apparmor: fix PROFILE_MEDIATES for untrusted input
While commit11c236b89d
("apparmor: add a default null dfa") ensure every profile has a policy.dfa it does not resize the policy.start[] to have entries for every possible start value. Which means PROFILE_MEDIATES is not safe to use on untrusted input. Unforunately commitb9590ad4c4
("apparmor: remove POLICY_MEDIATES_SAFE") did not take into account the start value usage. The input string in profile_query_cb() is user controlled and is not properly checked to be within the limited start[] entries, even worse it can't be as userspace policy is allowed to make us of entries types the kernel does not know about. This mean usespace can currently cause the kernel to access memory up to 240 entries beyond the start array bounds. Cc: stable@vger.kernel.org Fixes:b9590ad4c4
("apparmor: remove POLICY_MEDIATES_SAFE") Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
parent
9e0babf2c0
commit
23375b13f9
|
@ -213,7 +213,16 @@ static inline struct aa_profile *aa_get_newest_profile(struct aa_profile *p)
|
|||
return labels_profile(aa_get_newest_label(&p->label));
|
||||
}
|
||||
|
||||
#define PROFILE_MEDIATES(P, T) ((P)->policy.start[(unsigned char) (T)])
|
||||
static inline unsigned int PROFILE_MEDIATES(struct aa_profile *profile,
|
||||
unsigned char class)
|
||||
{
|
||||
if (class <= AA_CLASS_LAST)
|
||||
return profile->policy.start[class];
|
||||
else
|
||||
return aa_dfa_match_len(profile->policy.dfa,
|
||||
profile->policy.start[0], &class, 1);
|
||||
}
|
||||
|
||||
static inline unsigned int PROFILE_MEDIATES_AF(struct aa_profile *profile,
|
||||
u16 AF) {
|
||||
unsigned int state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
|
||||
|
|
Loading…
Reference in New Issue