summaryrefslogtreecommitdiffstats
path: root/security/apparmor
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2019-08-31 15:55:06 -0700
committerJohn Johansen <john.johansen@canonical.com>2020-01-18 15:37:24 -0800
commitc659696964a7530ddd9ae075919b44f263fba05c (patch)
treebf7f0306da8dcf3d69aa9e3c96e09b06c6a1e2da /security/apparmor
parente4f4e6ba5eaadb839d17cfe5235cff149a44b36a (diff)
downloadlinux-c659696964a7530ddd9ae075919b44f263fba05c.tar.gz
linux-c659696964a7530ddd9ae075919b44f263fba05c.tar.bz2
linux-c659696964a7530ddd9ae075919b44f263fba05c.zip
apparmor: add a valid state flags check
Add a check to ensure only known state flags are set on each state in the dfa. Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor')
-rw-r--r--security/apparmor/include/match.h4
-rw-r--r--security/apparmor/match.c4
2 files changed, 8 insertions, 0 deletions
diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h
index e23f4aadc1ff..f280b046361e 100644
--- a/security/apparmor/include/match.h
+++ b/security/apparmor/include/match.h
@@ -181,5 +181,9 @@ static inline void aa_put_dfa(struct aa_dfa *dfa)
#define MATCH_FLAG_DIFF_ENCODE 0x80000000
#define MARK_DIFF_ENCODE 0x40000000
+#define MATCH_FLAG_OOB_TRANSITION 0x20000000
+#define MATCH_FLAGS_MASK 0xff000000
+#define MATCH_FLAGS_VALID MATCH_FLAG_DIFF_ENCODE
+#define MATCH_FLAGS_INVALID (MATCH_FLAGS_MASK & ~MATCH_FLAGS_VALID)
#endif /* __AA_MATCH_H */
diff --git a/security/apparmor/match.c b/security/apparmor/match.c
index 525ce22dc0e9..b477352305ed 100644
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -202,6 +202,10 @@ static int verify_dfa(struct aa_dfa *dfa)
if (!(BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE) &&
(DEFAULT_TABLE(dfa)[i] >= state_count))
goto out;
+ if (BASE_TABLE(dfa)[i] & MATCH_FLAGS_INVALID) {
+ pr_err("AppArmor DFA state with invalid match flags");
+ goto out;
+ }
if (base_idx(BASE_TABLE(dfa)[i]) + 255 >= trans_count) {
pr_err("AppArmor DFA next/check upper bounds error\n");
goto out;