From patchwork Fri Dec 3 22:14:23 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: John Johansen
X-Patchwork-Id: 74215
X-Patchwork-Delegate: brad.figg@canonical.com
From: John Johansen
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 1/2] AppArmor: fix the upper bound check for the next/check table
Date: Fri, 3 Dec 2010 14:14:23 -0800
Message-Id: <1291414464-6518-2-git-send-email-john.johansen@canonical.com>
X-Mailer: git-send-email 1.7.1
In-Reply-To: <1291414464-6518-1-git-send-email-john.johansen@canonical.com>
References: <1291414464-6518-1-git-send-email-john.johansen@canonical.com>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Kernel team discussions
MIME-Version: 1.0
Sender: kernel-team-bounces@lists.ubuntu.com
Errors-To: kernel-team-bounces@lists.ubuntu.com

BugLink: http://bugs.launchpad.net/bugs/581525

SRU Justification (apparmor)

Impact of the bug is medium for stable releases.

There are two parts to this bug: the kernel side OOPSing when the parser generates invalid tables, and the parser generating correct tables. The lucid kernel should receive the fix sometime in the future, but the userspace should also be fixed.

The kernel bug was a broken test in verifying the dfa next/check table size (so the userspace bug was not caught when it should have been). This means that it can at times reference beyond the dfa table (by at most 255 entries).

The userspace bug is that the next/check table is not correctly padded with 0 entries, so that it is impossible to reference beyond the end of the table when in the states that use the end of the table for their references.

The next/check table needs to be >= largest base value + 255 (byte range being 0..255) to avoid any possible bounds violations.

Fix the test which incorrectly was testing that the next/check table + 256 <= base values.

Signed-off-by: John Johansen
Acked-by: Tim Gardner
Acked-by: Brad Figg
---
 security/apparmor/match.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/security/apparmor/match.c b/security/apparmor/match.c index a3730e2..b456495 100644 --- a/security/apparmor/match.c +++ b/security/apparmor/match.c @@ -177,8 +177,10 @@ static int verify_dfa(struct aa_dfa *dfa, int flags) if (DEFAULT_TABLE(dfa)[i] >= state_count) goto out; /* TODO: do check that DEF state recursion terminates */ - if (BASE_TABLE(dfa)[i] >= trans_count + 256) + if (BASE_TABLE(dfa)[i] + 255 >= trans_count) { + printk("AppArmor DFA next/check upper bounds error\n"); goto out; + } } for (i = 0; i < trans_count; i++) {
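Review bot: the rewritten condition `BASE_TABLE(dfa)[i] + 255 >= trans_count` is the right predicate (the base plus the largest byte value must still be a valid index, which the old `>= trans_count + 256` test got wrong by letting a base of up to trans_count + 255 through, matching the 255-entry overrun the message describes), but the addition is performed in the width of the table entry: if BASE_TABLE entries are unsigned 32-bit and trans_count is wider, a base near UINT_MAX wraps to a small value and passes. The equivalent `if (trans_count < 256 || BASE_TABLE(dfa)[i] > trans_count - 256)` expresses the same bound without adding to the untrusted value. Separately, the new `printk("AppArmor DFA next/check upper bounds error\n")` carries no log level; kernel style is `printk(KERN_ERR ...)` or `pr_err(...)` so the message is not filtered by the console loglevel.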
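As an added illustration, not part of the patch and not the kernel's own match.c code: a small user-space C model of the size relation stated in the justification (the next/check table must be >= largest base value + 255), run over constructed base tables against a 512-entry table. It compares the pre-patch test, the patched test written as in the hunk, and a variant that avoids the 32-bit addition. The function names (verify_base_old, verify_base_patched, verify_base_nowrap, trans_index, lookup_in_bounds), the sample tables and the assumption that base entries are 32-bit unsigned while trans_count is size_t are this example's own. It goes one step beyond the patch by showing the one input on which the patched predicate still misbehaves: a base value near UINT32_MAX, where the 32-bit sum wraps.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical model of what verify_dfa() has to guarantee (example code,
 * not the kernel's). A DFA lookup from state s on input byte c indexes the
 * next/check table at base[s] + c with c in 0..255, so base[s] + 255 must
 * be a valid index: base[s] + 255 < trans_count. Entries are uint32_t
 * (assumed, like a u32 table); trans_count is size_t (assumed).
 */

/* Index a lookup touches for (base, byte), widened so it cannot wrap. */
static uint64_t trans_index(uint32_t base, unsigned char c)
{
	return (uint64_t)base + c;
}

/* True if every byte value from this base stays inside the table. */
static bool lookup_in_bounds(uint32_t base, size_t trans_count)
{
	return trans_index(base, 255) < trans_count;
}

/* Pre-patch test: rejects only base >= trans_count + 256, so a base of
 * trans_count + 255 passes and a lookup can run 255 entries past the end. */
static bool verify_base_old(const uint32_t *base, size_t state_count,
			    size_t trans_count)
{
	for (size_t i = 0; i < state_count; i++)
		if (base[i] >= trans_count + 256)
			return false;
	return true;
}

/* Patched test, the predicate as the hunk writes it. The sum is computed
 * in the entry's 32-bit width, so a base near UINT32_MAX wraps around. */
static bool verify_base_patched(const uint32_t *base, size_t state_count,
				size_t trans_count)
{
	for (size_t i = 0; i < state_count; i++) {
		uint32_t last = base[i] + 255;	/* 32-bit arithmetic */
		if (last >= trans_count)
			return false;
	}
	return true;
}

/* Same bound without adding to the untrusted value: cannot wrap.
 * base + 255 >= trans_count  <=>  trans_count < 256 || base > trans_count - 256 */
static bool verify_base_nowrap(const uint32_t *base, size_t state_count,
			       size_t trans_count)
{
	for (size_t i = 0; i < state_count; i++)
		if (trans_count < 256 || base[i] > trans_count - 256)
			return false;
	return true;
}

/* Constructed sample base tables for a 512-entry next/check table
 * (made up for this example, not taken from any real AppArmor policy). */
#define TRANS_COUNT 512u
static const uint32_t base_ok[]      = { 0, 128, 256 };   /* 256 + 255 = 511 < 512 */
static const uint32_t base_overrun[] = { 0, 300 };        /* 300 + 255 = 555 >= 512 */
static const uint32_t base_wrap[]    = { 0, UINT32_MAX }; /* + 255 wraps to 254 */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
	const struct { const char *name; const uint32_t *base; size_t n; } cases[] = {
		{ "ok",      base_ok,      ARRAY_SIZE(base_ok) },
		{ "overrun", base_overrun, ARRAY_SIZE(base_overrun) },
		{ "wrap",    base_wrap,    ARRAY_SIZE(base_wrap) },
	};

	for (size_t i = 0; i < ARRAY_SIZE(cases); i++)
		printf("%-8s old=%d patched=%d nowrap=%d\n", cases[i].name,
		       verify_base_old(cases[i].base, cases[i].n, TRANS_COUNT),
		       verify_base_patched(cases[i].base, cases[i].n, TRANS_COUNT),
		       verify_base_nowrap(cases[i].base, cases[i].n, TRANS_COUNT));
	return 0;
}
```

Build with `cc -Wall -o dfa_bounds dfa_bounds.c && ./dfa_bounds`. The "overrun" row is the bug the patch fixes (old test accepts, patched rejects); the "wrap" row is the case the patched expression still accepts because the u32 sum wraps to 254, while the subtraction form rejects it.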