tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

apparmor: validate DFA start states are in bounds in unpack_pdb

Start states are read from untrusted data and used as indexes into the
DFA state tables. The aa_dfa_next() function call in unpack_pdb() will
access dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds
the number of states in the DFA, this results in an out-of-bound read.

==================================================================
BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360
Read of size 4 at addr ffff88811956fb90 by task su/1097
...

Reject policies with out-of-bounds start states during unpacking
to prevent the issue.

Fixes: ad5ff3db53c6 ("AppArmor: Add ability to load extended policy")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

authored by

Massimiliano Pellizzer and committed by
John Johansen 9063d7e2 1f318b96

+11 -1
+11 -1
security/apparmor/policy_unpack.c
··· 1010 1010 if (!aa_unpack_u32(e, &pdb->start[AA_CLASS_FILE], "dfa_start")) { 1011 1011 /* default start state for xmatch and file dfa */ 1012 1012 pdb->start[AA_CLASS_FILE] = DFA_START; 1013 - } /* setup class index */ 1013 + } 1014 + 1015 + size_t state_count = pdb->dfa->tables[YYTD_ID_BASE]->td_lolen; 1016 + 1017 + if (pdb->start[0] >= state_count || 1018 + pdb->start[AA_CLASS_FILE] >= state_count) { 1019 + *info = "invalid dfa start state"; 1020 + goto fail; 1021 + } 1022 + 1023 + /* setup class index */ 1014 1024 for (i = AA_CLASS_FILE + 1; i <= AA_CLASS_LAST; i++) { 1015 1025 pdb->start[i] = aa_dfa_next(pdb->dfa, pdb->start[0], 1016 1026 i);