CVE-2023-52889
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
17/08/2024
Last modified:
03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
apparmor: Fix null pointer deref when receiving skb during sock creation<br />
<br />
The panic below is observed when receiving ICMP packets with secmark set<br />
while an ICMP raw socket is being created. SK_CTX(sk)->label is updated<br />
in apparmor_socket_post_create(), but the packet is delivered to the<br />
socket before that, causing the null pointer dereference.<br />
Drop the packet if label context is not set.<br />
<br />
BUG: kernel NULL pointer dereference, address: 000000000000004c<br />
#PF: supervisor read access in kernel mode<br />
#PF: error_code(0x0000) - not-present page<br />
PGD 0 P4D 0<br />
Oops: 0000 [#1] PREEMPT SMP NOPTI<br />
CPU: 0 PID: 407 Comm: a.out Not tainted 6.4.12-arch1-1 #1 3e6fa2753a2d75925c34ecb78e22e85a65d083df<br />
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/28/2020<br />
RIP: 0010:aa_label_next_confined+0xb/0x40<br />
Code: 00 00 48 89 ef e8 d5 25 0c 00 e9 66 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 89 f0 77 4c 39 c6 7e 1f 48 63 d0 48 8d 14 d7 eb 0b 83 c0 01 48 83 c2<br />
RSP: 0018:ffffa92940003b08 EFLAGS: 00010246<br />
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000e<br />
RDX: ffffa92940003be8 RSI: 0000000000000000 RDI: 0000000000000000<br />
RBP: ffff8b57471e7800 R08: ffff8b574c642400 R09: 0000000000000002<br />
R10: ffffffffbd820eeb R11: ffffffffbeb7ff00 R12: ffff8b574c642400<br />
R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000<br />
FS: 00007fb092ea7640(0000) GS:ffff8b577bc00000(0000) knlGS:0000000000000000<br />
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
CR2: 000000000000004c CR3: 00000001020f2005 CR4: 00000000007706f0<br />
PKRU: 55555554<br />
Call Trace:<br />
<br />
? __die+0x23/0x70<br />
? page_fault_oops+0x171/0x4e0<br />
? exc_page_fault+0x7f/0x180<br />
? asm_exc_page_fault+0x26/0x30<br />
? aa_label_next_confined+0xb/0x40<br />
apparmor_secmark_check+0xec/0x330<br />
security_sock_rcv_skb+0x35/0x50<br />
sk_filter_trim_cap+0x47/0x250<br />
sock_queue_rcv_skb_reason+0x20/0x60<br />
raw_rcv+0x13c/0x210<br />
raw_local_deliver+0x1f3/0x250<br />
ip_protocol_deliver_rcu+0x4f/0x2f0<br />
ip_local_deliver_finish+0x76/0xa0<br />
__netif_receive_skb_one_core+0x89/0xa0<br />
netif_receive_skb+0x119/0x170<br />
? __netdev_alloc_skb+0x3d/0x140<br />
vmxnet3_rq_rx_complete+0xb23/0x1010 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]<br />
vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]<br />
__napi_poll+0x28/0x1b0<br />
net_rx_action+0x2a4/0x380<br />
__do_softirq+0xd1/0x2c8<br />
__irq_exit_rcu+0xbb/0xf0<br />
common_interrupt+0x86/0xa0<br />
<br />
<br />
asm_common_interrupt+0x26/0x40<br />
RIP: 0010:apparmor_socket_post_create+0xb/0x200<br />
Code: 08 48 85 ff 75 a1 eb b1 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 48 89 fd 53 45 85 c0 0f 84 b2 00 00 00 48 8b 1d 80 56 3f 02 48<br />
RSP: 0018:ffffa92940ce7e50 EFLAGS: 00000286<br />
RAX: ffffffffbc756440 RBX: 0000000000000000 RCX: 0000000000000001<br />
RDX: 0000000000000003 RSI: 0000000000000002 RDI: ffff8b574eaab740<br />
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000<br />
R10: ffff8b57444cec70 R11: 0000000000000000 R12: 0000000000000003<br />
R13: 0000000000000002 R14: ffff8b574eaab740 R15: ffffffffbd8e4748<br />
? __pfx_apparmor_socket_post_create+0x10/0x10<br />
security_socket_post_create+0x4b/0x80<br />
__sock_create+0x176/0x1f0<br />
__sys_socket+0x89/0x100<br />
__x64_sys_socket+0x17/0x20<br />
do_syscall_64+0x5d/0x90<br />
? do_syscall_64+0x6c/0x90<br />
? do_syscall_64+0x6c/0x90<br />
? do_syscall_64+0x6c/0x90<br />
entry_SYSCALL_64_after_hwframe+0x72/0xdc
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.282 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.224 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.165 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.103 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.44 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.10.3 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0abe35bc48d4ec80424b1f4b3560c0e082cbd5c1
- https://git.kernel.org/stable/c/290a6b88e8c19b6636ed1acc733d1458206f7697
- https://git.kernel.org/stable/c/347dcb84a4874b5fb375092c08d8cc4069b94f81
- https://git.kernel.org/stable/c/46c17ead5b7389e22e7dc9903fd0ba865d05bda2
- https://git.kernel.org/stable/c/6c920754f62cefc63fccdc38a062c7c3452e2961
- https://git.kernel.org/stable/c/ead2ad1d9f045f26fdce3ef1644913b3a6cd38f2
- https://git.kernel.org/stable/c/fce09ea314505a52f2436397608fa0a5d0934fb1
- https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html