cve/published/2023/CVE-2023-52889.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52889: apparmor: Fix null pointer deref when receiving skb during sock creation

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 apparmor: Fix null pointer deref when receiving skb during sock creation

 The panic below is observed when receiving ICMP packets with secmark set
 while an ICMP raw socket is being created. SK_CTX(sk)->label is updated
 in apparmor_socket_post_create(), but the packet is delivered to the
 socket before that, causing the null pointer dereference.
 Drop the packet if label context is not set.

     BUG: kernel NULL pointer dereference, address: 000000000000004c
     #PF: supervisor read access in kernel mode
     #PF: error_code(0x0000) - not-present page
     PGD 0 P4D 0
     Oops: 0000 [#1] PREEMPT SMP NOPTI
     CPU: 0 PID: 407 Comm: a.out Not tainted 6.4.12-arch1-1 #1 3e6fa2753a2d75925c34ecb78e22e85a65d083df
     Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/28/2020
     RIP: 0010:aa_label_next_confined+0xb/0x40
     Code: 00 00 48 89 ef e8 d5 25 0c 00 e9 66 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 89 f0 <8b> 77 4c 39 c6 7e 1f 48 63 d0 48 8d 14 d7 eb 0b 83 c0 01 48 83 c2
     RSP: 0018:ffffa92940003b08 EFLAGS: 00010246
     RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000e
     RDX: ffffa92940003be8 RSI: 0000000000000000 RDI: 0000000000000000
     RBP: ffff8b57471e7800 R08: ffff8b574c642400 R09: 0000000000000002
     R10: ffffffffbd820eeb R11: ffffffffbeb7ff00 R12: ffff8b574c642400
     R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000
     FS:  00007fb092ea7640(0000) GS:ffff8b577bc00000(0000) knlGS:0000000000000000
     CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
     CR2: 000000000000004c CR3: 00000001020f2005 CR4: 00000000007706f0
     PKRU: 55555554
     Call Trace:
      <IRQ>
      ? __die+0x23/0x70
      ? page_fault_oops+0x171/0x4e0
      ? exc_page_fault+0x7f/0x180
      ? asm_exc_page_fault+0x26/0x30
      ? aa_label_next_confined+0xb/0x40
      apparmor_secmark_check+0xec/0x330
      security_sock_rcv_skb+0x35/0x50
      sk_filter_trim_cap+0x47/0x250
      sock_queue_rcv_skb_reason+0x20/0x60
      raw_rcv+0x13c/0x210
      raw_local_deliver+0x1f3/0x250
      ip_protocol_deliver_rcu+0x4f/0x2f0
      ip_local_deliver_finish+0x76/0xa0
      __netif_receive_skb_one_core+0x89/0xa0
      netif_receive_skb+0x119/0x170
      ? __netdev_alloc_skb+0x3d/0x140
      vmxnet3_rq_rx_complete+0xb23/0x1010 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]
      vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]
      __napi_poll+0x28/0x1b0
      net_rx_action+0x2a4/0x380
      __do_softirq+0xd1/0x2c8
      __irq_exit_rcu+0xbb/0xf0
      common_interrupt+0x86/0xa0
      </IRQ>
      <TASK>
      asm_common_interrupt+0x26/0x40
     RIP: 0010:apparmor_socket_post_create+0xb/0x200
     Code: 08 48 85 ff 75 a1 eb b1 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 <55> 48 89 fd 53 45 85 c0 0f 84 b2 00 00 00 48 8b 1d 80 56 3f 02 48
     RSP: 0018:ffffa92940ce7e50 EFLAGS: 00000286
     RAX: ffffffffbc756440 RBX: 0000000000000000 RCX: 0000000000000001
     RDX: 0000000000000003 RSI: 0000000000000002 RDI: ffff8b574eaab740
     RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
     R10: ffff8b57444cec70 R11: 0000000000000000 R12: 0000000000000003
     R13: 0000000000000002 R14: ffff8b574eaab740 R15: ffffffffbd8e4748
      ? __pfx_apparmor_socket_post_create+0x10/0x10
      security_socket_post_create+0x4b/0x80
      __sock_create+0x176/0x1f0
      __sys_socket+0x89/0x100
      __x64_sys_socket+0x17/0x20
      do_syscall_64+0x5d/0x90
      ? do_syscall_64+0x6c/0x90
      ? do_syscall_64+0x6c/0x90
      ? do_syscall_64+0x6c/0x90
      entry_SYSCALL_64_after_hwframe+0x72/0xdc

