apparmor: fix memory leak in verify_header

m-pellizzer · gregkh · commit 786e2c2a87d9 · 2026-03-13T17:20:47.000+01:00
commit e38c55d upstream. The function sets `*ns = NULL` on every call, leaking the namespace string allocated in previous iterations when multiple profiles are unpacked. This also breaks namespace consistency checking since *ns is always NULL when the comparison is made. Remove the incorrect assignment. The caller (aa_unpack) initializes *ns to NULL once before the loop, which is sufficient. Fixes: dd51c84 ("apparmor: provide base for multiple profiles to be replaced at once") Reported-by: Qualys Security Advisory <qsa@qualys.com> Tested-by: Salvatore Bonaccorso <carnil@debian.org> Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Reviewed-by: Cengiz Can <cengiz.can@canonical.com> Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
@@ -1142,7 +1142,6 @@ static int verify_header(struct aa_ext *e, int required, const char **ns)
 {
 	int error = -EPROTONOSUPPORT;
 	const char *name = NULL;
-	*ns = NULL;
 
 	/* get the interface version */
 	if (!aa_unpack_u32(e, &e->version, "version")) {

Original file line number	Diff line number	Diff line change
`@@ -1142,7 +1142,6 @@ static int verify_header(struct aa_ext e, int required, const char *ns)`
`1142`	`1142`	`{`
`1143`	`1143`	`int error = -EPROTONOSUPPORT;`
`1144`	`1144`	`const char *name = NULL;`
`1145`		`- *ns = NULL;`
`1146`	`1145`
`1147`	`1146`	`/* get the interface version */`
`1148`	`1147`	`if (!aa_unpack_u32(e, &e->version, "version")) {`