CVE-2024-46721

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-46721
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-46721.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-46721
Published
2024-09-18T06:32:19.327Z
Modified
2025-11-28T02:34:18.828017Z
Summary
apparmor: fix possible NULL pointer dereference
Details

In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix possible NULL pointer dereference

profile->parent->dents[AAFS_PROF_DIR] could be NULL only if its parent is made from __create_missing_ancestors(..) and 'ent->old' is NULL in aa_replace_profiles(..). In that case, it must return an error code and the code, -ENOENT represents its state that the path of its parent is not existed yet.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/46xxx/CVE-2024-46721.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
8d9da10a392a32368392f7a16775e1f36e2a5346
Fixed
730ee2686af0d55372e97a2695005ff142702363
Fixed
52338a3aa772762b8392ce7cac106c1099aeab85
Fixed
e3c7d23f7a5c0b11ba0093cea32261ab8098b94e
Fixed
09b2d107fe63e55b6ae643f9f26bf8eb14a261d9
Fixed
59f742e55a469ef36c5c1533b6095a103b61eda8
Fixed
c49bbe69ee152bd9c1c1f314c0f582e76c578f64
Fixed
3dd384108d53834002be5630132ad5c3f32166ad

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.19.322
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.284
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.226
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.167
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.109
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.50
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.10.9