CVE-2023-52443 - Linux Kernel Vulnerability: AppArmor Crash When Parsed Profile Name is Empty

A Linux kernel vulnerability has been resolved regarding AppArmor, the open-source Linux kernel security module that provides tools for establishing mandatory access controls for applications. The issue was identified as a crash when the parsed profile name is empty during the processing of a packed profile in unpack_profile().

Details:

The vulnerability happens when processing a packed profile like

"profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}"

The string ":samba-dcerpcd" is unpacked as a fully-qualified name and then passed to aa_splitn_fqname(). The issue appears when aa_splitn_fqname() treats ":samba-dcerpcd" as only containing a namespace, resulting in tmpname being NULL while tmpns is non-NULL. This causes aa_alloc_profile() to crash as the new profile name is now NULL.

The general protection fault error looks something like this

general protection fault, probably for non-canonical address xdffffc000000000: 000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [x000000000000000-x0000000000000007]
...
RIP: 001:strlen+x1e/xa
...

This behavior of aa_splitn_fqname() is expected and checked in other places where it is called. However, when the name is in the form like ":samba-dcerpcd," it is passed from userspace and causes the problem.

Exploit Details:
In order to prevent this issue, the whole profile set replacement must be denied in such cases. The user must be informed with the EPROTO error and an explanatory message. The vulnerability was discovered by the Linux Verification Center (linuxtesting.org).

Original References

1. Linux Kernel Mailing List (LKML) discussion of the issue
2. OSDI'20 presentation by Linux Verification Center (LVC) on Linux Kernel Security
3. Linux Kernel Documentation on AppArmor

Conclusion

CVE-2023-52443 is a security vulnerability in the Linux kernel involving AppArmor that could lead to crashes when an empty profile name is parsed. The issue has been resolved by denying the whole profile set replacement in such cases and notifying the user with an EPROTO error and an explanatory message.

Timeline

Published on: 02/22/2024 17:15:08 UTC
Last modified on: 03/14/2024 20:16:02 UTC