Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

apparmor: reserve and mask off the top 8 bits of the base field

The top 8 bits of the base field have never been used, in fact can't
be used, by the current 'dfa16' format.  However they will be used in the
future as flags, so mask them off when using base as an index value.

Note: the use of the top 8 bits, without masking is trapped by the verify
      checks that base entries are within the size bounds.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
John Johansen 12 years ago
parent
4da05cc08d
commit
ed686308c6
1 changed files with 9 additions and 7 deletions
Split View Show Diff Stats
  1. 9 7
      security/apparmor/match.c

+ 9 - 7
security/apparmor/match.c
View File 

@@ -23,6 +23,8 @@
 
 #include "include/apparmor.h"
 
 #include "include/match.h"
 
 
+#define base_idx(X) ((X) & 0xffffff)
 
+
 
 /**
 
  * unpack_table - unpack a dfa table (one of accept, default, base, next check)
 
  * @blob: data to unpack (NOT NULL)
 
@@ -137,7 +139,7 @@ static int verify_dfa(struct aa_dfa *dfa, int flags)
 
 		for (i = 0; i < state_count; i++) {
 
 			if (DEFAULT_TABLE(dfa)[i] >= state_count)
 
 				goto out;
 
-			if (BASE_TABLE(dfa)[i] + 255 >= trans_count) {
 
+			if (base_idx(BASE_TABLE(dfa)[i]) + 255 >= trans_count) {
 
 				printk(KERN_ERR "AppArmor DFA next/check upper "
 
 				       "bounds error\n");
 
 				goto out;
 
@@ -313,7 +315,7 @@ unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start,
 
 		u8 *equiv = EQUIV_TABLE(dfa);
 
 		/* default is direct to next state */
 
 		for (; len; len--) {
 
-			pos = base[state] + equiv[(u8) *str++];
 
+			pos = base_idx(base[state]) + equiv[(u8) *str++];
 
 			if (check[pos] == state)
 
 				state = next[pos];
 
 			else
 
@@ -322,7 +324,7 @@ unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start,
 
 	} else {
 
 		/* default is direct to next state */
 
 		for (; len; len--) {
 
-			pos = base[state] + (u8) *str++;
 
+			pos = base_idx(base[state]) + (u8) *str++;
 
 			if (check[pos] == state)
 
 				state = next[pos];
 
 			else
 
@@ -363,7 +365,7 @@ unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start,
 
 		u8 *equiv = EQUIV_TABLE(dfa);
 
 		/* default is direct to next state */
 
 		while (*str) {
 
-			pos = base[state] + equiv[(u8) *str++];
 
+			pos = base_idx(base[state]) + equiv[(u8) *str++];
 
 			if (check[pos] == state)
 
 				state = next[pos];
 
 			else
 
@@ -372,7 +374,7 @@ unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start,
 
 	} else {
 
 		/* default is direct to next state */
 
 		while (*str) {
 
-			pos = base[state] + (u8) *str++;
 
+			pos = base_idx(base[state]) + (u8) *str++;
 
 			if (check[pos] == state)
 
 				state = next[pos];
 
 			else
 
@@ -408,14 +410,14 @@ unsigned int aa_dfa_next(struct aa_dfa *dfa, unsigned int state,
 
 		u8 *equiv = EQUIV_TABLE(dfa);
 
 		/* default is direct to next state */
 
 
-		pos = base[state] + equiv[(u8) c];
 
+		pos = base_idx(base[state]) + equiv[(u8) c];
 
 		if (check[pos] == state)
 
 			state = next[pos];
 
 		else
 
 			state = def[state];
 
 	} else {
 
 		/* default is direct to next state */
 
-		pos = base[state] + (u8) c;
 
+		pos = base_idx(base[state]) + (u8) c;
 
 		if (check[pos] == state)
 
 			state = next[pos];
 
 		else