[apparmor] [PATCH 1/2] apparmor: fix invalid deref of rawdata when export_binary is unset
John Johansen
john.johansen at canonical.com
Thu Feb 5 07:39:22 UTC 2026
On 1/29/26 10:58, Georgia Garcia wrote:
> If the export_binary parameter is disabled at runtime, profiles that
> were loaded before that will still have their rawdata stored in
> apparmorfs, with a symbolic link to the rawdata on the policy
> directory. When one of those profiles is replaced, the rawdata is set
> to NULL, but when trying to resolve the symbolic links to rawdata for
> that profile, it will try to dereference profile->rawdata->name when
> profile->rawdata is now NULL, causing an oops. Fix it by checking if
> rawdata is set.
>
> [ 168.653080] BUG: kernel NULL pointer dereference, address: 0000000000000088
> [ 168.657420] #PF: supervisor read access in kernel mode
> [ 168.660619] #PF: error_code(0x0000) - not-present page
> [ 168.663613] PGD 0 P4D 0
> [ 168.665450] Oops: Oops: 0000 [#1] SMP NOPTI
> [ 168.667836] CPU: 1 UID: 0 PID: 1729 Comm: ls Not tainted 6.19.0-rc7+ #3 PREEMPT(voluntary)
> [ 168.672308] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> [ 168.679327] RIP: 0010:rawdata_get_link_base.isra.0+0x23/0x330
> [ 168.682768] Code: 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 18 48 89 55 d0 48 85 ff 0f 84 e3 01 00 00 <48> 83 3c 25 88 00 00 00 00 0f 84 d4 01 00 00 49 89 f6 49 89 cc e8
> [ 168.689818] RSP: 0018:ffffcdcb8200fb80 EFLAGS: 00010282
> [ 168.690871] RAX: ffffffffaee74ec0 RBX: 0000000000000000 RCX: ffffffffb0120158
> [ 168.692251] RDX: ffffcdcb8200fbe0 RSI: ffff88c187c9fa80 RDI: ffff88c186c98a80
> [ 168.693593] RBP: ffffcdcb8200fbc0 R08: 0000000000000000 R09: 0000000000000000
> [ 168.694941] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88c186c98a80
> [ 168.696289] R13: 00007fff005aaa20 R14: 0000000000000080 R15: ffff88c188f4fce0
> [ 168.697637] FS: 0000790e81c58280(0000) GS:ffff88c20a957000(0000) knlGS:0000000000000000
> [ 168.699227] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 168.700349] CR2: 0000000000000088 CR3: 000000012fd3e000 CR4: 0000000000350ef0
> [ 168.701696] Call Trace:
> [ 168.702325] <TASK>
> [ 168.702995] rawdata_get_link_data+0x1c/0x30
> [ 168.704145] vfs_readlink+0xd4/0x160
> [ 168.705152] do_readlinkat+0x114/0x180
> [ 168.706214] __x64_sys_readlink+0x1e/0x30
> [ 168.708653] x64_sys_call+0x1d77/0x26b0
> [ 168.709525] do_syscall_64+0x81/0x500
> [ 168.710348] ? do_statx+0x72/0xb0
> [ 168.711109] ? putname+0x3e/0x80
> [ 168.711845] ? __x64_sys_statx+0xb7/0x100
> [ 168.712711] ? x64_sys_call+0x10fc/0x26b0
> [ 168.713577] ? do_syscall_64+0xbf/0x500
> [ 168.714412] ? do_user_addr_fault+0x1d2/0x8d0
> [ 168.715404] ? irqentry_exit+0xb2/0x740
> [ 168.716359] ? exc_page_fault+0x90/0x1b0
> [ 168.717307] entry_SYSCALL_64_after_hwframe+0x76/0x7e
>
> Signed-off-by: Georgia Garcia <georgia.garcia at canonical.com>
Acked-by: John Johansen <john.johansen at canonical.com>
I pulled patch 1/2 (bug fix) in; patch 2/2 will need more review and will have to wait in the queue for the next cycle.
> ---
> security/apparmor/apparmorfs.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
> index 907bd2667e28..4fb251a7e85a 100644
> --- a/security/apparmor/apparmorfs.c
> +++ b/security/apparmor/apparmorfs.c
> @@ -1644,6 +1644,14 @@ static const char *rawdata_get_link_base(struct dentry *dentry,
>
> label = aa_get_label_rcu(&proxy->label);
> profile = labels_profile(label);
> +
> + /* rawdata can be null when aa_g_export_binary is unset during
> + * runtime and a profile is replaced */
> + if (!profile->rawdata) {
> + aa_put_label(label);
> + return ERR_PTR(-ENOENT);
> + }
> +
> depth = profile_depth(profile);
> target = gen_symlink_name(depth, profile->rawdata->name, name);
> aa_put_label(label);
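Review bot: the new block comment in this hunk does not follow the kernel's preferred multi-line comment style; put the opening `/*` on its own line and close with ` */` on its own line rather than ending the second text line with `*/`. Otherwise the early return looks correct: it drops the reference taken by aa_get_label_rcu() via aa_put_label() before returning ERR_PTR(-ENOENT), so readlink on the stale symlink fails cleanly instead of reaching profile->rawdata->name with a NULL profile->rawdata.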