ASA-2019-00636 – Linux kernel: Use-after-free in aa_audit_rule_init()


Allele Security Alert

ASA-2019-00636

Identifier(s)

ASA-2019-00636, CVE-2019-18814

Title

Use-after-free in aa_audit_rule_init()

Vendor(s)

Linux foundation

Product(s)

Linux kernel

Affected version(s)

Linux kernel versions from 4.18 through 5.3

Linux kernel version since commit:

apparmor: Fix memory leak of rule on error exit path
https://github.com/torvalds/linux/commit/52e8c38001d8ef0ca07ef428e480cd4a35e46abf

Fixed version(s)

Unknown

Proof of concept

Unknown

Description

There is a use-after-free when aa_label_parse() fails in aa_audit_rule_init() in security/apparmor/audit.c.

Technical details

Unknown

Credits

Navid Emamdoost

Reference(s)

[v3] apparmor: Fix use-after-free in aa_audit_rule_init
https://lore.kernel.org/patchwork/patch/1142523/

apparmor: Fix memory leak of rule on error exit path
https://github.com/torvalds/linux/commit/52e8c38001d8ef0ca07ef428e480cd4a35e46abf

CVE-2019-18814 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-18814

CVE-2019-18814
https://security-tracker.debian.org/tracker/CVE-2019-18814

CVE-2019-18814 | SUSE
https://www.suse.com/security/cve/CVE-2019-18814

CVE-2019-18814 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18814.html

CVE-2019-18814
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18814

CVE-2019-18814
https://nvd.nist.gov/vuln/detail/CVE-2019-18814

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: November 15, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.