author | John Johansen <john.johansen@canonical.com> | 2019-08-31 15:55:06 -0700 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2020-01-18 15:37:24 -0800 |
commit | c659696964a7530ddd9ae075919b44f263fba05c (patch) | |
tree | bf7f0306da8dcf3d69aa9e3c96e09b06c6a1e2da /security/apparmor/match.c | |
parent | e4f4e6ba5eaadb839d17cfe5235cff149a44b36a (diff) | |
download | linux-c659696964a7530ddd9ae075919b44f263fba05c.tar.bz2 |
apparmor: add a valid state flags check
Add a check to ensure only known state flags are set on each
state in the dfa.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/match.c')
-rw-r--r-- | security/apparmor/match.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/security/apparmor/match.c b/security/apparmor/match.c
index 525ce22dc0e9..b477352305ed 100644
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -202,6 +202,10 @@ static int verify_dfa(struct aa_dfa *dfa)
 if (!(BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE) &&
 (DEFAULT_TABLE(dfa)[i] >= state_count))
 goto out;
+ if (BASE_TABLE(dfa)[i] & MATCH_FLAGS_INVALID) {
+ pr_err("AppArmor DFA state with invalid match flags");
+ goto out;
+ }
 if (base_idx(BASE_TABLE(dfa)[i]) + 255 >= trans_count) {
 pr_err("AppArmor DFA next/check upper bounds error\n");
 goto out; |
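Review bot: The added `pr_err("AppArmor DFA state with invalid match flags");` has no trailing newline, unlike the `pr_err("AppArmor DFA next/check upper bounds error\n");` just below it, so the message can run into the next kernel log record. It should read `pr_err("AppArmor DFA state with invalid match flags\n");`. Because this branch rejects a policy DFA during verification, the message would be more useful for triage if it also reported the state index `i` and the offending bits of `BASE_TABLE(dfa)[i]`. `MATCH_FLAGS_INVALID` is defined outside this hunk, so whether it covers every bit not claimed by a known flag cannot be confirmed from here and is worth a one-line comment at its definition. The body of `verify_dfa` starts and ends outside the hunk.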