diff options
author | John Johansen <john.johansen@canonical.com> | 2019-09-01 00:55:45 +0200 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2020-01-19 00:37:49 +0100 |
commit | dae6029325a4744e639eb048c13f53c24320aeda (patch) | |
tree | 8cbf2b4b7a5070fecca75bef1bfb4cb01843eb1b /security | |
parent | apparmor: add a valid state flags check (diff) | |
download | linux-dae6029325a4744e639eb048c13f53c24320aeda.tar.xz linux-dae6029325a4744e639eb048c13f53c24320aeda.zip |
apparmor: add consistency check between state and dfa diff encode flags
Check that a states diff encode flag is only set if diff encode is
enabled in the dfa header.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/apparmor/match.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/security/apparmor/match.c b/security/apparmor/match.c index b477352305ed..651dbb6e38b8 100644 --- a/security/apparmor/match.c +++ b/security/apparmor/match.c @@ -206,6 +206,12 @@ static int verify_dfa(struct aa_dfa *dfa) pr_err("AppArmor DFA state with invalid match flags"); goto out; } + if ((BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE)) { + if (!(dfa->flags & YYTH_FLAG_DIFF_ENCODE)) { + pr_err("AppArmor DFA diff encoded transition state without header flag"); + goto out; + } + } if (base_idx(BASE_TABLE(dfa)[i]) + 255 >= trans_count) { pr_err("AppArmor DFA next/check upper bounds error\n"); goto out; |