ghsa-wfg9-r8xh-vw3h
Vulnerability from github
Published
2024-08-17 09:30
Modified
2024-08-19 21:35
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

apparmor: Fix null pointer deref when receiving skb during sock creation

The panic below is observed when receiving ICMP packets with secmark set while an ICMP raw socket is being created. SK_CTX(sk)->label is updated in apparmor_socket_post_create(), but the packet is delivered to the socket before that, causing the null pointer dereference. Drop the packet if label context is not set.

BUG: kernel NULL pointer dereference, address: 000000000000004c
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 0 PID: 407 Comm: a.out Not tainted 6.4.12-arch1-1 #1 3e6fa2753a2d75925c34ecb78e22e85a65d083df
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/28/2020
RIP: 0010:aa_label_next_confined+0xb/0x40
Code: 00 00 48 89 ef e8 d5 25 0c 00 e9 66 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 89 f0 <8b> 77 4c 39 c6 7e 1f 48 63 d0 48 8d 14 d7 eb 0b 83 c0 01 48 83 c2
RSP: 0018:ffffa92940003b08 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000e
RDX: ffffa92940003be8 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff8b57471e7800 R08: ffff8b574c642400 R09: 0000000000000002
R10: ffffffffbd820eeb R11: ffffffffbeb7ff00 R12: ffff8b574c642400
R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000
FS:  00007fb092ea7640(0000) GS:ffff8b577bc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000004c CR3: 00000001020f2005 CR4: 00000000007706f0
PKRU: 55555554
Call Trace:
 <IRQ>
 ? __die+0x23/0x70
 ? page_fault_oops+0x171/0x4e0
 ? exc_page_fault+0x7f/0x180
 ? asm_exc_page_fault+0x26/0x30
 ? aa_label_next_confined+0xb/0x40
 apparmor_secmark_check+0xec/0x330
 security_sock_rcv_skb+0x35/0x50
 sk_filter_trim_cap+0x47/0x250
 sock_queue_rcv_skb_reason+0x20/0x60
 raw_rcv+0x13c/0x210
 raw_local_deliver+0x1f3/0x250
 ip_protocol_deliver_rcu+0x4f/0x2f0
 ip_local_deliver_finish+0x76/0xa0
 __netif_receive_skb_one_core+0x89/0xa0
 netif_receive_skb+0x119/0x170
 ? __netdev_alloc_skb+0x3d/0x140
 vmxnet3_rq_rx_complete+0xb23/0x1010 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]
 vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]
 __napi_poll+0x28/0x1b0
 net_rx_action+0x2a4/0x380
 __do_softirq+0xd1/0x2c8
 __irq_exit_rcu+0xbb/0xf0
 common_interrupt+0x86/0xa0
 </IRQ>
 <TASK>
 asm_common_interrupt+0x26/0x40
RIP: 0010:apparmor_socket_post_create+0xb/0x200
Code: 08 48 85 ff 75 a1 eb b1 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 <55> 48 89 fd 53 45 85 c0 0f 84 b2 00 00 00 48 8b 1d 80 56 3f 02 48
RSP: 0018:ffffa92940ce7e50 EFLAGS: 00000286
RAX: ffffffffbc756440 RBX: 0000000000000000 RCX: 0000000000000001
RDX: 0000000000000003 RSI: 0000000000000002 RDI: ffff8b574eaab740
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: ffff8b57444cec70 R11: 0000000000000000 R12: 0000000000000003
R13: 0000000000000002 R14: ffff8b574eaab740 R15: ffffffffbd8e4748
 ? __pfx_apparmor_socket_post_create+0x10/0x10
 security_socket_post_create+0x4b/0x80
 __sock_create+0x176/0x1f0
 __sys_socket+0x89/0x100
 __x64_sys_socket+0x17/0x20
 do_syscall_64+0x5d/0x90
 ? do_syscall_64+0x6c/0x90
 ? do_syscall_64+0x6c/0x90
 ? do_syscall_64+0x6c/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-52889"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-17T09:15:07Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: Fix null pointer deref when receiving skb during sock creation\n\nThe panic below is observed when receiving ICMP packets with secmark set\nwhile an ICMP raw socket is being created. SK_CTX(sk)-\u003elabel is updated\nin apparmor_socket_post_create(), but the packet is delivered to the\nsocket before that, causing the null pointer dereference.\nDrop the packet if label context is not set.