ACK: [SRU][Q][PATCH 0/1] apparmor: fix NULL pointer dereference in __unix_needs_revalidation
Yufeng Gao
yufeng.gao at canonical.com
Wed Apr 8 07:32:49 UTC 2026
On 8/4/26 03:30, Georgia Garcia wrote:
> BugLink: http://bugs.launchpad.net/bugs/2147374
>
> SRU Justification:
>
> [Impact]
>
> When receiving file descriptors via SCM_RIGHTS, both the socket pointer
> and the socket's sk pointer can be NULL during socket setup or teardown,
> causing NULL pointer dereferences in __unix_needs_revalidation().
>
> This is a regression in AppArmor 5.0.0 (kernel 6.17+) where the new
> __unix_needs_revalidation() function was added without proper NULL checks.
>
> [ 287.713912] BUG: kernel NULL pointer dereference, address: 0000000000000018
> [ 287.714922] #PF: supervisor read access in kernel mode
> [ 287.715653] #PF: error_code(0x0000) - not-present page
> [ 287.716378] PGD 0 P4D 0
> [ 287.716749] Oops: Oops: 0000 [#1] SMP NOPTI
> [ 287.717347] CPU: 0 UID: 1000000 PID: 7587 Comm: aa-exec Tainted: G E 6.17.13+ #19 PREEMPT(voluntary)
> [ 287.718806] Tainted: [E]=UNSIGNED_MODULE
> [ 287.719370] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> [ 287.720729] RIP: 0010:aa_file_perm+0xb9/0x3b0
>
> [Fix]
>
> Cherry-pick upstream linux commit:
> e2938ad00b21340c0362562dfedd7cfec0554d67
>
> [Test Plan]
>
> Run the following POC and check that creating the nested-vm doesn't
> cause a NULL pointer dereference in dmesg.
>
> cat << EOF > poc.sh
> #!/bin/bash
> set -eux
>
> # VM inside container causes a kernel NULL pointer dereference on 6.17
> if [[ "$(uname -r)" =~ ^6\.17\.0 ]]; then
>     echo "::warning:: 6.17 kernel detected, expect failure then check 'dmesg'"
> else
>     echo "::info:: 6.17 kernel NOT detected, expect success and consider switching to 'linux-image-generic-hwe-24.04'"
> fi
>
> snap install lxd --channel latest/edge
> lxd init --auto
>
> # prepare ctn to be used for nested VM testing
> lxc init ubuntu-minimal-daily:24.04 ctn -c security.devlxd.images=true -c security.nesting=true -s default
> lxc config device add ctn kvm unix-char source=/dev/kvm
> lxc config device add ctn vhost-net unix-char source=/dev/vhost-net
> lxc config device add ctn vhost-vsock unix-char source=/dev/vhost-vsock
> lxc config device add ctn vsock unix-char source=/dev/vsock
>
> lxc start ctn
> sleep 30
> lxc exec ctn -- snap wait system seed.loaded
>
> lxc exec ctn -- snap install lxd --channel latest/edge
> lxc exec ctn -- lxd init --auto
>
> # launch small nested VM
> lxc exec ctn -- lxc launch ubuntu-minimal-daily:24.04 nested-vm --vm -c limits.memory=512MiB -d root,size=3584MiB
>
> # cleanup
> lxc delete -f ctn
> EOF
>
> [Where problems could occur]
>
> The regression can be considered low since both fixes have been
> applied to the upstream kernel.
>
> System Administrator (1):
> apparmor: fix NULL pointer dereference in __unix_needs_revalidation
>
> security/apparmor/file.c | 3 +++
> 1 file changed, 3 insertions(+)
>
Acked-by: Yufeng Gao <yufeng.gao at canonical.com>
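The test plan quoted above ends with a manual step ("check dmesg"). The following is an added example, not part of the original thread or of the Ubuntu kernel tree, that scripts that check: it scans a dmesg capture for the oops signature shown in the SRU justification (a kernel NULL pointer dereference whose faulting RIP is inside aa_file_perm) so the verification step can be automated. The log samples embedded below are constructed for the demo and are not real captures.

```shell
#!/bin/sh
# Added example (not from the original thread): detect the AppArmor
# __unix_needs_revalidation oops signature in a dmesg capture.

# has_apparmor_null_deref: read kernel log lines on stdin and return 0 (true)
# when a "BUG: kernel NULL pointer dereference" line is followed by a RIP line
# whose faulting function is aa_file_perm (as in the quoted trace), else 1.
# A NULL dereference in some other function is deliberately not matched, so
# unrelated oopses are not attributed to this bug.
has_apparmor_null_deref() {
    awk '
        /BUG: kernel NULL pointer dereference/          { bug = 1 }
        bug && /RIP: [0-9a-f]+:aa_file_perm[+]/          { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# verify_test_plan_capture FILE: print PASS/FAIL for a saved dmesg capture and
# return 0 on PASS, 1 on FAIL, so it can gate a CI job that runs the POC.
verify_test_plan_capture() {
    if has_apparmor_null_deref < "$1"; then
        echo "FAIL: NULL pointer dereference in aa_file_perm found in $1"
        return 1
    fi
    echo "PASS: no aa_file_perm NULL pointer dereference in $1"
    return 0
}

# Constructed sample logs (not real captures). The first mimics the trace in
# the SRU justification; the second is a clean boot.
CONSTRUCTED_BAD_LOG='[  287.713912] BUG: kernel NULL pointer dereference, address: 0000000000000018
[  287.714922] #PF: supervisor read access in kernel mode
[  287.720729] RIP: 0010:aa_file_perm+0xb9/0x3b0'

CONSTRUCTED_GOOD_LOG='[   12.001000] audit: type=1400 audit(0.0:5): apparmor="STATUS" operation="profile_load"
[   12.002000] lxd: started'

# Stand-alone demo on the constructed samples.
printf '%s\n' "$CONSTRUCTED_BAD_LOG" | has_apparmor_null_deref \
    && echo "bad sample: oops detected (expected)"
printf '%s\n' "$CONSTRUCTED_GOOD_LOG" | has_apparmor_null_deref \
    || echo "good sample: clean (expected)"
```

On a test machine, run the POC from the test plan, then `dmesg > after-poc.log` and `verify_test_plan_capture after-poc.log`; a non-zero exit means the kernel under test still reproduces the bug. The match is keyed on the function name rather than the `+0xb9/0x3b0` offset because offsets change with every build.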