cve/published/2023/CVE-2023-52443.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52443: apparmor: avoid crash when parsed profile name is empty

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 apparmor: avoid crash when parsed profile name is empty

 When processing a packed profile in unpack_profile() described like

  "profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}"

 a string ":samba-dcerpcd" is unpacked as a fully-qualified name and then
 passed to aa_splitn_fqname().

 aa_splitn_fqname() treats ":samba-dcerpcd" as only containing a namespace.
 Thus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later
 aa_alloc_profile() crashes as the new profile name is NULL now.

 general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
 KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
 CPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
 RIP: 0010:strlen+0x1e/0xa0
 Call Trace:
  <TASK>
  ? strlen+0x1e/0xa0
  aa_policy_init+0x1bb/0x230
  aa_alloc_profile+0xb1/0x480
  unpack_profile+0x3bc/0x4960
  aa_unpack+0x309/0x15e0
  aa_replace_profiles+0x213/0x33c0
  policy_update+0x261/0x370
  profile_replace+0x20e/0x2a0
  vfs_write+0x2af/0xe00
  ksys_write+0x126/0x250
  do_syscall_64+0x46/0xf0
  entry_SYSCALL_64_after_hwframe+0x6e/0x76
  </TASK>
 ---[ end trace 0000000000000000 ]---
 RIP: 0010:strlen+0x1e/0xa0

 It seems such behaviour of aa_splitn_fqname() is expected and checked in
 other places where it is called (e.g. aa_remove_profiles). Well, there
 is an explicit comment "a ns name without a following profile is allowed"
 inside.

 AFAICS, nothing can prevent unpacked "name" to be in form like
 ":samba-dcerpcd" - it is passed from userspace.

 Deny the whole profile set replacement in such case and inform user with
 EPROTO and an explaining message.

 Found by Linux Verification Center (linuxtesting.org).

 The Linux kernel CVE team has assigned CVE-2023-52443 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.11 with commit 04dc715e24d0820bf8740e1a1135ed61fe162bc8 and fixed in 4.19.306 with commit 9286ee97aa4803d99185768735011d0d65827c9e
 	Issue introduced in 4.11 with commit 04dc715e24d0820bf8740e1a1135ed61fe162bc8 and fixed in 5.4.268 with commit 1d8e62b5569cc1466ceb8a7e4872cf10160a9dcf
 	Issue introduced in 4.11 with commit 04dc715e24d0820bf8740e1a1135ed61fe162bc8 and fixed in 5.10.209 with commit 5ff00408e5029d3550ee77f62dc15f1e15c47f87
 	Issue introduced in 4.11 with commit 04dc715e24d0820bf8740e1a1135ed61fe162bc8 and fixed in 5.15.148 with commit 0a12db736edbb4933e4274932aeea594b5876fa4
 	Issue introduced in 4.11 with commit 04dc715e24d0820bf8740e1a1135ed61fe162bc8 and fixed in 6.1.75 with commit 9d4fa5fe2b1d56662afd14915a73b4d0783ffa45
 	Issue introduced in 4.11 with commit 04dc715e24d0820bf8740e1a1135ed61fe162bc8 and fixed in 6.6.14 with commit 5c0392fdafb0a2321311900be83ffa572bef8203
 	Issue introduced in 4.11 with commit 04dc715e24d0820bf8740e1a1135ed61fe162bc8 and fixed in 6.7.2 with commit 77ab09b92f16c8439a948d1af489196953dc4a0e
 	Issue introduced in 4.11 with commit 04dc715e24d0820bf8740e1a1135ed61fe162bc8 and fixed in 6.8 with commit 55a8210c9e7d21ff2644809699765796d4bfb200

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52443
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	security/apparmor/policy_unpack.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/9286ee97aa4803d99185768735011d0d65827c9e
 	https://git.kernel.org/stable/c/1d8e62b5569cc1466ceb8a7e4872cf10160a9dcf
 	https://git.kernel.org/stable/c/5ff00408e5029d3550ee77f62dc15f1e15c47f87
 	https://git.kernel.org/stable/c/0a12db736edbb4933e4274932aeea594b5876fa4
 	https://git.kernel.org/stable/c/9d4fa5fe2b1d56662afd14915a73b4d0783ffa45
 	https://git.kernel.org/stable/c/5c0392fdafb0a2321311900be83ffa572bef8203
 	https://git.kernel.org/stable/c/77ab09b92f16c8439a948d1af489196953dc4a0e
 	https://git.kernel.org/stable/c/55a8210c9e7d21ff2644809699765796d4bfb200
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52443: apparmor: avoid crash when parsed profile name is empty

