apparmor: fix NULL pointer dereference in __unix_needs_revalidation

When receiving file descriptors via SCM_RIGHTS, both the socket pointer
and the socket's sk pointer can be NULL during socket setup or teardown,
causing NULL pointer dereferences in __unix_needs_revalidation().

This is a regression in AppArmor 5.0.0 (kernel 6.17+) where the new
__unix_needs_revalidation() function was added without proper NULL checks.

The crash manifests as:
  BUG: kernel NULL pointer dereference, address: 0x0000000000000018
  RIP: aa_file_perm+0xb7/0x3b0 (or +0xbe/0x3b0, +0xc0/0x3e0)
  Call Trace:
   apparmor_file_receive+0x42/0x80
   security_file_receive+0x2e/0x50
   receive_fd+0x1d/0xf0
   scm_detach_fds+0xad/0x1c0

The function dereferences sock->sk->sk_family without checking if either
sock or sock->sk is NULL first.

Add NULL checks for both sock and sock->sk before accessing sk_family.

Fixes: 88fec3526e841 ("apparmor: make sure unix socket labeling is correctly updated.")
Reported-by: Jamin Mc <jaminmc@gmail.com>
Closes: https://bugzilla.proxmox.com/show_bug.cgi?id=7083
Closes: https://gitlab.com/apparmor/apparmor/-/issues/568
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Signed-off-by: System Administrator <root@localhost>
Signed-off-by: John Johansen <john.johansen@canonical.com>

diff --git a/security/apparmor/file.c b/security/apparmor/file.c
index c758204028780f627f5d15fb0e69e3422756db85..919dbbbc87ab627ac2105d5504138d42e586e9ae 100644 (file)
--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -578,6 +578,9 @@ static bool __unix_needs_revalidation(struct file *file, struct aa_label *label,
                return false;
        if (request & NET_PEER_MASK)
                return false;
+       /* sock and sock->sk can be NULL for sockets being set up or torn down */
+       if (!sock || !sock->sk)
+               return false;
        if (sock->sk->sk_family == PF_UNIX) {
                struct aa_sk_ctx *ctx = aa_sock(sock->sk);