 The Linux kernel CVE team has assigned CVE-2023-52889 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.20 with commit ab9f2115081ab7ba63b77a759e0f3eb5d6463d7f and fixed in 5.4.282 with commit 0abe35bc48d4ec80424b1f4b3560c0e082cbd5c1
 	Issue introduced in 4.20 with commit ab9f2115081ab7ba63b77a759e0f3eb5d6463d7f and fixed in 5.10.224 with commit 347dcb84a4874b5fb375092c08d8cc4069b94f81
 	Issue introduced in 4.20 with commit ab9f2115081ab7ba63b77a759e0f3eb5d6463d7f and fixed in 5.15.165 with commit 290a6b88e8c19b6636ed1acc733d1458206f7697
 	Issue introduced in 4.20 with commit ab9f2115081ab7ba63b77a759e0f3eb5d6463d7f and fixed in 6.1.103 with commit ead2ad1d9f045f26fdce3ef1644913b3a6cd38f2
 	Issue introduced in 4.20 with commit ab9f2115081ab7ba63b77a759e0f3eb5d6463d7f and fixed in 6.6.44 with commit 6c920754f62cefc63fccdc38a062c7c3452e2961
 	Issue introduced in 4.20 with commit ab9f2115081ab7ba63b77a759e0f3eb5d6463d7f and fixed in 6.10.3 with commit 46c17ead5b7389e22e7dc9903fd0ba865d05bda2
 	Issue introduced in 4.20 with commit ab9f2115081ab7ba63b77a759e0f3eb5d6463d7f and fixed in 6.11 with commit fce09ea314505a52f2436397608fa0a5d0934fb1

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52889
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	security/apparmor/lsm.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/0abe35bc48d4ec80424b1f4b3560c0e082cbd5c1
 	https://git.kernel.org/stable/c/347dcb84a4874b5fb375092c08d8cc4069b94f81
 	https://git.kernel.org/stable/c/290a6b88e8c19b6636ed1acc733d1458206f7697
 	https://git.kernel.org/stable/c/ead2ad1d9f045f26fdce3ef1644913b3a6cd38f2
 	https://git.kernel.org/stable/c/6c920754f62cefc63fccdc38a062c7c3452e2961
 	https://git.kernel.org/stable/c/46c17ead5b7389e22e7dc9903fd0ba865d05bda2
 	https://git.kernel.org/stable/c/fce09ea314505a52f2436397608fa0a5d0934fb1
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52889: apparmor: Fix null pointer deref when receiving skb during sock creation

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	apparmor: Fix null pointer deref when receiving skb during sock creation

	The panic below is observed when receiving ICMP packets with secmark set
	while an ICMP raw socket is being created. SK_CTX(sk)->label is updated
	in apparmor_socket_post_create(), but the packet is delivered to the
	socket before that, causing the null pointer dereference.
	Drop the packet if label context is not set.

