Fix apparmor vulnerabilities (QID-45097) #560
saiarcot895 wants to merge 1 commit into sonic-net:master from
CVEs: CVE-2026-23268, CVE-2026-23269, CVE-2026-23403, CVE-2026-23404, CVE-2026-23405, CVE-2026-23406, CVE-2026-23407, CVE-2026-23408, CVE-2026-23409, CVE-2026-23410, CVE-2026-23411 Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
Pull request overview
Adds the Qualys QID-45097 (“CrackArmor”) upstream AppArmor fixes to the SONiC kernel patch stack to address the listed CVEs.
Changes:
- Adds 11 AppArmor security patches under patches-sonic/qsa-2026-apparmor/.
- Updates patches-sonic/series to apply the new patch set.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| patches-sonic/series | Appends the new QID-45097 AppArmor patch set to the applied patch series. |
| patches-sonic/qsa-2026-apparmor/0001-apparmor-validate-DFA-start-states-are-in-bounds-in-.patch | Adds bounds validation for DFA start states during policy unpacking. |
| patches-sonic/qsa-2026-apparmor/0002-apparmor-fix-memory-leak-in-verify_header.patch | Fixes a namespace string leak / verification issue in header validation. |
| patches-sonic/qsa-2026-apparmor/0003-apparmor-replace-recursive-profile-removal-with-iter.patch | Replaces recursive nested-profile removal to avoid kernel stack exhaustion. |
| patches-sonic/qsa-2026-apparmor/0004-apparmor-fix-limit-the-number-of-levels-of-policy-na.patch | Introduces a hard cap on AppArmor policy namespace nesting depth. |
| patches-sonic/qsa-2026-apparmor/0005-apparmor-fix-side-effect-bug-in-match_char-macro-usa.patch | Fixes side-effect/multiple-evaluation issues in DFA matching. |
| patches-sonic/qsa-2026-apparmor/0006-apparmor-fix-missing-bounds-check-on-DEFAULT-table-i.patch | Ensures DEFAULT table entries are bounds-checked to prevent OOB access. |
| patches-sonic/qsa-2026-apparmor/0007-apparmor-Fix-double-free-of-ns_name-in-aa_replace_pr.patch | Prevents double-free of ns_name during profile replacement. |
| patches-sonic/qsa-2026-apparmor/0008-apparmor-fix-unprivileged-local-user-can-do-privileg.patch | Prevents confused-deputy policy management via passed FDs by tightening privilege checks. |
| patches-sonic/qsa-2026-apparmor/0009-apparmor-fix-differential-encoding-verification.patch | Corrects differential encoding verification to prevent malicious loops. |
| patches-sonic/qsa-2026-apparmor/0010-apparmor-fix-race-on-rawdata-dereference.patch | Fixes a rawdata dereference race (potential UAF) with refcounting changes. |
| patches-sonic/qsa-2026-apparmor/0011-apparmor-fix-race-between-freeing-data-and-fs-access.patch | Fixes i_private lifetime handling and related races between fs access and data freeing. |
| @@ -760,7 +760,17 @@ static int unpack_pdb(struct aa_ext *e, struct aa_policydb **policy, | ||
| if (!aa_unpack_u32(e, &pdb->start[AA_CLASS_FILE], "dfa_start")) { | ||
| /* default start state for xmatch and file dfa */ | ||
| pdb->start[AA_CLASS_FILE] = DFA_START; | ||
| - } /* setup class index */ | ||
| + } | ||
| + | ||
| + size_t state_count = pdb->dfa->tables[YYTD_ID_BASE]->td_lolen; |
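Review bot: the `-` line drops the `/* setup class index */` comment that labelled the code following the closing brace, and none of the `+` lines restore it; keep that comment on the line directly above the code it described so the step stays labelled once the `state_count` declaration is inserted in between. The new declaration also dereferences `pdb->dfa` unconditionally, so it is worth confirming in the full patch that `dfa` is guaranteed non-NULL at this point in `unpack_pdb()` for every policy class that reaches it.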
The patch introduces a new local variable declaration (state_count) after executable statements inside unpack_pdb(). This will trigger kernel checkpatch warnings for mixed declarations and code; please move the declaration to the start of the enclosing block (or function scope) before any non-declaration statements.
| @@ -760,7 +760,17 @@ static int unpack_pdb(struct aa_ext *e, struct aa_policydb **policy, | |
| if (!aa_unpack_u32(e, &pdb->start[AA_CLASS_FILE], "dfa_start")) { | |
| /* default start state for xmatch and file dfa */ | |
| pdb->start[AA_CLASS_FILE] = DFA_START; | |
| - } /* setup class index */ | |
| + } | |
| + | |
| + size_t state_count = pdb->dfa->tables[YYTD_ID_BASE]->td_lolen; | |
| @@ -760,8 +760,18 @@ static int unpack_pdb(struct aa_ext *e, struct aa_policydb **policy, | |
| + size_t state_count; | |
| + | |
| if (!aa_unpack_u32(e, &pdb->start[AA_CLASS_FILE], "dfa_start")) { | |
| /* default start state for xmatch and file dfa */ | |
| pdb->start[AA_CLASS_FILE] = DFA_START; | |
| - } /* setup class index */ | |
| + } | |
| + | |
| + state_count = pdb->dfa->tables[YYTD_ID_BASE]->td_lolen; |
| /* release any children lists first */ | ||
| - __aa_profile_list_release(&profile->base.profiles); | ||
| + if (!list_empty(&profile->base.profiles)) { | ||
| + curr = list_first_entry(&profile->base.profiles, struct aa_profile, base.list); |
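Review bot: the `list_empty()` guard in front of `list_first_entry()` is necessary, since `list_first_entry()` on an empty list yields the list head cast to `struct aa_profile` rather than a valid entry; the hunk stops at that assignment, so the declaration of `curr` and the loop that walks and frees the children are out of view here. Please check in the full patch that every subsequent step of the iteration re-applies the same emptiness test before taking the next entry (`list_first_entry_or_null()` keeps that in one expression), otherwise the replacement for the recursive `__aa_profile_list_release()` call trades stack exhaustion for an invalid-pointer dereference on the last child.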
This new line is well over the kernel style line-length limit and is likely to be flagged by checkpatch. Please wrap the list_first_entry() assignment across multiple lines (e.g., break arguments onto separate lines) to keep within the usual 80-column kernel formatting.
| + curr = list_first_entry(&profile->base.profiles, struct aa_profile, base.list); | |
| + curr = list_first_entry(&profile->base.profiles, | |
| + struct aa_profile, base.list); |
| - return dent; | ||
| + return aafs_create_file(name, S_IFREG | 0444, dir, &profile->label.proxy->count, fops); | ||
| } |
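Review bot: removing `return dent;` in favour of returning the `aafs_create_file()` result directly leaves the `dent` declaration above this hunk, if it is still there, as an unused variable that will warn; the patch should drop that declaration as well. The data pointer handed to `aafs_create_file()` is now `&profile->label.proxy->count`, a refcount inside the proxy rather than the profile, so the `fops` passed alongside it must be the handlers that expect that pointer type in `i_private`; please confirm the matching read side in this patch uses the same type.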
This return statement is a single very long line and is likely to be flagged by checkpatch for exceeding the kernel line-length limit. Please wrap the aafs_create_file() call across multiple lines for readability and to satisfy kernel formatting checks.
/azp run
Azure Pipelines successfully started running 1 pipeline(s).