apparmor: validate DFA start states are in bounds in unpack_pdb - kernel

diff options

author	Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>	2026-01-15 15:30:50 +0100
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2026-03-13 17:20:47 +0100
commit	15c3eb8916e7db01cb246d04a1fe6f0fdc065b0c (patch)
tree	bec82cc906d9cba6f41b45880466f627e27b801a /.mailmap
parent	524ce8b4ea8f64900b6c52b6a28df74f6bc0801e (diff)

apparmor: validate DFA start states are in bounds in unpack_pdb

commit 9063d7e2615f4a7ab321de6b520e23d370e58816 upstream. Start states are read from untrusted data and used as indexes into the DFA state tables. The aa_dfa_next() function call in unpack_pdb() will access dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds the number of states in the DFA, this results in an out-of-bound read. ================================================================== BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360 Read of size 4 at addr ffff88811956fb90 by task su/1097 ... Reject policies with out-of-bounds start states during unpacking to prevent the issue. Fixes: ad5ff3db53c6 ("AppArmor: Add ability to load extended policy") Reported-by: Qualys Security Advisory <qsa@qualys.com> Tested-by: Salvatore Bonaccorso <carnil@debian.org> Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Reviewed-by: Cengiz Can <cengiz.can@canonical.com> Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to '.mailmap')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: