Patchwork [1/2] Revert "UBUNTU: SAUCE: AppArmor: allow newer tools to load policy on older kernels"

Submitter John Johansen
Date Sept. 17, 2010, 4:02 p.m.
Message ID <1284739355-17542-2-git-send-email-john.johansen@canonical.com>
Permalink /patch/65084/
State Accepted
Delegated to: Leann Ogasawara

Comments

John Johansen - Sept. 17, 2010, 4:02 p.m.
This reverts commit 1cfe0dc4352e879fef46f597560b851cd4260beb.

Revert because the patch was missing uncommitted changes, so in its
committed form it allows for kernel buffer overflows.

Signed-off-by: John Johansen <john.johansen@canonical.com>
---
 security/apparmor/policy_unpack.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

Patch

diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index ef11ba9..6b0637b 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -575,6 +575,9 @@  static struct aa_profile *unpack_profile(struct aa_ext *e)
 
 	size = unpack_array(e, "net_allowed_af");
 	if (size) {
+		if (size > AF_MAX)
+			goto fail;
+
 		for (i = 0; i < size; i++) {
 			if (!unpack_u16(e, &profile->net.allow[i], NULL))
 				goto fail;
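
Review bot: the restored bound `if (size > AF_MAX)` is only safe if `profile->net.allow` holds at least AF_MAX entries, and that declaration is not visible in this hunk, so the check and the array size can drift apart unnoticed. If `net.allow` is a fixed-size array, comparing against `ARRAY_SIZE(profile->net.allow)` would tie the limit to the destination that the loop writes through `unpack_u16(e, &profile->net.allow[i], NULL)`. A one-line comment above the check stating that `size` comes from the policy blob being unpacked and bounds the writes in the loop would also help, since the commit message says the missing check allows kernel buffer overflows. Note that with the check back in place, a policy whose `net_allowed_af` array is larger than this kernel's AF_MAX takes the `fail` path rather than loading, which is the case the reverted commit's title was addressing.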