diff options
Diffstat (limited to 'pkgs/os-specific/linux/kernel/apparmor-patches/3.2/0003-AppArmor-Allow-dfa-backward-compatibility-with-broke.patch')
| -rw-r--r-- | pkgs/os-specific/linux/kernel/apparmor-patches/3.2/0003-AppArmor-Allow-dfa-backward-compatibility-with-broke.patch | 69 |
1 files changed, 0 insertions, 69 deletions
diff --git a/pkgs/os-specific/linux/kernel/apparmor-patches/3.2/0003-AppArmor-Allow-dfa-backward-compatibility-with-broke.patch b/pkgs/os-specific/linux/kernel/apparmor-patches/3.2/0003-AppArmor-Allow-dfa-backward-compatibility-with-broke.patch deleted file mode 100644 index 7dd55781fdaa..000000000000 --- a/pkgs/os-specific/linux/kernel/apparmor-patches/3.2/0003-AppArmor-Allow-dfa-backward-compatibility-with-broke.patch +++ /dev/null @@ -1,69 +0,0 @@ -From e5d90918aa31f948ecec2f3c088567dbab30c90b Mon Sep 17 00:00:00 2001 -From: John Johansen <john.johansen@canonical.com> -Date: Wed, 10 Aug 2011 22:02:41 -0700 -Subject: [PATCH 3/3] AppArmor: Allow dfa backward compatibility with broken - userspace - -The apparmor_parser when compiling policy could generate invalid dfas -that did not have sufficient padding to avoid invalid references, when -used by the kernel. The kernels check to verify the next/check table -size was broken meaning invalid dfas were being created by userspace -and not caught. - -To remain compatible with old tools that are not fixed, pad the loaded -dfas next/check table. The dfa's themselves are valid except for the -high padding for potentially invalid transitions (high bounds error), -which have a maximimum is 256 entries. So just allocate an extra null filled -256 entries for the next/check tables. This will guarentee all bounds -are good and invalid transitions go to the null (0) state. - -Signed-off-by: John Johansen <john.johansen@canonical.com> ---- - security/apparmor/match.c | 17 +++++++++++++++++ - 1 file changed, 17 insertions(+) - -diff --git a/security/apparmor/match.c b/security/apparmor/match.c -index 94de6b4..081491e 100644 ---- a/security/apparmor/match.c -+++ b/security/apparmor/match.c -@@ -57,8 +57,17 @@ static struct table_header *unpack_table(char *blob, size_t bsize) - if (bsize < tsize) - goto out; - -+ /* Pad table allocation for next/check by 256 entries to remain -+ * backwards compatible with old (buggy) tools and remain safe without -+ * run time checks -+ */ -+ if (th.td_id == YYTD_ID_NXT || th.td_id == YYTD_ID_CHK) -+ tsize += 256 * th.td_flags; -+ - table = kvmalloc(tsize); - if (table) { -+ /* ensure the pad is clear, else there will be errors */ -+ memset(table, 0, tsize); - *table = th; - if (th.td_flags == YYTD_DATA8) - UNPACK_ARRAY(table->td_data, blob, th.td_lolen, -@@ -134,11 +143,19 @@ static int verify_dfa(struct aa_dfa *dfa, int flags) - goto out; - - if (flags & DFA_FLAG_VERIFY_STATES) { -+ int warning = 0; - for (i = 0; i < state_count; i++) { - if (DEFAULT_TABLE(dfa)[i] >= state_count) - goto out; - /* TODO: do check that DEF state recursion terminates */ - if (BASE_TABLE(dfa)[i] + 255 >= trans_count) { -+ if (warning) -+ continue; -+ printk(KERN_WARNING "AppArmor DFA next/check " -+ "upper bounds error fixed, upgrade " -+ "user space tools \n"); -+ warning = 1; -+ } else if (BASE_TABLE(dfa)[i] >= trans_count) { - printk(KERN_ERR "AppArmor DFA next/check upper " - "bounds error\n"); - goto out; --- -1.7.9.5 - |