lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 22 Feb 2024 17:13:42 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2023-52443: apparmor: avoid crash when parsed profile name is empty

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

apparmor: avoid crash when parsed profile name is empty

When processing a packed profile in unpack_profile() described like

 "profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}"

a string ":samba-dcerpcd" is unpacked as a fully-qualified name and then
passed to aa_splitn_fqname().

aa_splitn_fqname() treats ":samba-dcerpcd" as only containing a namespace.
Thus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later
aa_alloc_profile() crashes as the new profile name is NULL now.

general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
RIP: 0010:strlen+0x1e/0xa0
Call Trace:
 <TASK>
 ? strlen+0x1e/0xa0
 aa_policy_init+0x1bb/0x230
 aa_alloc_profile+0xb1/0x480
 unpack_profile+0x3bc/0x4960
 aa_unpack+0x309/0x15e0
 aa_replace_profiles+0x213/0x33c0
 policy_update+0x261/0x370
 profile_replace+0x20e/0x2a0
 vfs_write+0x2af/0xe00
 ksys_write+0x126/0x250
 do_syscall_64+0x46/0xf0
 entry_SYSCALL_64_after_hwframe+0x6e/0x76
 </TASK>
---[ end trace 0000000000000000 ]---
RIP: 0010:strlen+0x1e/0xa0

It seems such behaviour of aa_splitn_fqname() is expected and checked in
other places where it is called (e.g. aa_remove_profiles). Well, there
is an explicit comment "a ns name without a following profile is allowed"
inside.

AFAICS, nothing can prevent unpacked "name" to be in form like
":samba-dcerpcd" - it is passed from userspace.

Deny the whole profile set replacement in such case and inform user with
EPROTO and an explaining message.

Found by Linux Verification Center (linuxtesting.org).

The Linux kernel CVE team has assigned CVE-2023-52443 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 4.11 with commit 04dc715e24d0 and fixed in 4.19.306 with commit 9286ee97aa48
	Issue introduced in 4.11 with commit 04dc715e24d0 and fixed in 5.4.268 with commit 1d8e62b5569c
	Issue introduced in 4.11 with commit 04dc715e24d0 and fixed in 5.10.209 with commit 5ff00408e502
	Issue introduced in 4.11 with commit 04dc715e24d0 and fixed in 5.15.148 with commit 0a12db736edb
	Issue introduced in 4.11 with commit 04dc715e24d0 and fixed in 6.1.75 with commit 9d4fa5fe2b1d
	Issue introduced in 4.11 with commit 04dc715e24d0 and fixed in 6.6.14 with commit 5c0392fdafb0
	Issue introduced in 4.11 with commit 04dc715e24d0 and fixed in 6.7.2 with commit 77ab09b92f16
	Issue introduced in 4.11 with commit 04dc715e24d0 and fixed in 6.8-rc1 with commit 55a8210c9e7d

Please see https://www.kernel.org or a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52443
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	security/apparmor/policy_unpack.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/9286ee97aa4803d99185768735011d0d65827c9e
	https://git.kernel.org/stable/c/1d8e62b5569cc1466ceb8a7e4872cf10160a9dcf
	https://git.kernel.org/stable/c/5ff00408e5029d3550ee77f62dc15f1e15c47f87
	https://git.kernel.org/stable/c/0a12db736edbb4933e4274932aeea594b5876fa4
	https://git.kernel.org/stable/c/9d4fa5fe2b1d56662afd14915a73b4d0783ffa45
	https://git.kernel.org/stable/c/5c0392fdafb0a2321311900be83ffa572bef8203
	https://git.kernel.org/stable/c/77ab09b92f16c8439a948d1af489196953dc4a0e
	https://git.kernel.org/stable/c/55a8210c9e7d21ff2644809699765796d4bfb200

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