	BUG: kernel NULL pointer dereference, address: 000000000000004c
	#PF: supervisor read access in kernel mode
	#PF: error_code(0x0000) - not-present page
	PGD 0 P4D 0
	Oops: 0000 [#1] PREEMPT SMP NOPTI
	CPU: 0 PID: 407 Comm: a.out Not tainted 6.4.12-arch1-1 #1 3e6fa2753a2d75925c34ecb78e22e85a65d083df
	Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/28/2020
	RIP: 0010:aa_label_next_confined+0xb/0x40
	Code: 00 00 48 89 ef e8 d5 25 0c 00 e9 66 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 89 f0 <8b> 77 4c 39 c6 7e 1f 48 63 d0 48 8d 14 d7 eb 0b 83 c0 01 48 83 c2
	RSP: 0018:ffffa92940003b08 EFLAGS: 00010246
	RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000e
	RDX: ffffa92940003be8 RSI: 0000000000000000 RDI: 0000000000000000
	RBP: ffff8b57471e7800 R08: ffff8b574c642400 R09: 0000000000000002
	R10: ffffffffbd820eeb R11: ffffffffbeb7ff00 R12: ffff8b574c642400
	R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000
	FS: 00007fb092ea7640(0000) GS:ffff8b577bc00000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 000000000000004c CR3: 00000001020f2005 CR4: 00000000007706f0
	PKRU: 55555554
	Call Trace:
	<IRQ>
	? __die+0x23/0x70
	? page_fault_oops+0x171/0x4e0
	? exc_page_fault+0x7f/0x180
	? asm_exc_page_fault+0x26/0x30
	? aa_label_next_confined+0xb/0x40
	apparmor_secmark_check+0xec/0x330
	security_sock_rcv_skb+0x35/0x50
	sk_filter_trim_cap+0x47/0x250
	sock_queue_rcv_skb_reason+0x20/0x60
	raw_rcv+0x13c/0x210
	raw_local_deliver+0x1f3/0x250
	ip_protocol_deliver_rcu+0x4f/0x2f0
	ip_local_deliver_finish+0x76/0xa0
	__netif_receive_skb_one_core+0x89/0xa0
	netif_receive_skb+0x119/0x170
	? __netdev_alloc_skb+0x3d/0x140
	vmxnet3_rq_rx_complete+0xb23/0x1010 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]
	vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]
	__napi_poll+0x28/0x1b0
	net_rx_action+0x2a4/0x380
	__do_softirq+0xd1/0x2c8
	__irq_exit_rcu+0xbb/0xf0
	common_interrupt+0x86/0xa0
	</IRQ>
	<TASK>
	asm_common_interrupt+0x26/0x40
	RIP: 0010:apparmor_socket_post_create+0xb/0x200
	Code: 08 48 85 ff 75 a1 eb b1 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 <55> 48 89 fd 53 45 85 c0 0f 84 b2 00 00 00 48 8b 1d 80 56 3f 02 48
	RSP: 0018:ffffa92940ce7e50 EFLAGS: 00000286
	RAX: ffffffffbc756440 RBX: 0000000000000000 RCX: 0000000000000001
	RDX: 0000000000000003 RSI: 0000000000000002 RDI: ffff8b574eaab740
	RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
	R10: ffff8b57444cec70 R11: 0000000000000000 R12: 0000000000000003
	R13: 0000000000000002 R14: ffff8b574eaab740 R15: ffffffffbd8e4748
	? __pfx_apparmor_socket_post_create+0x10/0x10
	security_socket_post_create+0x4b/0x80
	__sock_create+0x176/0x1f0
	__sys_socket+0x89/0x100
	__x64_sys_socket+0x17/0x20
	do_syscall_64+0x5d/0x90
	? do_syscall_64+0x6c/0x90
	? do_syscall_64+0x6c/0x90
	? do_syscall_64+0x6c/0x90
	entry_SYSCALL_64_after_hwframe+0x72/0xdc

	The Linux kernel CVE team has assigned CVE-2023-52889 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.20 with commit ab9f2115081ab7ba63b77a759e0f3eb5d6463d7f and fixed in 5.4.282 with commit 0abe35bc48d4ec80424b1f4b3560c0e082cbd5c1
	Issue introduced in 4.20 with commit ab9f2115081ab7ba63b77a759e0f3eb5d6463d7f and fixed in 5.10.224 with commit 347dcb84a4874b5fb375092c08d8cc4069b94f81
	Issue introduced in 4.20 with commit ab9f2115081ab7ba63b77a759e0f3eb5d6463d7f and fixed in 5.15.165 with commit 290a6b88e8c19b6636ed1acc733d1458206f7697
	Issue introduced in 4.20 with commit ab9f2115081ab7ba63b77a759e0f3eb5d6463d7f and fixed in 6.1.103 with commit ead2ad1d9f045f26fdce3ef1644913b3a6cd38f2
	Issue introduced in 4.20 with commit ab9f2115081ab7ba63b77a759e0f3eb5d6463d7f and fixed in 6.6.44 with commit 6c920754f62cefc63fccdc38a062c7c3452e2961
	Issue introduced in 4.20 with commit ab9f2115081ab7ba63b77a759e0f3eb5d6463d7f and fixed in 6.10.3 with commit 46c17ead5b7389e22e7dc9903fd0ba865d05bda2
	Issue introduced in 4.20 with commit ab9f2115081ab7ba63b77a759e0f3eb5d6463d7f and fixed in 6.11 with commit fce09ea314505a52f2436397608fa0a5d0934fb1

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52889
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	security/apparmor/lsm.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/0abe35bc48d4ec80424b1f4b3560c0e082cbd5c1
	https://git.kernel.org/stable/c/347dcb84a4874b5fb375092c08d8cc4069b94f81
	https://git.kernel.org/stable/c/290a6b88e8c19b6636ed1acc733d1458206f7697
	https://git.kernel.org/stable/c/ead2ad1d9f045f26fdce3ef1644913b3a6cd38f2
	https://git.kernel.org/stable/c/6c920754f62cefc63fccdc38a062c7c3452e2961
	https://git.kernel.org/stable/c/46c17ead5b7389e22e7dc9903fd0ba865d05bda2
	https://git.kernel.org/stable/c/fce09ea314505a52f2436397608fa0a5d0934fb1