// For flags

CVE-2023-52443

apparmor: avoid crash when parsed profile name is empty

Severity Score

5.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

apparmor: avoid crash when parsed profile name is empty

When processing a packed profile in unpack_profile() described like

"profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}"

a string ":samba-dcerpcd" is unpacked as a fully-qualified name and then
passed to aa_splitn_fqname().

aa_splitn_fqname() treats ":samba-dcerpcd" as only containing a namespace.
Thus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later
aa_alloc_profile() crashes as the new profile name is NULL now.

general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
RIP: 0010:strlen+0x1e/0xa0
Call Trace:
<TASK>
? strlen+0x1e/0xa0
aa_policy_init+0x1bb/0x230
aa_alloc_profile+0xb1/0x480
unpack_profile+0x3bc/0x4960
aa_unpack+0x309/0x15e0
aa_replace_profiles+0x213/0x33c0
policy_update+0x261/0x370
profile_replace+0x20e/0x2a0
vfs_write+0x2af/0xe00
ksys_write+0x126/0x250
do_syscall_64+0x46/0xf0
entry_SYSCALL_64_after_hwframe+0x6e/0x76
</TASK>
---[ end trace 0000000000000000 ]---
RIP: 0010:strlen+0x1e/0xa0

It seems such behaviour of aa_splitn_fqname() is expected and checked in
other places where it is called (e.g. aa_remove_profiles). Well, there
is an explicit comment "a ns name without a following profile is allowed"
inside.

AFAICS, nothing can prevent unpacked "name" to be in form like
":samba-dcerpcd" - it is passed from userspace.

Deny the whole profile set replacement in such case and inform user with
EPROTO and an explaining message.

Found by Linux Verification Center (linuxtesting.org).

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: apparmor: evita fallas cuando el nombre del perfil analizado está vacío Al procesar un perfil empaquetado en unpack_profile() descrito como "perfil :ns::samba-dcerpcd /usr/lib*/samba/ {,samba/}samba-dcerpcd {...}" una cadena ":samba-dcerpcd" se descomprime como un nombre completo y luego se pasa a aa_splitn_fqname(). aa_splitn_fqname() trata ":samba-dcerpcd" como si solo contuviera un espacio de nombres. Por lo tanto, devuelve NULL para tmpname, mientras que tmpns no es NULL. Más tarde, aa_alloc_profile() falla porque el nuevo nombre del perfil ahora es NULL. falla de protección general, probablemente para dirección no canónica 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref en rango [0x00000000000000000-0x0000000000000007] CPU: 6 PID: 1657 Comm: apparmor_parser No contaminado 6.7.0- rc2-dirty #16 Nombre del hardware: PC estándar QEMU (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 01/04/2014 RIP: 0010:strlen+0x1e/0xa0 Llamada Seguimiento: ? strlen+0x1e/0xa0 aa_policy_init+0x1bb/0x230 aa_alloc_profile+0xb1/0x480 unpack_profile+0x3bc/0x4960 aa_unpack+0x309/0x15e0 aa_replace_profiles+0x213/0x33c0 Policy_update+0x261/0x370 perfil_replace+ 0x20e/0x2a0 vfs_write+0x2af/0xe00 ksys_write+0x126/0x250 do_syscall_64+0x46/0xf0 Entry_SYSCALL_64_after_hwframe+0x6e/0x76 ---[ end trace 0000000000000000 ]--- RIP: 0010:strlen+0x1e/0xa0 Parece que tal comportamiento de aa_splitn_fqname() se espera y se verifica en otros lugares donde se llama (por ejemplo, aa_remove_profiles). Bueno, hay un comentario explícito "se permite un nombre ns sin un perfil de seguimiento" dentro. AFAICS, nada puede evitar que el "nombre" descomprimido tenga un formato como ":samba-dcerpcd": se pasa desde el espacio de usuario. En tal caso, rechace el reemplazo completo del conjunto de perfiles e informe al usuario con EPROTO y un mensaje explicativo. Encontrado por el Centro de verificación de Linux (linuxtesting.org).

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-02-20 CVE Reserved
  • 2024-02-22 CVE Published
  • 2024-03-15 EPSS Updated
  • 2024-12-19 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-476: NULL Pointer Dereference
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.11 < 4.19.306
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.11 < 4.19.306"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.11 < 5.4.268
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.11 < 5.4.268"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.11 < 5.10.209
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.11 < 5.10.209"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.11 < 5.15.148
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.11 < 5.15.148"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.11 < 6.1.75
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.11 < 6.1.75"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.11 < 6.6.14
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.11 < 6.6.14"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.11 < 6.7.2
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.11 < 6.7.2"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.11 < 6.8
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.11 < 6.8"
en
Affected