A critical vulnerability has been discovered and resolved in the Linux kernel. It has been assigned CVE-2023-52889. The issue is in the AppArmor component: a NULL pointer dereference when a packet (skb) is received on a socket that is still being created. The vulnerability could cause an unexpected kernel panic.

The vulnerability was observed when ICMP packets with a secmark set were received while an ICMP raw socket was being created. SK_CTX(sk)->label is set in the apparmor_socket_post_create() hook, but the packet was delivered to the socket before that hook ran, so the secmark check dereferenced a NULL label.

The solution is to drop the packet if the label context is not set yet. Below is an excerpt from the kernel panic message:

BUG: kernel NULL pointer dereference, address: 000000000000004c
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI

The call trace, which faults in aa_label_next_confined+0xb/0x40, is as follows:

Call Trace:
 <IRQ>
 ? __die+0x23/0x70
 ? page_fault_oops+0x171/0x4e0
 ? exc_page_fault+0x7f/0x180
 ? asm_exc_page_fault+0x26/0x30
 ? aa_label_next_confined+0xb/0x40
 apparmor_secmark_check+0xec/0x330
 security_sock_rcv_skb+0x35/0x50
 sk_filter_trim_cap+0x47/0x250
 sock_queue_rcv_skb_reason+0x20/0x60
 raw_rcv+0x13c/0x210
 raw_local_deliver+0x1f3/0x250
 ip_protocol_deliver_rcu+0x4f/0x2f0
 ip_local_deliver_finish+0x76/0xa0
 __netif_receive_skb_one_core+0x89/0xa0

The fix has been applied in the upstream Linux kernel repository (see the original commit for details). The recent release of the Linux kernel 6.4.12 has resolved this vulnerability.
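To make the race and the fix concrete, here is an added user-space model of the receive path described above; it is not the kernel's code, and every name in it (secmark_check, rcv_skb_vulnerable, rcv_skb_fixed, replay_race) is hypothetical. The vulnerable shape trusts that the post-create hook has already installed the label; the fixed shape drops the packet while the label context is still unset.

```c
/* Added example, not the kernel's code: a user-space model of the AppArmor
 * sock_rcv_skb path described above. ctx->label stays NULL until the
 * post-create hook runs; a secmark-tagged skb that arrives before then must
 * be dropped, not dereferenced. All names below are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

struct aa_label  { int confined; };
struct aa_sk_ctx { struct aa_label *label; };  /* NULL until post_create */
struct sk_buff   { uint32_t secmark; };        /* only the field we need */
/* Stands in for the label walk that faulted: it reads through the label
 * pointer unconditionally, so a NULL label means a kernel oops. */
static int secmark_check(struct aa_label *label, uint32_t secmark)
{
    (void)secmark;
    return label->confined ? 0 : -EACCES;
}

/* Vulnerable shape: assumes the post-create hook already set ctx->label. */
static int rcv_skb_vulnerable(struct aa_sk_ctx *ctx, struct sk_buff *skb)
{
    if (!skb->secmark)
        return 0;                       /* untagged packets skip the check */
    return secmark_check(ctx->label, skb->secmark);
}

/* Fixed shape, as the advisory describes: drop the packet while the label
 * context is unset, i.e. while the socket is still being created. */
static int rcv_skb_fixed(struct aa_sk_ctx *ctx, struct sk_buff *skb)
{
    if (!skb->secmark)
        return 0;
    if (!ctx->label)
        return -EINVAL;                 /* drop: post_create has not run */
    return secmark_check(ctx->label, skb->secmark);
}

/* Replays the race on the fixed path: a tagged skb (constructed secmark)
 * arrives before the post-create hook installs the label, then once after. */
static void replay_race(int *before, int *after)
{
    struct aa_sk_ctx ctx = { .label = NULL };   /* socket mid-creation */
    struct aa_label confined = { .confined = 1 };
    struct sk_buff skb = { .secmark = 0x1234 }; /* constructed value */
    *before = rcv_skb_fixed(&ctx, &skb);        /* -EINVAL, nothing dereferenced */
    ctx.label = &confined;                      /* what post_create would do */
    *after = rcv_skb_fixed(&ctx, &skb);         /* 0: allowed */
}
```

Calling rcv_skb_vulnerable with a NULL label would read through the null pointer exactly as the trace above shows, which is why the model only exercises it once the label is installed.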

For users and organizations running on affected kernel versions, it is highly recommended to apply the fix or upgrade to the latest stable kernel release in order to mitigate the risk associated with this vulnerability.

In conclusion, CVE-2023-52889 is a critical vulnerability in the Linux kernel and AppArmor component that could cause a NULL pointer dereference and kernel panic. The vulnerability has been resolved in recent releases of the Linux kernel. Users and organizations are advised to upgrade their systems to ensure their devices are protected against potential exploits targeting this vulnerability.

Timeline

Published on: 08/17/2024 09:15:07 UTC
Last modified on: 08/19/2024 21:19:16 UTC