Linux Kernel AppArmor Out-of-Bounds Read Vulnerability in DFA Character Matching

A vulnerability in the Linux kernel's AppArmor module has been identified, where the 'match_char()' macro can cause out-of-bounds reads. This issue arises because the macro evaluates its character parameter multiple times when processing differential encoding chains. When the macro is called with 'str++', the string pointer advances with each iteration of the inner loop, leading the Deterministic Finite Automaton (DFA) to skip characters and potentially read past the input buffer's end. This flaw was reported by Qualys Security Advisory and affects Linux kernel versions prior to 6.19.0-rc7-next-20260127.

Impact

Exploitation of this vulnerability causes a slab-out-of-bounds error, where the kernel reads memory outside the allocated buffer, potentially leading to information disclosure or memory corruption.

Reproduction

The vulnerability can be reproduced by using a version of the Linux kernel that is prior to the fixed version, with the AppArmor security module enabled. The issue manifests when the 'match_char()' macro is used in a way that advances the string pointer 'str' with each iteration, causing the DFA to miss characters and read out of bounds.

Remediation

Users can upgrade to the latest stable version of the Linux kernel to address this vulnerability.