Commit e2938ad0 authored Oct 09, 2025 by System Administrator Committed by John Johansen Jan 18, 2026

apparmor: fix NULL pointer dereference in __unix_needs_revalidation



When receiving file descriptors via SCM_RIGHTS, both the socket pointer
and the socket's sk pointer can be NULL during socket setup or teardown,
causing NULL pointer dereferences in __unix_needs_revalidation().

This is a regression in AppArmor 5.0.0 (kernel 6.17+) where the new
__unix_needs_revalidation() function was added without proper NULL checks.

The crash manifests as:
  BUG: kernel NULL pointer dereference, address: 0x0000000000000018
  RIP: aa_file_perm+0xb7/0x3b0 (or +0xbe/0x3b0, +0xc0/0x3e0)
  Call Trace:
   apparmor_file_receive+0x42/0x80
   security_file_receive+0x2e/0x50
   receive_fd+0x1d/0xf0
   scm_detach_fds+0xad/0x1c0

The function dereferences sock->sk->sk_family without checking if either
sock or sock->sk is NULL first.

Add NULL checks for both sock and sock->sk before accessing sk_family.

Fixes: 88fec352 ("apparmor: make sure unix socket labeling is correctly updated.")
Reported-by: Jamin Mc <jaminmc@gmail.com>
Closes: https://bugzilla.proxmox.com/show_bug.cgi?id=7083
Closes: https://gitlab.com/apparmor/apparmor/-/issues/568


Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Signed-off-by: System Administrator <root@localhost>
Signed-off-by: John Johansen <john.johansen@canonical.com>

parent 93d4dbdc

security/apparmor/file.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -578,6 +578,9 @@ static bool __unix_needs_revalidation(struct file file, struct aa_label label,
		return false;
		if (request & NET_PEER_MASK)
		return false;
		/* sock and sock->sk can be NULL for sockets being set up or torn down */
		if (!sock \|\| !sock->sk)
		return false;
		if (sock->sk->sk_family == PF_UNIX) {
		struct aa_sk_ctx *ctx = aa_sock(sock->sk);