Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
apparmor: fix off-by-one comparison on MAXMAPPED_SIG

This came in yesterday, and I have verified our regression tests
were missing this and it can cause an oops. Please apply.

There is an off-by-one comparison on sig against MAXMAPPED_SIG
that can lead to a read outside the sig_map array if sig
is MAXMAPPED_SIG. Fix this.

Verified that the check is an out of bounds case that can cause an oops.

Revised: add comparison fix to second case
Fixes: cd1dbf76b23d ("apparmor: add the ability to mediate signals")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by John Johansen and committed by Linus Torvalds
f7dc4c9a fbc3edf7

+2 -2
security/apparmor/ipc.c
··· 128 128 return SIGUNKNOWN; 129 129 else if (sig >= SIGRTMIN) 130 130 return sig - SIGRTMIN + 128; /* rt sigs mapped to 128 */ 131 - else if (sig <= MAXMAPPED_SIG) 131 + else if (sig < MAXMAPPED_SIG) 132 132 return sig_map[sig]; 133 133 return SIGUNKNOWN; 134 134 } ··· 163 163 audit_signal_mask(ab, aad(sa)->denied); 164 164 } 165 165 } 166 - if (aad(sa)->signal <= MAXMAPPED_SIG) 166 + if (aad(sa)->signal < MAXMAPPED_SIG) 167 167 audit_log_format(ab, " signal=%s", sig_names[aad(sa)->signal]); 168 168 else 169 169 audit_log_format(ab, " signal=rtmin+%d",
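
Review bot: the guard `else if (sig < MAXMAPPED_SIG)` in front of `return sig_map[sig];` in the first hunk still depends on MAXMAPPED_SIG staying equal to the number of entries in sig_map, and nothing in the visible lines enforces that. Consider bounding the index with ARRAY_SIZE(sig_map), or adding a BUILD_BUG_ON that ties the constant to the table size, so a later edit to the table cannot reintroduce the out-of-bounds read the commit message describes. Since the commit message says the regression tests missed this case, a test that exercises the boundary signal value belongs with the fix.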
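
Review bot: in the second hunk, a signal value equal to MAXMAPPED_SIG now fails `if (aad(sa)->signal < MAXMAPPED_SIG)` and falls into the else branch, where it is logged with the " signal=rtmin+%d" format whose argument is cut off in the visible lines. Please confirm that this value is either unreachable here or yields a sensible rtmin offset rather than a misleading audit record. The same bound is now spelled out at two sites in this file, one indexing sig_map and one indexing sig_names; a small shared helper for the range check would keep the two from drifting apart again.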