← Back to branch summary

~apparmor-dev/apparmor/master

« back to all changes in this revision

Viewing changes to kernel-patches/3.3/0003-AppArmor-Allow-dfa-backward-compatibility-with-broke.patch

  • Committer: Steve Beattie
  • Date: 2019-02-19 09:38:13 UTC
  • Revision ID: sbeattie@ubuntu.com-20190219093813-ud526ee6hwn8nljz
The AppArmor project has been converted to git and is now hosted on
gitlab.

To get the converted repository, please do
  git clone https://gitlab.com/apparmor/apparmor

Show diffs side-by-side

added added

removed removed

Lines of Context:
kernel-patches/3.3/0003-AppArmor-Allow-dfa-backward-compatibility-with-broke.patch
1
 
From 5d05f2909c12f6f03581bca9c1fa52dafa10fb0f Mon Sep 17 00:00:00 2001
2
 
From: John Johansen <john.johansen@canonical.com>
3
 
Date: Wed, 10 Aug 2011 22:02:41 -0700
4
 
Subject: [PATCH 3/3] AppArmor: Allow dfa backward compatibility with broken
5
 
 userspace
6
 
 
7
 
The apparmor_parser when compiling policy could generate invalid dfas
8
 
that did not have sufficient padding to avoid invalid references, when
9
 
used by the kernel.  The kernels check to verify the next/check table
10
 
size was broken meaning invalid dfas were being created by userspace
11
 
and not caught.
12
 
 
13
 
To remain compatible with old tools that are not fixed, pad the loaded
14
 
dfas next/check table.  The dfa's themselves are valid except for the
15
 
high padding for potentially invalid transitions (high bounds error),
16
 
which have a maximimum is 256 entries.  So just allocate an extra null filled
17
 
256 entries for the next/check tables.  This will guarentee all bounds
18
 
are good and invalid transitions go to the null (0) state.
19
 
 
20
 
Signed-off-by: John Johansen <john.johansen@canonical.com>
21
 
---
22
 
 security/apparmor/match.c |   17 +++++++++++++++++
23
 
 1 file changed, 17 insertions(+)
24
 
 
25
 
diff --git a/security/apparmor/match.c b/security/apparmor/match.c
26
 
index 94de6b4..081491e 100644
27
 
--- a/security/apparmor/match.c
28
 
+++ b/security/apparmor/match.c
29
 
@@ -57,8 +57,17 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
30
 
        if (bsize < tsize)
31
 
                goto out;
32
 
 
33
 
+       /* Pad table allocation for next/check by 256 entries to remain
34
 
+        * backwards compatible with old (buggy) tools and remain safe without
35
 
+        * run time checks
36
 
+        */
37
 
+       if (th.td_id == YYTD_ID_NXT || th.td_id == YYTD_ID_CHK)
38
 
+               tsize += 256 * th.td_flags;
39
 
+
40
 
        table = kvmalloc(tsize);
41
 
        if (table) {
42
 
+               /* ensure the pad is clear, else there will be errors */
43
 
+               memset(table, 0, tsize);
44
 
                *table = th;
45
 
                if (th.td_flags == YYTD_DATA8)
46
 
                        UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
47
 
@@ -134,11 +143,19 @@ static int verify_dfa(struct aa_dfa *dfa, int flags)
48
 
                goto out;
49
 
 
50
 
        if (flags & DFA_FLAG_VERIFY_STATES) {
51
 
+               int warning = 0;
52
 
                for (i = 0; i < state_count; i++) {
53
 
                        if (DEFAULT_TABLE(dfa)[i] >= state_count)
54
 
                                goto out;
55
 
                        /* TODO: do check that DEF state recursion terminates */
56
 
                        if (BASE_TABLE(dfa)[i] + 255 >= trans_count) {
57
 
+                               if (warning)
58
 
+                                       continue;
59
 
+                               printk(KERN_WARNING "AppArmor DFA next/check "
60
 
+                                      "upper bounds error fixed, upgrade "
61
 
+                                      "user space tools \n");
62
 
+                               warning = 1;
63
 
+                       } else if (BASE_TABLE(dfa)[i] >= trans_count) {
64
 
                                printk(KERN_ERR "AppArmor DFA next/check upper "
65
 
                                       "bounds error\n");
66
 
                                goto out;
67
 
1.7.9.5
68