diff options
| author | John Johansen <john.johansen@canonical.com> | 2013-02-18 19:12:34 -0500 |
|---|---|---|
| committer | John Johansen <john.johansen@canonical.com> | 2013-04-28 03:37:32 -0400 |
| commit | ed686308c6837ff67f56e4115d0fd6bdc65a4313 (patch) | |
| tree | f883525ee2c10d846c0f9f4c6fcb01208bee5a26 /security/apparmor | |
| parent | 4da05cc08da3f2058cecbe42ed9f4803d669730a (diff) | |
apparmor: reserve and mask off the top 8 bits of the base field
The top 8 bits of the base field have never been used, in fact can't
be used, by the current 'dfa16' format. However they will be used in the
future as flags, so mask them off when using base as an index value.
Note: the use of the top 8 bits, without masking is trapped by the verify
checks that base entries are within the size bounds.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
Diffstat (limited to 'security/apparmor')
| -rw-r--r-- | security/apparmor/match.c | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/security/apparmor/match.c b/security/apparmor/match.c index 1ff823031c73..727eb4200d5c 100644 --- a/security/apparmor/match.c +++ b/security/apparmor/match.c | |||
| @@ -23,6 +23,8 @@ | |||
| 23 | #include "include/apparmor.h" | 23 | #include "include/apparmor.h" |
| 24 | #include "include/match.h" | 24 | #include "include/match.h" |
| 25 | 25 | ||
| 26 | #define base_idx(X) ((X) & 0xffffff) | ||
| 27 | |||
| 26 | /** | 28 | /** |
| 27 | * unpack_table - unpack a dfa table (one of accept, default, base, next check) | 29 | * unpack_table - unpack a dfa table (one of accept, default, base, next check) |
| 28 | * @blob: data to unpack (NOT NULL) | 30 | * @blob: data to unpack (NOT NULL) |
| @@ -137,7 +139,7 @@ static int verify_dfa(struct aa_dfa *dfa, int flags) | |||
| 137 | for (i = 0; i < state_count; i++) { | 139 | for (i = 0; i < state_count; i++) { |
| 138 | if (DEFAULT_TABLE(dfa)[i] >= state_count) | 140 | if (DEFAULT_TABLE(dfa)[i] >= state_count) |
| 139 | goto out; | 141 | goto out; |
| 140 | if (BASE_TABLE(dfa)[i] + 255 >= trans_count) { | 142 | if (base_idx(BASE_TABLE(dfa)[i]) + 255 >= trans_count) { |
| 141 | printk(KERN_ERR "AppArmor DFA next/check upper " | 143 | printk(KERN_ERR "AppArmor DFA next/check upper " |
| 142 | "bounds error\n"); | 144 | "bounds error\n"); |
| 143 | goto out; | 145 | goto out; |
| @@ -313,7 +315,7 @@ unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start, | |||
| 313 | u8 *equiv = EQUIV_TABLE(dfa); | 315 | u8 *equiv = EQUIV_TABLE(dfa); |
| 314 | /* default is direct to next state */ | 316 | /* default is direct to next state */ |
| 315 | for (; len; len--) { | 317 | for (; len; len--) { |
| 316 | pos = base[state] + equiv[(u8) *str++]; | 318 | pos = base_idx(base[state]) + equiv[(u8) *str++]; |
| 317 | if (check[pos] == state) | 319 | if (check[pos] == state) |
| 318 | state = next[pos]; | 320 | state = next[pos]; |
| 319 | else | 321 | else |
| @@ -322,7 +324,7 @@ unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start, | |||
| 322 | } else { | 324 | } else { |
| 323 | /* default is direct to next state */ | 325 | /* default is direct to next state */ |
| 324 | for (; len; len--) { | 326 | for (; len; len--) { |
| 325 | pos = base[state] + (u8) *str++; | 327 | pos = base_idx(base[state]) + (u8) *str++; |
| 326 | if (check[pos] == state) | 328 | if (check[pos] == state) |
| 327 | state = next[pos]; | 329 | state = next[pos]; |
| 328 | else | 330 | else |
| @@ -363,7 +365,7 @@ unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start, | |||
| 363 | u8 *equiv = EQUIV_TABLE(dfa); | 365 | u8 *equiv = EQUIV_TABLE(dfa); |
| 364 | /* default is direct to next state */ | 366 | /* default is direct to next state */ |
| 365 | while (*str) { | 367 | while (*str) { |
| 366 | pos = base[state] + equiv[(u8) *str++]; | 368 | pos = base_idx(base[state]) + equiv[(u8) *str++]; |
| 367 | if (check[pos] == state) | 369 | if (check[pos] == state) |
| 368 | state = next[pos]; | 370 | state = next[pos]; |
| 369 | else | 371 | else |
| @@ -372,7 +374,7 @@ unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start, | |||
| 372 | } else { | 374 | } else { |
| 373 | /* default is direct to next state */ | 375 | /* default is direct to next state */ |
| 374 | while (*str) { | 376 | while (*str) { |
| 375 | pos = base[state] + (u8) *str++; | 377 | pos = base_idx(base[state]) + (u8) *str++; |
| 376 | if (check[pos] == state) | 378 | if (check[pos] == state) |
| 377 | state = next[pos]; | 379 | state = next[pos]; |
| 378 | else | 380 | else |
| @@ -408,14 +410,14 @@ unsigned int aa_dfa_next(struct aa_dfa *dfa, unsigned int state, | |||
| 408 | u8 *equiv = EQUIV_TABLE(dfa); | 410 | u8 *equiv = EQUIV_TABLE(dfa); |
| 409 | /* default is direct to next state */ | 411 | /* default is direct to next state */ |
| 410 | 412 | ||
| 411 | pos = base[state] + equiv[(u8) c]; | 413 | pos = base_idx(base[state]) + equiv[(u8) c]; |
| 412 | if (check[pos] == state) | 414 | if (check[pos] == state) |
| 413 | state = next[pos]; | 415 | state = next[pos]; |
| 414 | else | 416 | else |
| 415 | state = def[state]; | 417 | state = def[state]; |
| 416 | } else { | 418 | } else { |
| 417 | /* default is direct to next state */ | 419 | /* default is direct to next state */ |
| 418 | pos = base[state] + (u8) c; | 420 | pos = base_idx(base[state]) + (u8) c; |
| 419 | if (check[pos] == state) | 421 | if (check[pos] == state) |
| 420 | state = next[pos]; | 422 | state = next[pos]; |
| 421 | else | 423 | else |