NACK: [SRU][Q][PATCH 1/1] apparmor: fix NULL pointer dereference in __unix_needs_revalidation

Masahiro Yamada masahiro.yamada at canonical.com
Thu Apr 9 05:24:12 UTC 2026 

On 4/8/26 02:30, Georgia Garcia wrote:
> From: System Administrator <root at localhost>
>
> BugLink: http://bugs.launchpad.net/bugs/2147374
>
> When receiving file descriptors via SCM_RIGHTS, both the socket pointer
> and the socket's sk pointer can be NULL during socket setup or teardown,
> causing NULL pointer dereferences in __unix_needs_revalidation().
>
> This is a regression in AppArmor 5.0.0 (kernel 6.17+) where the new
> __unix_needs_revalidation() function was added without proper NULL checks.
>
> The crash manifests as:
>    BUG: kernel NULL pointer dereference, address: 0x0000000000000018
>    RIP: aa_file_perm+0xb7/0x3b0 (or +0xbe/0x3b0, +0xc0/0x3e0)
>    Call Trace:
>     apparmor_file_receive+0x42/0x80
>     security_file_receive+0x2e/0x50
>     receive_fd+0x1d/0xf0
>     scm_detach_fds+0xad/0x1c0
>
> The function dereferences sock->sk->sk_family without checking if either
> sock or sock->sk is NULL first.
>
> Add NULL checks for both sock and sock->sk before accessing sk_family.
>
> Fixes: 88fec3526e841 ("apparmor: make sure unix socket labeling is correctly updated.")
> Reported-by: Jamin Mc <jaminmc at gmail.com>
> Closes: https://bugzilla.proxmox.com/show_bug.cgi?id=7083
> Closes: https://gitlab.com/apparmor/apparmor/-/issues/568
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> Signed-off-by: System Administrator <root at localhost>
> Signed-off-by: John Johansen <john.johansen at canonical.com>


"cherry picked from" or "backported from" is missing.

Your Signed-off-by is missing.


> ---
>   security/apparmor/file.c | 3 +++
>   1 file changed, 3 insertions(+)
>
> diff --git a/security/apparmor/file.c b/security/apparmor/file.c
> index d30be1979ced..50785b4dd746 100644
> --- a/security/apparmor/file.c
> +++ b/security/apparmor/file.c
> @@ -777,6 +777,9 @@ static bool __unix_needs_revalidation(struct file *file, struct aa_label *label,
>   		return false;
>   	if (request & NET_PEER_MASK)
>   		return false;
> +	/* sock and sock->sk can be NULL for sockets being set up or torn down */
> +	if (!sock || !sock->sk)
> +		return false;
>   	if (sock->sk->sk_family == PF_UNIX) {
>   		struct aa_sk_ctx *ctx = aa_sock(sock->sk);
>

More information about the kernel-team mailing list