Commit c6596969 authored by John Johansen's avatar John Johansen
Browse files

apparmor: add a valid state flags check 



Add a check to ensure only known state flags are set on each
state in the dfa.

Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent e4f4e6ba

security/apparmor/include/match.h

+4 −0
Original line number Diff line number Diff line
@@ -181,5 +181,9 @@ static inline void aa_put_dfa(struct aa_dfa *dfa) 


#define MATCH_FLAG_DIFF_ENCODE 0x80000000

#define MARK_DIFF_ENCODE 0x40000000

#define MATCH_FLAG_OOB_TRANSITION 0x20000000

#define MATCH_FLAGS_MASK 0xff000000

#define MATCH_FLAGS_VALID MATCH_FLAG_DIFF_ENCODE

#define MATCH_FLAGS_INVALID (MATCH_FLAGS_MASK & ~MATCH_FLAGS_VALID)



#endif /* __AA_MATCH_H */

security/apparmor/match.c

+4 −0
Original line number Diff line number Diff line
@@ -202,6 +202,10 @@ static int verify_dfa(struct aa_dfa *dfa) 
		if (!(BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE) &&

		    (DEFAULT_TABLE(dfa)[i] >= state_count))

			goto out;

		if (BASE_TABLE(dfa)[i] & MATCH_FLAGS_INVALID) {

			pr_err("AppArmor DFA state with invalid match flags");

			goto out;

		}

		if (base_idx(BASE_TABLE(dfa)[i]) + 255 >= trans_count) {

			pr_err("AppArmor DFA next/check upper bounds error\n");

			goto out;

CRA Git | Maintained and supported by SUSTech CRA and CCSE