[SRU][Q][PATCH v2 0/1] apparmor: fix NULL pointer dereference in __unix_needs_revalidation
Georgia Garcia
georgia.garcia at canonical.com
Thu Apr 9 12:17:31 UTC 2026
BugLink: http://bugs.launchpad.net/bugs/2147374
SRU Justification:
[Impact]
When receiving file descriptors via SCM_RIGHTS, both the socket pointer
and the socket's sk pointer can be NULL during socket setup or teardown,
causing NULL pointer dereferences in __unix_needs_revalidation().
This is a regression in AppArmor 5.0.0 (kernel 6.17+) where the new
__unix_needs_revalidation() function was added without proper NULL checks.
[ 287.713912] BUG: kernel NULL pointer dereference, address: 0000000000000018
[ 287.714922] #PF: supervisor read access in kernel mode
[ 287.715653] #PF: error_code(0x0000) - not-present page
[ 287.716378] PGD 0 P4D 0
[ 287.716749] Oops: Oops: 0000 [#1] SMP NOPTI
[ 287.717347] CPU: 0 UID: 1000000 PID: 7587 Comm: aa-exec Tainted: G E 6.17.13+ #19 PREEMPT(voluntary)
[ 287.718806] Tainted: [E]=UNSIGNED_MODULE
[ 287.719370] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 287.720729] RIP: 0010:aa_file_perm+0xb9/0x3b0
[Fix]
Cherry-pick upstream linux commit:
e2938ad00b21340c0362562dfedd7cfec0554d67
[Test Plan]
Run the following POC and check that creating the nested-vm doesn't
cause a NULL pointer dereference in dmesg
cat << 'EOF' > poc.sh
#!/bin/bash
set -eux
# VM inside container causes a kernel NULL pointer dereference on 6.17
if [[ "$(uname -r)" =~ ^6\.17\.0 ]]; then
    echo "::warning:: 6.17 kernel detected, expect failure then check 'dmesg'"
else
    echo "::info:: 6.17 kernel NOT detected, expect success and consider switching to 'linux-image-generic-hwe-24.04'"
fi
snap install lxd --channel latest/edge
lxd init --auto
# prepare ctn to be used for nested VM testing
lxc init ubuntu-minimal-daily:24.04 ctn -c security.devlxd.images=true -c security.nesting=true -s default
lxc config device add ctn kvm unix-char source=/dev/kvm
lxc config device add ctn vhost-net unix-char source=/dev/vhost-net
lxc config device add ctn vhost-vsock unix-char source=/dev/vhost-vsock
lxc config device add ctn vsock unix-char source=/dev/vsock
lxc start ctn
sleep 30
lxc exec ctn -- snap wait system seed.loaded
lxc exec ctn -- snap install lxd --channel latest/edge
lxc exec ctn -- lxd init --auto
# launch small nested VM
lxc exec ctn -- lxc launch ubuntu-minimal-daily:24.04 nested-vm --vm -c limits.memory=512MiB -d root,size=3584MiB
# cleanup
lxc delete -f ctn
EOF
[Where problems could occur]
The regression can be considered as low since both fixes have been
applied to the upstream kernel.
System Administrator (1):
apparmor: fix NULL pointer dereference in __unix_needs_revalidation
security/apparmor/file.c | 3 +++
1 file changed, 3 insertions(+)
--
2.43.0
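
Added example, not part of the original message or of the kernel/AppArmor code: a shell helper for the dmesg check in the test plan above. It flags a NULL pointer dereference only when the first RIP line after it is in aa_file_perm, as in the trace quoted under [Impact]; the name aa_oops_scan and the second sample log are made up for illustration.

```shell
#!/bin/sh
# Scan kernel log text on stdin for the oops signature quoted in this SRU.
# Prints "<fault address> <symbol+offset>" for each hit.
# Exit status: 0 = signature absent, 1 = signature present.
# Typical use after running poc.sh (dmesg may need root): dmesg | aa_oops_scan
aa_oops_scan() {
    awk '
        # Start of an oops report: remember the faulting address.
        /BUG: kernel NULL pointer dereference/ {
            pending = 1; addr = $NF; next
        }
        # Only the first RIP line after the BUG line is the kernel fault site;
        # later RIP lines in the same report (user-space context) are ignored.
        pending && /RIP: [0-9a-f]+:/ {
            sym = $NF
            sub(/^[0-9a-f]+:/, "", sym)      # drop the code-segment prefix
            if (sym ~ /^aa_file_perm\+/) { print addr, sym; hits++ }
            pending = 0
        }
        END { exit (hits > 0) }
    '
}

# Sample 1: oops lines as quoted in the SRU text above.
SAMPLE_OOPS='[ 287.713912] BUG: kernel NULL pointer dereference, address: 0000000000000018
[ 287.714922] #PF: supervisor read access in kernel mode
[ 287.720729] RIP: 0010:aa_file_perm+0xb9/0x3b0'

# Sample 2 (constructed): a NULL dereference in an unrelated, made-up function.
SAMPLE_OTHER='[ 10.000001] BUG: kernel NULL pointer dereference, address: 0000000000000008
[ 10.000002] RIP: 0010:example_other_func+0x10/0x40'

printf '%s\n' "$SAMPLE_OOPS" | aa_oops_scan || echo "aa_file_perm oops signature present"
printf '%s\n' "$SAMPLE_OTHER" | aa_oops_scan && echo "no aa_file_perm oops in second sample"
```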