Linux Kernel AppArmor Race Condition Vulnerability in Data Handling

Vulnerability

A race condition vulnerability has been identified in the Linux kernel's AppArmor implementation. AppArmor releases its reference to the data held in 'i_private' after removing the corresponding entry from the filesystem. However, the inode can persist beyond this point, so some filesystem callback functions can still be invoked after the reference has been dropped. This creates a race between deallocating the data and accessing it through the filesystem. The 'rawdata/loaddata' is particularly susceptible to this race, as it has the fewest references. With careful crafting, the race could also affect other data types stored in 'i_private'. The vulnerability has been addressed by moving the release of the 'i_private' referenced data so that it occurs during inode eviction.
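The lifetime ordering described above, modelled in user space as an added example (this is not AppArmor or kernel code, and every struct and function name in it is hypothetical). It tracks a 'freed' flag instead of calling free(), and reports what a filesystem callback would see between entry removal and inode eviction under the pre-fix and fixed release points.

```c
/* Added illustration: user-space model, not AppArmor kernel code.
 * All names (payload, model_inode, replay, ...) are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

struct payload { int refs; bool freed; };   /* stands in for rawdata/loaddata */
struct model_inode { struct payload *i_private; bool evicted; };

static void payload_put(struct payload *p) {
    if (--p->refs == 0)
        p->freed = true;                    /* real code would free the object here */
}

/* A filesystem callback that reads through i_private.
 * Returns 0 if the data is still live, -1 if it would touch freed memory. */
static int fs_callback(const struct model_inode *ino) {
    return ino->i_private->freed ? -1 : 0;
}

/* Entry removal: the pre-fix ordering drops the i_private reference here. */
static void remove_entry(struct model_inode *ino, bool put_on_remove) {
    if (put_on_remove)
        payload_put(ino->i_private);
}

/* Inode eviction: no callback can run after this; the fixed ordering drops here. */
static void evict_inode(struct model_inode *ino, bool put_on_evict) {
    ino->evicted = true;
    if (put_on_evict)
        payload_put(ino->i_private);
}

/* Replay: entry removed while the inode is still held, a callback runs, then
 * the inode is evicted. Returns the callback result seen inside that window. */
static int replay(bool fixed) {
    struct payload p = { .refs = 1, .freed = false };  /* reference held via i_private */
    struct model_inode ino = { .i_private = &p, .evicted = false };

    remove_entry(&ino, !fixed);
    int during_window = fs_callback(&ino);
    evict_inode(&ino, fixed);
    return (p.freed && p.refs == 0) ? during_window : -2;  /* -2: reference leaked */
}

int main(void) {
    printf("pre-fix ordering: %d\n", replay(false));
    printf("fixed ordering:   %d\n", replay(true));
    return 0;
}
```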

Impact

Exploitation of this vulnerability could lead to a use-after-free condition, where data is accessed after it has been freed, potentially causing memory corruption or allowing for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by creating a scenario where AppArmor policies are loaded or unloaded while simultaneously accessing 'rawdata' through the AppArmor filesystem interface. This can be done by crafting a profile that manipulates 'rawdata' entries while the corresponding filesystem callbacks are active, creating a race condition between freeing the data and accessing it.

Remediation

Users should update to the latest stable version of the Linux kernel where this vulnerability has been fixed.

Added: Apr 1, 2026, 9:21 AM
Updated: Apr 1, 2026, 9:21 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 3.8
exploitability: 3.9
remediation: 7.7
relevance: 5.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.