{"id":2220623,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2220623/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20260407173029.3872549-2-georgia.garcia@canonical.com/","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/1.1/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260407173029.3872549-2-georgia.garcia@canonical.com>","date":"2026-04-07T17:30:29","name":"[SRU,Q,1/1] apparmor: fix NULL pointer dereference in __unix_needs_revalidation","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"4ba2d64bda95ec8f61f8f9c71ad2d2e4326c4bbd","submitter":{"id":82129,"url":"http://patchwork.ozlabs.org/api/1.1/people/82129/?format=json","name":"Georgia Garcia","email":"georgia.garcia@canonical.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20260407173029.3872549-2-georgia.garcia@canonical.com/mbox/","series":[{"id":499013,"url":"http://patchwork.ozlabs.org/api/1.1/series/499013/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=499013","date":"2026-04-07T17:30:28","name":"apparmor: fix NULL pointer dereference in __unix_needs_revalidation","version":1,"mbox":"http://patchwork.ozlabs.org/series/499013/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2220623/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2220623/checks/","tags":{},"headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=LmXrR35M;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fqtWw02lNz1yGf\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 08 Apr 2026 03:30:51 +1000 (AEST)","from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1wAAGB-0003zo-7S; Tue, 07 Apr 2026 17:30:43 +0000","from smtp-relay-internal-1.internal ([10.131.114.114]\n helo=smtp-relay-internal-1.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <georgia.garcia@canonical.com>)\n id 1wAAG9-0003za-QY\n for kernel-team@lists.ubuntu.com; Tue, 07 Apr 2026 17:30:41 +0000","from mail-yw1-f200.google.com (mail-yw1-f200.google.com\n [209.85.128.200])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id A23EE3F60F\n for <kernel-team@lists.ubuntu.com>; Tue,  7 Apr 2026 17:30:41 +0000 (UTC)","by mail-yw1-f200.google.com with SMTP id\n 00721157ae682-79a670a6032so109687977b3.0\n for <kernel-team@lists.ubuntu.com>; Tue, 07 Apr 2026 10:30:41 -0700 (PDT)","from localhost.localdomain ([177.220.174.35])\n by smtp.gmail.com with ESMTPSA id\n 00721157ae682-7a370905079sm71547787b3.23.2026.04.07.10.30.36\n for <kernel-team@lists.ubuntu.com>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Tue, 07 Apr 2026 10:30:38 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1775583041;\n bh=fbJVtpM5iSor4XRDlBJZzs4RlZsrPqfUMg7x4rEQBCg=;\n h=From:To:Subject:Date:Message-ID:In-Reply-To:References:\n MIME-Version:Content-Type;\n b=LmXrR35MfuS7AI+aKyusTUuiDfYoQHr7eiHrdlqrIfjeFXaA1VwKPeOOH1aJy8imE\n g4yIM/FqFTgoKPu2Sjk5Kelw5RjixgmDWgVB73UKhkzbCQbG333VjWH1brv+jKdctf\n aCybsn2aXkQjHXUSPRShPijt+JYzcLZXdsbTSCfuS0j25CnpUhyTc3bYwbfMKzyV4W\n hLt6MrLPW9v1aNVHJakclVPDt/tNcITcy8W4UNs9SzscObEbZsx8O9KwHs2v2T+3gA\n /d2QfRbPwrX0yoFWCq2y3JfdRXbir5txCyKvVCFSxLsS9biQjpQdt9F9cc0Xq2SZmH\n c2nJhw8EUiWoWzO8GCkie+6Mq9Rbzvcul1cuH24vOfmZirUsHJarLNwUE+snqXGDBu\n w+gVlXNzrC8V7i0sWxDCKKtPUYEAXqvHZ2QYp+sr5eUIU1idLzoxMFBlKrrqGpgo7O\n pcbWj9UkSmXGE7wZLmx8uHKYZYM63YIDRLh27bpV0r7Buuyu3sRlARK9KXfJE5KL5V\n lfa8Eqr233pq/JzWVLJRA9+CsoQ1VIVu+Hal5tfsmylsl//S3ydi/vmGgqqWVPXa+2\n oZMSueJDQzwMyLhGoc2nTygJI6E+ZCyJpGICC2LIkVnBXO5tJ6tv8epLkqbI9aVvU7\n bv17RpIdDjjP3c06SdEx3sN8=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1775583040; x=1776187840;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to\n :cc:subject:date:message-id:reply-to;\n bh=fbJVtpM5iSor4XRDlBJZzs4RlZsrPqfUMg7x4rEQBCg=;\n b=FcO5PQ1GF97JrZc6WVhPOyCHDiD5M7mo2ElvN9XB7Y25BpojKCjPTgmsePBvXXc6fc\n JpEWPmZyrWRUW/YB0RrB+3zJ2qC7xaZb93f/lqqkt+Ly6onwAPd2gAn/3UOZ7D4RtjeK\n R6pJwT5oQ9XolnTngtVOn4s4t8YEaeSxMaNFZCLp4D/3tgov9QuNPIKXAeO2cQbYVgMj\n