)]}'
{
  "commit": "2e246cc16ea70388d1ce7be1ce694805ccb64d3f",
  "tree": "451d18719ee7d3032bda8d84f5f63f262543511e",
  "parents": [
    "ff95eb66db18333baae4ab5d976a348b8eae53d3"
  ],
  "author": {
    "name": "Massimiliano Pellizzer",
    "email": "massimiliano.pellizzer@canonical.com",
    "time": "Sun Apr 12 23:39:14 2026 -0700"
  },
  "committer": {
    "name": "Angel Adetula",
    "email": "angeladetula@google.com",
    "time": "Fri May 01 14:15:03 2026 -0700"
  },
  "message": "apparmor: fix side-effect bug in match_char() macro usage\n\ncommit 8756b68edae37ff546c02091989a4ceab3f20abd upstream.\n\nThe match_char() macro evaluates its character parameter multiple\ntimes when traversing differential encoding chains. When invoked\nwith *str++, the string pointer advances on each iteration of the\ninner do-while loop, causing the DFA to check different characters\nat each iteration and therefore skip input characters.\nThis results in out-of-bounds reads when the pointer advances past\nthe input buffer boundary.\n\n[   94.984676] \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n[   94.985301] BUG: KASAN: slab-out-of-bounds in aa_dfa_match+0x5ae/0x760\n[   94.985655] Read of size 1 at addr ffff888100342000 by task file/976\n\n[   94.986319] CPU: 7 UID: 1000 PID: 976 Comm: file Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)\n[   94.986322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   94.986329] Call Trace:\n[   94.986341]  \u003cTASK\u003e\n[   94.986347]  dump_stack_lvl+0x5e/0x80\n[   94.986374]  print_report+0xc8/0x270\n[   94.986384]  ? aa_dfa_match+0x5ae/0x760\n[   94.986388]  kasan_report+0x118/0x150\n[   94.986401]  ? aa_dfa_match+0x5ae/0x760\n[   94.986405]  aa_dfa_match+0x5ae/0x760\n[   94.986408]  __aa_path_perm+0x131/0x400\n[   94.986418]  aa_path_perm+0x219/0x2f0\n[   94.986424]  apparmor_file_open+0x345/0x570\n[   94.986431]  security_file_open+0x5c/0x140\n[   94.986442]  do_dentry_open+0x2f6/0x1120\n[   94.986450]  vfs_open+0x38/0x2b0\n[   94.986453]  ? may_open+0x1e2/0x2b0\n[   94.986466]  path_openat+0x231b/0x2b30\n[   94.986469]  ? __x64_sys_openat+0xf8/0x130\n[   94.986477]  do_file_open+0x19d/0x360\n[   94.986487]  do_sys_openat2+0x98/0x100\n[   94.986491]  __x64_sys_openat+0xf8/0x130\n[   94.986499]  do_syscall_64+0x8e/0x660\n[   94.986515]  ? count_memcg_events+0x15f/0x3c0\n[   94.986526]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   94.986540]  ? handle_mm_fault+0x1639/0x1ef0\n[   94.986551]  ? vma_start_read+0xf0/0x320\n[   94.986558]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   94.986561]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   94.986563]  ? fpregs_assert_state_consistent+0x50/0xe0\n[   94.986572]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   94.986574]  ? arch_exit_to_user_mode_prepare+0x9/0xb0\n[   94.986587]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   94.986588]  ? irqentry_exit+0x3c/0x590\n[   94.986595]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[   94.986597] RIP: 0033:0x7fda4a79c3ea\n\nFix by extracting the character value before invoking match_char,\nensuring single evaluation per outer loop.\n\nBUG\u003db/498910654\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixed CVE-2026-23406 in the Linux kernel.\n\ncos-patch: security-moderate\nFixes: 074c1cd798cb (\"apparmor: dfa move character match into a macro\")\nReported-by: Qualys Security Advisory \u003cqsa@qualys.com\u003e\nTested-by: Salvatore Bonaccorso \u003ccarnil@debian.org\u003e\nReviewed-by: Georgia Garcia \u003cgeorgia.garcia@canonical.com\u003e\nReviewed-by: Cengiz Can \u003ccengiz.can@canonical.com\u003e\nChange-Id: I9ed46de19c8b07411c54c24454a26d1c056408e6\nSigned-off-by: Massimiliano Pellizzer \u003cmassimiliano.pellizzer@canonical.com\u003e\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Kernel CVE Triage Automation \u003ccloud-image-kernel-cve-triage-automation@prod.google.com\u003e\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/146467\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\nReviewed-by: Angel Adetula \u003cangeladetula@google.com\u003e\nReviewed-by: Robert Kolchmeyer \u003crkolchmeyer@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "93995b0be06c2b848485cb3150c71e376a388907",
      "old_mode": 33188,
      "old_path": "security/apparmor/match.c",
      "new_id": "8972d1b57b7a66551f2b2cc428aabb0e500c9dd2",
      "new_mode": 33188,
      "new_path": "security/apparmor/match.c"
    }
  ]
}