    apparmor: fix PROFILE_MEDIATES for untrusted input · 23375b13
    John Johansen authored
    While commit 11c236b8 ("apparmor: add a default null dfa") ensures
    every profile has a policy.dfa, it does not resize the policy.start[]
    to have entries for every possible start value. This means
    PROFILE_MEDIATES is not safe to use on untrusted input. Unfortunately
    commit b9590ad4 ("apparmor: remove POLICY_MEDIATES_SAFE") did not
    take into account the start value usage.
    
    The input string in profile_query_cb() is user controlled and is not
    properly checked to be within the limited start[] entries; even worse,
    it can't be, as userspace policy is allowed to make use of entry types
    the kernel does not know about. This means userspace can currently cause
    the kernel to access memory up to 240 entries beyond the start array
    bounds.
    
    Cc: stable@vger.kernel.org
    Fixes: b9590ad4 ("apparmor: remove POLICY_MEDIATES_SAFE")
    Signed-off-by: John Johansen <john.johansen@canonical.com>
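The bug the commit describes is an unchecked array index driven by a user-supplied class value. The following C model, added here as an illustration and not AppArmor's own code, shows the unchecked lookup beside a bounded one. Everything in it is an assumption made for the example: the `struct policydb`, `mediates_unsafe()`, `mediates_safe()`, `overrun_entries()`, `demo_policy()` and `query_mediated()` names, the 16-entry `start[]` table (chosen so that a class byte of 255 lands 240 entries past the last valid slot, the figure in the commit message), and the convention that the class byte is the first byte of the query buffer. The real AppArmor table size, macro and query format differ.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a policy start[] table with one entry per class
 * the kernel knows about. 16 entries is an assumption for this example
 * (the real AppArmor table differs); with a one-byte class value the
 * largest index, 255, sits 240 entries past the last valid slot. */
#define CLASS_LAST 15
#define NCLASSES   (CLASS_LAST + 1)

struct policydb {
	unsigned int start[NCLASSES];
};

/* Unsafe form: trusts the class value and indexes start[] directly.
 * Any class > CLASS_LAST reads past the end of the array. */
static unsigned int mediates_unsafe(const struct policydb *p, uint8_t cls)
{
	return p->start[cls];
}

/* Safe form: refuse classes this kernel has no start entry for. Policy
 * compiled by userspace may legitimately carry classes the kernel does
 * not know about, so the check fails closed ("not mediated") instead of
 * assuming the value is in range. */
static unsigned int mediates_safe(const struct policydb *p, uint8_t cls)
{
	if (cls > CLASS_LAST)
		return 0;
	return p->start[cls];
}

/* Number of entries past the end of start[] an unchecked lookup with this
 * class byte would touch (0 when the class is in range). */
static long overrun_entries(uint8_t cls)
{
	return cls > CLASS_LAST ? (long)cls - CLASS_LAST : 0;
}

/* Constructed policy for the example: only class 3 has a start state. */
static const struct policydb *demo_policy(void)
{
	static struct policydb p;
	static bool init;

	if (!init) {
		memset(&p, 0, sizeof(p));
		p.start[3] = 42;
		init = true;
	}
	return &p;
}

/* Model of a query handler: the class byte is taken from the first byte of
 * the user-supplied buffer (an assumption for this example, not the real
 * AppArmor query format). Returns the start state via the bounded lookup,
 * or -1 on an empty buffer. */
static int query_mediated(const struct policydb *p,
			  const unsigned char *query, size_t len)
{
	if (len < 1)
		return -1;
	return (int)mediates_safe(p, query[0]);
}

int main(void)
{
	const struct policydb *p = demo_policy();
	/* Constructed queries: an in-range class and the worst-case class byte. */
	const unsigned char ok[]  = { 3, 'x' };
	const unsigned char bad[] = { 255, 'x' };

	printf("class 3: start=%d (unchecked lookup agrees: %u)\n",
	       query_mediated(p, ok, sizeof(ok)), mediates_unsafe(p, 3));
	printf("class 255: start=%d, unchecked lookup would read %ld entries past start[]\n",
	       query_mediated(p, bad, sizeof(bad)), overrun_entries(255));
	return 0;
}
```

The unchecked variant is only ever called with an in-range class above; calling it with 255 is the out-of-bounds read the commit fixes, and in a kernel that read lands in whatever follows the table. The point of the bounded variant is that the check is on the kernel's side of the trust boundary: a class number coming from a compiled policy or a query string is attacker-controlled data and must be rejected, not assumed valid.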
policy.h 8.63 KB