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	apparmor: avoid crash when parsed profile name is empty

	When processing a packed profile in unpack_profile() described like

	"profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}"

	a string ":samba-dcerpcd" is unpacked as a fully-qualified name and then
	passed to aa_splitn_fqname().

	aa_splitn_fqname() treats ":samba-dcerpcd" as only containing a namespace.
	Thus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later
	aa_alloc_profile() crashes as the new profile name is NULL now.

	general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
	KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
	CPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
	RIP: 0010:strlen+0x1e/0xa0
	Call Trace:
	<TASK>
	? strlen+0x1e/0xa0
	aa_policy_init+0x1bb/0x230
	aa_alloc_profile+0xb1/0x480
	unpack_profile+0x3bc/0x4960
	aa_unpack+0x309/0x15e0
	aa_replace_profiles+0x213/0x33c0
	policy_update+0x261/0x370
	profile_replace+0x20e/0x2a0
	vfs_write+0x2af/0xe00
	ksys_write+0x126/0x250
	do_syscall_64+0x46/0xf0
	entry_SYSCALL_64_after_hwframe+0x6e/0x76
	</TASK>
	---[ end trace 0000000000000000 ]---
	RIP: 0010:strlen+0x1e/0xa0

	It seems such behaviour of aa_splitn_fqname() is expected and checked in
	other places where it is called (e.g. aa_remove_profiles). Well, there
	is an explicit comment "a ns name without a following profile is allowed"
	inside.

	AFAICS, nothing can prevent unpacked "name" to be in form like
	":samba-dcerpcd" - it is passed from userspace.

	Deny the whole profile set replacement in such case and inform user with
	EPROTO and an explaining message.

	Found by Linux Verification Center (linuxtesting.org).

	The Linux kernel CVE team has assigned CVE-2023-52443 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.11 with commit 04dc715e24d0820bf8740e1a1135ed61fe162bc8 and fixed in 4.19.306 with commit 9286ee97aa4803d99185768735011d0d65827c9e
	Issue introduced in 4.11 with commit 04dc715e24d0820bf8740e1a1135ed61fe162bc8 and fixed in 5.4.268 with commit 1d8e62b5569cc1466ceb8a7e4872cf10160a9dcf
	Issue introduced in 4.11 with commit 04dc715e24d0820bf8740e1a1135ed61fe162bc8 and fixed in 5.10.209 with commit 5ff00408e5029d3550ee77f62dc15f1e15c47f87
	Issue introduced in 4.11 with commit 04dc715e24d0820bf8740e1a1135ed61fe162bc8 and fixed in 5.15.148 with commit 0a12db736edbb4933e4274932aeea594b5876fa4
	Issue introduced in 4.11 with commit 04dc715e24d0820bf8740e1a1135ed61fe162bc8 and fixed in 6.1.75 with commit 9d4fa5fe2b1d56662afd14915a73b4d0783ffa45
	Issue introduced in 4.11 with commit 04dc715e24d0820bf8740e1a1135ed61fe162bc8 and fixed in 6.6.14 with commit 5c0392fdafb0a2321311900be83ffa572bef8203
	Issue introduced in 4.11 with commit 04dc715e24d0820bf8740e1a1135ed61fe162bc8 and fixed in 6.7.2 with commit 77ab09b92f16c8439a948d1af489196953dc4a0e
	Issue introduced in 4.11 with commit 04dc715e24d0820bf8740e1a1135ed61fe162bc8 and fixed in 6.8 with commit 55a8210c9e7d21ff2644809699765796d4bfb200

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52443
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	security/apparmor/policy_unpack.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/9286ee97aa4803d99185768735011d0d65827c9e
	https://git.kernel.org/stable/c/1d8e62b5569cc1466ceb8a7e4872cf10160a9dcf
	https://git.kernel.org/stable/c/5ff00408e5029d3550ee77f62dc15f1e15c47f87
	https://git.kernel.org/stable/c/0a12db736edbb4933e4274932aeea594b5876fa4
	https://git.kernel.org/stable/c/9d4fa5fe2b1d56662afd14915a73b4d0783ffa45
	https://git.kernel.org/stable/c/5c0392fdafb0a2321311900be83ffa572bef8203
	https://git.kernel.org/stable/c/77ab09b92f16c8439a948d1af489196953dc4a0e
	https://git.kernel.org/stable/c/55a8210c9e7d21ff2644809699765796d4bfb200