Linux Kernel AppArmor Memory Leak Vulnerability in Namespace Allocation

A memory leak vulnerability has been identified in the Linux kernel's AppArmor subsystem, specifically within the namespace allocation function. This issue arises because the 'hname' member of the 'aa_policy' structure, after certain changes, is no longer a valid slab object and cannot be properly freed using the 'kfree_sensitive()' function. Instead, it requires the 'aa_policy_destroy()' function for proper deallocation. The vulnerability affects the Linux kernel stable tree.

Impact

The vulnerability leads to a memory leak in the AppArmor namespace allocation, which can potentially be exploited to cause a denial of service by exhausting available memory resources.

Reproduction

The vulnerability can be reproduced by allocating a namespace in AppArmor after the changes introduced in commit a1bd627b46d1. This can be done by triggering the allocation process in a way that the 'hname' member of the 'aa_policy' structure is used, but not properly freed, leading to a memory leak.

Remediation

The vulnerability has been addressed in the Linux kernel stable tree. Users can upgrade to the latest version to apply the fix.