\n\n    BUG: kernel NULL pointer dereference, address: 000000000000004c\n    #PF: supervisor read access in kernel mode\n    #PF: error_code(0x0000) - not-present page\n    PGD 0 P4D 0\n    Oops: 0000 [#1] PREEMPT SMP NOPTI\n    CPU: 0 PID: 407 Comm: a.out Not tainted 6.4.12-arch1-1 #1 3e6fa2753a2d75925c34ecb78e22e85a65d083df\n    Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/28/2020\n    RIP: 0010:aa_label_next_confined+0xb/0x40\n    Code: 00 00 48 89 ef e8 d5 25 0c 00 e9 66 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 89 f0 \u003c8b\u003e 77 4c 39 c6 7e 1f 48 63 d0 48 8d 14 d7 eb 0b 83 c0 01 48 83 c2\n    RSP: 0018:ffffa92940003b08 EFLAGS: 00010246\n    RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000e\n    RDX: ffffa92940003be8 RSI: 0000000000000000 RDI: 0000000000000000\n    RBP: ffff8b57471e7800 R08: ffff8b574c642400 R09: 0000000000000002\n    R10: ffffffffbd820eeb R11: ffffffffbeb7ff00 R12: ffff8b574c642400\n    R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000\n    FS:  00007fb092ea7640(0000) GS:ffff8b577bc00000(0000) knlGS:0000000000000000\n    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n    CR2: 000000000000004c CR3: 00000001020f2005 CR4: 00000000007706f0\n    PKRU: 55555554\n    Call Trace:\n     \u003cIRQ\u003e\n     ? __die+0x23/0x70\n     ? page_fault_oops+0x171/0x4e0\n     ? exc_page_fault+0x7f/0x180\n     ? asm_exc_page_fault+0x26/0x30\n     ? aa_label_next_confined+0xb/0x40\n     apparmor_secmark_check+0xec/0x330\n     security_sock_rcv_skb+0x35/0x50\n     sk_filter_trim_cap+0x47/0x250\n     sock_queue_rcv_skb_reason+0x20/0x60\n     raw_rcv+0x13c/0x210\n     raw_local_deliver+0x1f3/0x250\n     ip_protocol_deliver_rcu+0x4f/0x2f0\n     ip_local_deliver_finish+0x76/0xa0\n     __netif_receive_skb_one_core+0x89/0xa0\n     netif_receive_skb+0x119/0x170\n     ? __netdev_alloc_skb+0x3d/0x140\n     vmxnet3_rq_rx_complete+0xb23/0x1010 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]\n     vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]\n     __napi_poll+0x28/0x1b0\n     net_rx_action+0x2a4/0x380\n     __do_softirq+0xd1/0x2c8\n     __irq_exit_rcu+0xbb/0xf0\n     common_interrupt+0x86/0xa0\n     \u003c/IRQ\u003e\n     \u003cTASK\u003e\n     asm_common_interrupt+0x26/0x40\n    RIP: 0010:apparmor_socket_post_create+0xb/0x200\n    Code: 08 48 85 ff 75 a1 eb b1 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 \u003c55\u003e 48 89 fd 53 45 85 c0 0f 84 b2 00 00 00 48 8b 1d 80 56 3f 02 48\n    RSP: 0018:ffffa92940ce7e50 EFLAGS: 00000286\n    RAX: ffffffffbc756440 RBX: 0000000000000000 RCX: 0000000000000001\n    RDX: 0000000000000003 RSI: 0000000000000002 RDI: ffff8b574eaab740\n    RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000\n    R10: ffff8b57444cec70 R11: 0000000000000000 R12: 0000000000000003\n    R13: 0000000000000002 R14: ffff8b574eaab740 R15: ffffffffbd8e4748\n     ? __pfx_apparmor_socket_post_create+0x10/0x10\n     security_socket_post_create+0x4b/0x80\n     __sock_create+0x176/0x1f0\n     __sys_socket+0x89/0x100\n     __x64_sys_socket+0x17/0x20\n     do_syscall_64+0x5d/0x90\n     ? do_syscall_64+0x6c/0x90\n     ? do_syscall_64+0x6c/0x90\n     ? do_syscall_64+0x6c/0x90\n     entry_SYSCALL_64_after_hwframe+0x72/0xdc",
  "id": "GHSA-wfg9-r8xh-vw3h",
  "modified": "2024-08-19T21:35:08Z",
  "published": "2024-08-17T09:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52889"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0abe35bc48d4ec80424b1f4b3560c0e082cbd5c1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/290a6b88e8c19b6636ed1acc733d1458206f7697"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/347dcb84a4874b5fb375092c08d8cc4069b94f81"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/46c17ead5b7389e22e7dc9903fd0ba865d05bda2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6c920754f62cefc63fccdc38a062c7c3452e2961"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ead2ad1d9f045f26fdce3ef1644913b3a6cd38f2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fce09ea314505a52f2436397608fa0a5d0934fb1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.