)]}' { "commit": "ff95eb66db18333baae4ab5d976a348b8eae53d3", "tree": "63dbc8bbc918798ad862049ca68f2c768afad480", "parents": [ "82a3d6155c0856f943edc0fac0313a92403b8731" ], "author": { "name": "John Johansen", "email": "john.johansen@canonical.com", "time": "Sun Apr 12 23:39:19 2026 -0700" }, "committer": { "name": "Angel Adetula", "email": "angeladetula@google.com", "time": "Fri May 01 14:14:26 2026 -0700" }, "message": "apparmor: fix race on rawdata dereference\n\ncommit a0b7091c4de45a7325c8780e6934a894f92ac86b upstream.\n\nThere is a race condition that leads to a use-after-free situation:\nbecause the rawdata inodes are not refcounted, an attacker can start\nopen()ing one of the rawdata files, and at the same time remove the\nlast reference to this rawdata (by removing the corresponding profile,\nfor example), which frees its struct aa_loaddata; as a result, when\nseq_rawdata_open() is reached, i_private is a dangling pointer and\nfreed memory is accessed.\n\nThe rawdata inodes weren\u0027t refcounted to avoid a circular refcount and\nwere supposed to be held by the profile rawdata reference. However\nduring profile removal there is a window where the vfs and profile\ndestruction race, resulting in the use after free.\n\nFix this by moving to a double refcount scheme. Where the profile\nrefcount on rawdata is used to break the circular dependency. Allowing\nfor freeing of the rawdata once all inode references to the rawdata\nare put.\n\nBUG\u003db/498911135\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixed CVE-2026-23410 in the Linux kernel.\n\ncos-patch: security-moderate\nFixes: 5d5182cae401 (\"apparmor: move to per loaddata files, instead of replicating in profiles\")\nReported-by: Qualys Security Advisory \u003cqsa@qualys.com\u003e\nReviewed-by: Georgia Garcia \u003cgeorgia.garcia@canonical.com\u003e\nReviewed-by: Maxime BĂ©lair \u003cmaxime.belair@canonical.com\u003e\nReviewed-by: Cengiz Can \u003ccengiz.can@canonical.com\u003e\nTested-by: Salvatore Bonaccorso \u003ccarnil@debian.org\u003e\nChange-Id: I8f1f928561bc2adc84d9983eaed5ef92ddc2fffb\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Kernel CVE Triage Automation \u003ccloud-image-kernel-cve-triage-automation@prod.google.com\u003e\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/146443\nReviewed-by: Robert Kolchmeyer \u003crkolchmeyer@google.com\u003e\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\nReviewed-by: Angel Adetula \u003cangeladetula@google.com\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "f9cb042325e847472355a4471bdb4466d7782735", "old_mode": 33188, "old_path": "security/apparmor/apparmorfs.c", "new_id": "d75ba38de87b1bb8ed17d0f5d2183fec63897c43", "new_mode": 33188, "new_path": "security/apparmor/apparmorfs.c" }, { "type": "modify", "old_id": "e89b701447bcb4c8a45244b2b53d6c6e40bc1a37", "old_mode": 33188, "old_path": "security/apparmor/include/policy_unpack.h", "new_id": "e06031c6d42e0a48c07ef57d21beb72612419dde", "new_mode": 33188, "new_path": "security/apparmor/include/policy_unpack.h" }, { "type": "modify", "old_id": "ba94b3f7f9da39e22861c0edfcee48cb6c727766", "old_mode": 33188, "old_path": "security/apparmor/policy.c", "new_id": "c94e7a6d64b19edc6f2a8f60050ef0058cead69f", "new_mode": 33188, "new_path": "security/apparmor/policy.c" }, { "type": "modify", "old_id": "9e6f3e0d4265a3475e603196c8159e42ab5d13f4", "old_mode": 33188, "old_path": "security/apparmor/policy_unpack.c", "new_id": "afc6987d79a08f992840ea9d4d2a262ef5ef8b09", "new_mode": 33188, "new_path": "security/apparmor/policy_unpack.c" } ] }