Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2023-52443

NULL Pointer Dereference

Published: Feb 22, 2024 | Modified: Mar 14, 2024
CVSS 3.x
5.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2023-52443
CWEhttps://cwe.mitre.org/data/definitions/476.html

In the Linux kernel, the following vulnerability has been resolved:

apparmor: avoid crash when parsed profile name is empty

When processing a packed profile in unpack_profile() described like

profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {…}

a string :samba-dcerpcd is unpacked as a fully-qualified name and then passed to aa_splitn_fqname().

aa_splitn_fqname() treats :samba-dcerpcd as only containing a namespace. Thus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later aa_alloc_profile() crashes as the new profile name is NULL now.

general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 RIP: 0010:strlen+0x1e/0xa0 Call Trace: ? strlen+0x1e/0xa0 aa_policy_init+0x1bb/0x230 aa_alloc_profile+0xb1/0x480 unpack_profile+0x3bc/0x4960 aa_unpack+0x309/0x15e0 aa_replace_profiles+0x213/0x33c0 policy_update+0x261/0x370 profile_replace+0x20e/0x2a0 vfs_write+0x2af/0xe00 ksys_write+0x126/0x250 do_syscall_64+0x46/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 —[ end trace 0000000000000000 ]— RIP: 0010:strlen+0x1e/0xa0

It seems such behaviour of aa_splitn_fqname() is expected and checked in other places where it is called (e.g. aa_remove_profiles). Well, there is an explicit comment a ns name without a following profile is allowed inside.

AFAICS, nothing can prevent unpacked name to be in form like :samba-dcerpcd - it is passed from userspace.

Deny the whole profile set replacement in such case and inform user with EPROTO and an explaining message.

Found by Linux Verification Center (linuxtesting.org).

Weakness

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Affected Software

Name Vendor Start Version End Version
Linux_kernel Linux * 4.19.306 (excluding)
Linux_kernel Linux 4.20 (including) 5.4.268 (excluding)
Linux_kernel Linux 5.5.0 (including) 5.10.209 (excluding)
Linux_kernel Linux 5.11.0 (including) 5.15.148 (excluding)
Linux_kernel Linux 5.16.0 (including) 6.1.75 (excluding)
Linux_kernel Linux 6.2.0 (including) 6.6.14 (excluding)
Linux_kernel Linux 6.7.0 (including) 6.7.2 (excluding)

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use