l86ShwAsbnZS44Te4Qn1es0esgQKnDyS7rHImpjO6ilaMrM3LpD92x65bV1CVgFXEkfF\n EJje8EvYwSZ9Nc+Dl4LkQkMp8oklpcAgzr3BfFZGVs+zhxnBlJk83x6UOik2fNxrYUk8\n WVQQ==","X-Gm-Message-State":"AOJu0YxFrw+Xs6MZapEnz9pTafWEVTVM6Sxy1RnG0HoJRBSnPPkBBk5G\n nBI/rjsk5tQUlGtl8YVdPV4U3nGXSAfzXhwJ67rks+PWDHFs8jkgG6rRG1aAe12alJ9Z/anBs4h\n 5z366zRZ+Z+8QFuGY8sQCkls9eRP5AHfJxuZJRHDngc6gnwSfLS5N3pE3MKk/NKFqUuRtu7zeHj\n aqXE8dONfGzQLxHw==","X-Gm-Gg":"AeBDieupVpyTqzAylN+iPcbxrGtz8g9OnNfV1f3su3nhRZ20IHPTcXELkfcoDKlXAUN\n Vo6fS16Wa6Fi7r7shpIGb4ChklTJG1j2UbXnyZGvShMHPYhXtaosmPkJlW3+1EuK0PyiZKCjIhB\n aZxgCtZRyhijnGWVM8Wk+eHhsOLNPuABBxBGflnpS6MoXFj2jnz9OC00XiU6XckrorOXvZU9J3c\n /RPgvkYSG4RpsUFQ1Bfu8otYe2WGBvLRaWxDn56D2NKoblZmLy7cmuSMMnS4v/HD9Yy9pFUHjSo\n XXqZzZ3AGUM4vvSKbgoUeEe1sMPnI+5wtG47nCREWoQXdN9TNv8Mp1G37bZy3s9tKY2eqd64MgH\n k0CHeW/625rBS0M25hHh8x/ygQrBE9PppCkZLzBMp0SRr7nQZPnZ/EhH5pPYIL18yG/zNIm6JD7\n KcNA==","X-Received":["by 2002:a05:690c:c36d:b0:79a:bbe0:8cae with SMTP id\n 00721157ae682-7a4d2ff33e4mr146418607b3.1.1775583039981;\n Tue, 07 Apr 2026 10:30:39 -0700 (PDT)","by 2002:a05:690c:c36d:b0:79a:bbe0:8cae with SMTP id\n 00721157ae682-7a4d2ff33e4mr146418367b3.1.1775583039569;\n Tue, 07 Apr 2026 10:30:39 -0700 (PDT)"],"From":"Georgia Garcia <georgia.garcia@canonical.com>","To":"kernel-team@lists.ubuntu.com","Subject":"[SRU][Q][PATCH 1/1] apparmor: fix NULL pointer dereference in\n __unix_needs_revalidation","Date":"Tue,  7 Apr 2026 14:30:29 -0300","Message-ID":"<20260407173029.3872549-2-georgia.garcia@canonical.com>","X-Mailer":"git-send-email 2.43.0","In-Reply-To":"<20260407173029.3872549-1-georgia.garcia@canonical.com>","References":"<20260407173029.3872549-1-georgia.garcia@canonical.com>","MIME-Version":"1.0","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"},"content":"From: System Administrator <root@localhost>\n\nBugLink: http://bugs.launchpad.net/bugs/2147374\n\nWhen receiving file descriptors via SCM_RIGHTS, both the socket pointer\nand the socket's sk pointer can be NULL during socket setup or teardown,\ncausing NULL pointer dereferences in __unix_needs_revalidation().\n\nThis is a regression in AppArmor 5.0.0 (kernel 6.17+) where the new\n__unix_needs_revalidation() function was added without proper NULL checks.\n\nThe crash manifests as:\n  BUG: kernel NULL pointer dereference, address: 0x0000000000000018\n  RIP: aa_file_perm+0xb7/0x3b0 (or +0xbe/0x3b0, +0xc0/0x3e0)\n  Call Trace:\n   apparmor_file_receive+0x42/0x80\n   security_file_receive+0x2e/0x50\n   receive_fd+0x1d/0xf0\n   scm_detach_fds+0xad/0x1c0\n\nThe function dereferences sock->sk->sk_family without checking if either\nsock or sock->sk is NULL first.\n\nAdd NULL checks for both sock and sock->sk before accessing sk_family.\n\nFixes: 88fec3526e841 (\"apparmor: make sure unix socket labeling is correctly updated.\")\nReported-by: Jamin Mc <jaminmc@gmail.com>\nCloses: https://bugzilla.proxmox.com/show_bug.cgi?id=7083\nCloses: https://gitlab.com/apparmor/apparmor/-/issues/568\nSigned-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>\nSigned-off-by: System Administrator <root@localhost>\nSigned-off-by: John Johansen <john.johansen@canonical.com>\n---\n security/apparmor/file.c | 3 +++\n 1 file changed, 3 insertions(+)","diff":"diff --git a/security/apparmor/file.c b/security/apparmor/file.c\nindex d30be1979ced..50785b4dd746 100644\n--- a/security/apparmor/file.c\n+++ b/security/apparmor/file.c\n@@ -777,6 +777,9 @@ static bool __unix_needs_revalidation(struct file *file, struct aa_label *label,\n \t\treturn false;\n \tif (request & NET_PEER_MASK)\n \t\treturn false;\n+\t/* sock and sock->sk can be NULL for sockets being set up or torn down */\n+\tif (!sock || !sock->sk)\n+\t\treturn false;\n \tif (sock->sk->sk_family == PF_UNIX) {\n \t\tstruct aa_sk_ctx *ctx = aa_sock(sock->sk);\n \n","prefixes":["SRU","Q","1/1"]}