ich777/linux_media
1
0
Fork 0
mirror of https://github.com/tbsdtv/linux_media.git synced 2025-07-23 20:51:03 +02:00
Code Issues Packages Projects Releases Wiki Activity

apparmor: add a valid state flags check

Browse Source 
Add a check to ensure only known state flags are set on each
state in the dfa.

Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen
2019-08-31 15:55:06 -07:00
parent e4f4e6ba5e
commit c659696964
2 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
security/apparmor/include/match.h
View File

@@ -181,5 +181,9 @@ static inline void aa_put_dfa(struct aa_dfa *dfa)
#define MATCH_FLAG_DIFF_ENCODE 0x80000000 #define MATCH_FLAG_DIFF_ENCODE 0x80000000
#define MARK_DIFF_ENCODE 0x40000000 #define MARK_DIFF_ENCODE 0x40000000
#define MATCH_FLAG_OOB_TRANSITION 0x20000000
#define MATCH_FLAGS_MASK 0xff000000
#define MATCH_FLAGS_VALID MATCH_FLAG_DIFF_ENCODE
#define MATCH_FLAGS_INVALID (MATCH_FLAGS_MASK & ~MATCH_FLAGS_VALID)
#endif /* __AA_MATCH_H */ #endif /* __AA_MATCH_H */

4
security/apparmor/match.c
View File

@@ -202,6 +202,10 @@ static int verify_dfa(struct aa_dfa *dfa)
if (!(BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE) && if (!(BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE) &&
(DEFAULT_TABLE(dfa)[i] >= state_count)) (DEFAULT_TABLE(dfa)[i] >= state_count))
goto out; goto out;
if (BASE_TABLE(dfa)[i] & MATCH_FLAGS_INVALID) {
pr_err("AppArmor DFA state with invalid match flags");
goto out;
}
if (base_idx(BASE_TABLE(dfa)[i]) + 255 >= trans_count) { if (base_idx(BASE_TABLE(dfa)[i]) + 255 >= trans_count) {
pr_err("AppArmor DFA next/check upper bounds error\n"); pr_err("AppArmor DFA next/check upper bounds error\n");
goto out; goto out;