AppArmor: Fix reference to rcu protected pointer outside of rcu_read_lock

commit 04fdc099f9c80c7775dbac388fc97e156d4d47e7 upstream.

The pointer returned from tracehook_tracer_task() is only valid inside
the rcu_read_lock.  However the tracer pointer obtained is being passed
to aa_may_ptrace outside of the rcu_read_lock critical section.

Mover the aa_may_ptrace test into the rcu_read_lock critical section, to
fix this.

Kernels affected: 2.6.36 - 3.0

Reported-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index c825c6e0b636ee985283d3d4a077deaa24343808..78adc4303efa3871501ed8a841e0cdee67bf394a 100644 (file)
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -73,7 +73,6 @@ static int may_change_ptraced_domain(struct task_struct *task,
                cred = get_task_cred(tracer);
                tracerp = aa_cred_profile(cred);
        }
-       rcu_read_unlock();
 
        /* not ptraced */
        if (!tracer || unconfined(tracerp))
@@ -82,6 +81,7 @@ static int may_change_ptraced_domain(struct task_struct *task,
        error = aa_may_ptrace(tracer, tracerp, to_profile, PTRACE_MODE_ATTACH);
 
 out:
+       rcu_read_unlock();
        if (cred)
                put_cred(cred);