提交 ed686308 编写于 作者: J John Johansen

apparmor: reserve and mask off the top 8 bits of the base field

The top 8 bits of the base field have never been used, in fact can't
be used, by the current 'dfa16' format.  However they will be used in the
future as flags, so mask them off when using base as an index value.

Note: the use of the top 8 bits, without masking is trapped by the verify
      checks that base entries are within the size bounds.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
上级 4da05cc0
...@@ -23,6 +23,8 @@ ...@@ -23,6 +23,8 @@
#include "include/apparmor.h" #include "include/apparmor.h"
#include "include/match.h" #include "include/match.h"
#define base_idx(X) ((X) & 0xffffff)
/** /**
* unpack_table - unpack a dfa table (one of accept, default, base, next check) * unpack_table - unpack a dfa table (one of accept, default, base, next check)
* @blob: data to unpack (NOT NULL) * @blob: data to unpack (NOT NULL)
...@@ -137,7 +139,7 @@ static int verify_dfa(struct aa_dfa *dfa, int flags) ...@@ -137,7 +139,7 @@ static int verify_dfa(struct aa_dfa *dfa, int flags)
for (i = 0; i < state_count; i++) { for (i = 0; i < state_count; i++) {
if (DEFAULT_TABLE(dfa)[i] >= state_count) if (DEFAULT_TABLE(dfa)[i] >= state_count)
goto out; goto out;
if (BASE_TABLE(dfa)[i] + 255 >= trans_count) { if (base_idx(BASE_TABLE(dfa)[i]) + 255 >= trans_count) {
printk(KERN_ERR "AppArmor DFA next/check upper " printk(KERN_ERR "AppArmor DFA next/check upper "
"bounds error\n"); "bounds error\n");
goto out; goto out;
...@@ -313,7 +315,7 @@ unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start, ...@@ -313,7 +315,7 @@ unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start,
u8 *equiv = EQUIV_TABLE(dfa); u8 *equiv = EQUIV_TABLE(dfa);
/* default is direct to next state */ /* default is direct to next state */
for (; len; len--) { for (; len; len--) {
pos = base[state] + equiv[(u8) *str++]; pos = base_idx(base[state]) + equiv[(u8) *str++];
if (check[pos] == state) if (check[pos] == state)
state = next[pos]; state = next[pos];
else else
...@@ -322,7 +324,7 @@ unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start, ...@@ -322,7 +324,7 @@ unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start,
} else { } else {
/* default is direct to next state */ /* default is direct to next state */
for (; len; len--) { for (; len; len--) {
pos = base[state] + (u8) *str++; pos = base_idx(base[state]) + (u8) *str++;
if (check[pos] == state) if (check[pos] == state)
state = next[pos]; state = next[pos];
else else
...@@ -363,7 +365,7 @@ unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start, ...@@ -363,7 +365,7 @@ unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start,
u8 *equiv = EQUIV_TABLE(dfa); u8 *equiv = EQUIV_TABLE(dfa);
/* default is direct to next state */ /* default is direct to next state */
while (*str) { while (*str) {
pos = base[state] + equiv[(u8) *str++]; pos = base_idx(base[state]) + equiv[(u8) *str++];
if (check[pos] == state) if (check[pos] == state)
state = next[pos]; state = next[pos];
else else
...@@ -372,7 +374,7 @@ unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start, ...@@ -372,7 +374,7 @@ unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start,
} else { } else {
/* default is direct to next state */ /* default is direct to next state */
while (*str) { while (*str) {
pos = base[state] + (u8) *str++; pos = base_idx(base[state]) + (u8) *str++;
if (check[pos] == state) if (check[pos] == state)
state = next[pos]; state = next[pos];
else else
...@@ -408,14 +410,14 @@ unsigned int aa_dfa_next(struct aa_dfa *dfa, unsigned int state, ...@@ -408,14 +410,14 @@ unsigned int aa_dfa_next(struct aa_dfa *dfa, unsigned int state,
u8 *equiv = EQUIV_TABLE(dfa); u8 *equiv = EQUIV_TABLE(dfa);
/* default is direct to next state */ /* default is direct to next state */
pos = base[state] + equiv[(u8) c]; pos = base_idx(base[state]) + equiv[(u8) c];
if (check[pos] == state) if (check[pos] == state)
state = next[pos]; state = next[pos];
else else
state = def[state]; state = def[state];
} else { } else {
/* default is direct to next state */ /* default is direct to next state */
pos = base[state] + (u8) c; pos = base_idx(base[state]) + (u8) c;
if (check[pos] == state) if (check[pos] == state)
state = next[pos]; state = next[pos];
else else
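Review bot: In verify_dfa the bounds test now runs on `base_idx(BASE_TABLE(dfa)[i])`, so a base entry with any of the top 8 bits set is no longer rejected when the table is verified. The bits are simply dropped, there and at every `pos = base_idx(base[state]) + …` in aa_dfa_match_len, aa_dfa_match and aa_dfa_next. Until the flags have a defined meaning, a table that sets them would be accepted and matched as if they were absent, so verify_dfa should reject them explicitly ahead of the bounds check, e.g. `if (BASE_TABLE(dfa)[i] & ~0xffffff) goto out;` (assuming 32-bit base entries, as the commit message implies). A one-line comment on `base_idx` saying that the low 24 bits are the table index and the top 8 are reserved for flags would also keep the mask from reading as a magic number. All of the touched functions start and end outside the hunks shown.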