summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2019-09-01 00:55:45 +0200
committerJohn Johansen <john.johansen@canonical.com>2020-01-19 00:37:49 +0100
commitdae6029325a4744e639eb048c13f53c24320aeda (patch)
tree8cbf2b4b7a5070fecca75bef1bfb4cb01843eb1b /security
parentapparmor: add a valid state flags check (diff)
downloadlinux-dae6029325a4744e639eb048c13f53c24320aeda.tar.xz
linux-dae6029325a4744e639eb048c13f53c24320aeda.zip
apparmor: add consistency check between state and dfa diff encode flags
Check that a states diff encode flag is only set if diff encode is enabled in the dfa header. Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security')
-rw-r--r--security/apparmor/match.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/security/apparmor/match.c b/security/apparmor/match.c
index b477352305ed..651dbb6e38b8 100644
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -206,6 +206,12 @@ static int verify_dfa(struct aa_dfa *dfa)
pr_err("AppArmor DFA state with invalid match flags");
goto out;
}
+ if ((BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE)) {
+ if (!(dfa->flags & YYTH_FLAG_DIFF_ENCODE)) {
+ pr_err("AppArmor DFA diff encoded transition state without header flag");
+ goto out;
+ }
+ }
if (base_idx(BASE_TABLE(dfa)[i]) + 255 >= trans_count) {
pr_err("AppArmor DFA next/check upper bounds error\n");
goto out;