From 8ab9a329f3c7558a4384e1559705bed3163e6e12 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Tue, 25 Nov 2025 07:07:42 +0800
Subject: [PATCH] apparmor: fix NULL sock in aa_sock_file_perm
ANBZ: #36495
commit 68538ec34fcb4194c7961dc4eca6f5537fec8067 stable.
commit 00b67657535dfea56e84d11492f5c0f61d0af297 upstream.
Deal with the potential that sock and sock-sk can be NULL during socket setup or teardown. This could lead to an oops. The fix for NULL pointer dereference in __unix_needs_revalidation shows this is at least possible for af_unix sockets. While the fix for af_unix sockets applies for newer mediation this is still the fall back path for older af_unix mediation and other sockets, so ensure it is covered.
Fixes: 56974a6fcfef6 ("apparmor: add base infastructure for socket mediation")
Reviewed-by: Georgia Garcia
Signed-off-by: John Johansen
Signed-off-by: Sasha Levin
Fixes: CVE-2026-45848
Assisted-by: PatchPilot
Signed-off-by: 146373 <146373>
---
 security/apparmor/net.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/security/apparmor/net.c b/security/apparmor/net.c
index fa0e85568450..fbbfedd253f6 100644
--- a/security/apparmor/net.c
+++ b/security/apparmor/net.c
@@ -182,8 +182,10 @@ int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request,
 struct socket *sock)
 {
 AA_BUG(!label);
- AA_BUG(!sock);
- AA_BUG(!sock->sk);
+
+ /* sock && sock->sk can be NULL for sockets being set up or torn down */
+ if (!sock || !sock->sk)
+ return 0;
 
 return aa_label_sk_perm(label, op, request, sock->sk);
 }
-- 
Gitee
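Review bot: The new early return in aa_sock_file_perm fails open: `return 0` for a NULL `sock` or `sock->sk` is presumably the same value a granted permission check produces, and the added comment says when this happens but not why allowing is safe. I would spell that out in the comment, e.g. `/* no sk to mediate against during setup/teardown, so there is nothing to deny; allow */`. Separately, `sock->sk` is read once in the test and again in the `aa_label_sk_perm()` call; if teardown can clear it concurrently (not visible in this hunk), the check does not protect the call. Taking a single snapshot, `struct sock *sk = sock ? READ_ONCE(sock->sk) : NULL;` then `if (!sk) return 0;` and passing `sk`, would close that window. The first line of the function signature appears only in the hunk header.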