diff options
| -rw-r--r-- | security/apparmor/match.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/security/apparmor/match.c b/security/apparmor/match.c index 5cb4dc1f6992..0248bb305f90 100644 --- a/security/apparmor/match.c +++ b/security/apparmor/match.c @@ -57,8 +57,17 @@ static struct table_header *unpack_table(char *blob, size_t bsize) if (bsize < tsize) goto out; + /* Pad table allocation for next/check by 256 entries to remain + * backwards compatible with old (buggy) tools and remain safe without + * run time checks + */ + if (th.td_id == YYTD_ID_NXT || th.td_id == YYTD_ID_CHK) + tsize += 256 * th.td_flags; + table = kvmalloc(tsize); if (table) { + /* ensure the pad is clear, else there will be errors */ + memset(table, 0, tsize); *table = th; if (th.td_flags == YYTD_DATA8) UNPACK_ARRAY(table->td_data, blob, th.td_lolen, @@ -134,11 +143,19 @@ static int verify_dfa(struct aa_dfa *dfa, int flags) goto out; if (flags & DFA_FLAG_VERIFY_STATES) { + int warning = 0; for (i = 0; i < state_count; i++) { if (DEFAULT_TABLE(dfa)[i] >= state_count) goto out; /* TODO: do check that DEF state recursion terminates */ if (BASE_TABLE(dfa)[i] + 255 >= trans_count) { + if (warning) + continue; + printk(KERN_WARNING "AppArmor DFA next/check " + "upper bounds error fixed, upgrade " + "user space tools \n"); + warning = 1; + } else if (BASE_TABLE(dfa)[i] >= trans_count) { printk(KERN_ERR "AppArmor DFA next/check upper " "bounds error\n"); goto out; |