From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Qualys Security Advisory <qsa@qualys.com>,
Salvatore Bonaccorso <carnil@debian.org>,
Georgia Garcia <georgia.garcia@canonical.com>,
Cengiz Can <cengiz.can@canonical.com>,
Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>,
John Johansen <john.johansen@canonical.com>
Subject: [PATCH 6.19 07/13] apparmor: fix side-effect bug in match_char() macro usage
Date: Thu, 12 Mar 2026 21:03:39 +0100 [thread overview]
Message-ID: <20260312200321.942323555@linuxfoundation.org> (raw)
In-Reply-To: <20260312200321.671986598@linuxfoundation.org>
6.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
commit 8756b68edae37ff546c02091989a4ceab3f20abd upstream.
The match_char() macro evaluates its character parameter multiple
times when traversing differential encoding chains. When invoked
with *str++, the string pointer advances on each iteration of the
inner do-while loop, causing the DFA to check different characters
at each iteration and therefore skip input characters.
This results in out-of-bounds reads when the pointer advances past
the input buffer boundary.
[ 94.984676] ==================================================================
[ 94.985301] BUG: KASAN: slab-out-of-bounds in aa_dfa_match+0x5ae/0x760
[ 94.985655] Read of size 1 at addr ffff888100342000 by task file/976
[ 94.986319] CPU: 7 UID: 1000 PID: 976 Comm: file Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)
[ 94.986322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 94.986329] Call Trace:
[ 94.986341] <TASK>
[ 94.986347] dump_stack_lvl+0x5e/0x80
[ 94.986374] print_report+0xc8/0x270
[ 94.986384] ? aa_dfa_match+0x5ae/0x760
[ 94.986388] kasan_report+0x118/0x150
[ 94.986401] ? aa_dfa_match+0x5ae/0x760
[ 94.986405] aa_dfa_match+0x5ae/0x760
[ 94.986408] __aa_path_perm+0x131/0x400
[ 94.986418] aa_path_perm+0x219/0x2f0
[ 94.986424] apparmor_file_open+0x345/0x570
[ 94.986431] security_file_open+0x5c/0x140
[ 94.986442] do_dentry_open+0x2f6/0x1120
[ 94.986450] vfs_open+0x38/0x2b0
[ 94.986453] ? may_open+0x1e2/0x2b0
[ 94.986466] path_openat+0x231b/0x2b30
[ 94.986469] ? __x64_sys_openat+0xf8/0x130
[ 94.986477] do_file_open+0x19d/0x360
[ 94.986487] do_sys_openat2+0x98/0x100
[ 94.986491] __x64_sys_openat+0xf8/0x130
[ 94.986499] do_syscall_64+0x8e/0x660
[ 94.986515] ? count_memcg_events+0x15f/0x3c0
[ 94.986526] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986540] ? handle_mm_fault+0x1639/0x1ef0
[ 94.986551] ? vma_start_read+0xf0/0x320
[ 94.986558] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986561] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986563] ? fpregs_assert_state_consistent+0x50/0xe0
[ 94.986572] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986574] ? arch_exit_to_user_mode_prepare+0x9/0xb0
[ 94.986587] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986588] ? irqentry_exit+0x3c/0x590
[ 94.986595] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 94.986597] RIP: 0033:0x7fda4a79c3ea
Fix by extracting the character value before invoking match_char,
ensuring single evaluation per outer loop.
Fixes: 074c1cd798cb ("apparmor: dfa move character match into a macro")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/apparmor/match.c | 30 ++++++++++++++++++++----------
1 file changed, 20 insertions(+), 10 deletions(-)
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -463,13 +463,18 @@ aa_state_t aa_dfa_match_len(struct aa_df
if (dfa->tables[YYTD_ID_EC]) {
/* Equivalence class table defined */
u8 *equiv = EQUIV_TABLE(dfa);
- for (; len; len--)
- match_char(state, def, base, next, check,
- equiv[(u8) *str++]);
+ for (; len; len--) {
+ u8 c = equiv[(u8) *str];
+
+ match_char(state, def, base, next, check, c);
+ str++;
+ }
} else {
/* default is direct to next state */
- for (; len; len--)
- match_char(state, def, base, next, check, (u8) *str++);
+ for (; len; len--) {
+ match_char(state, def, base, next, check, (u8) *str);
+ str++;
+ }
}
return state;
@@ -503,13 +508,18 @@ aa_state_t aa_dfa_match(struct aa_dfa *d
/* Equivalence class table defined */
u8 *equiv = EQUIV_TABLE(dfa);
/* default is direct to next state */
- while (*str)
- match_char(state, def, base, next, check,
- equiv[(u8) *str++]);
+ while (*str) {
+ u8 c = equiv[(u8) *str];
+
+ match_char(state, def, base, next, check, c);
+ str++;
+ }
} else {
/* default is direct to next state */
- while (*str)
- match_char(state, def, base, next, check, (u8) *str++);
+ while (*str) {
+ match_char(state, def, base, next, check, (u8) *str);
+ str++;
+ }
}
return state;
next prev parent reply other threads:[~2026-03-12 20:04 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-12 20:03 [PATCH 6.19 00/13] 6.19.8-rc1 review Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.19 01/13] net/sched: act_gate: snapshot parameters with RCU on replace Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.19 02/13] net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.19 03/13] apparmor: validate DFA start states are in bounds in unpack_pdb Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.19 04/13] apparmor: fix memory leak in verify_header Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.19 05/13] apparmor: replace recursive profile removal with iterative approach Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.19 06/13] apparmor: fix: limit the number of levels of policy namespaces Greg Kroah-Hartman
2026-03-12 20:03 ` Greg Kroah-Hartman [this message]
2026-03-12 20:03 ` [PATCH 6.19 08/13] apparmor: fix missing bounds check on DEFAULT table in verify_dfa() Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.19 09/13] apparmor: Fix double free of ns_name in aa_replace_profiles() Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.19 10/13] apparmor: fix unprivileged local user can do privileged policy management Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.19 11/13] apparmor: fix differential encoding verification Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.19 12/13] apparmor: fix race on rawdata dereference Greg Kroah-Hartman
2026-03-12 20:03 ` [PATCH 6.19 13/13] apparmor: fix race between freeing data and fs accessing it Greg Kroah-Hartman
2026-03-12 20:41 ` [PATCH 6.19 00/13] 6.19.8-rc1 review Brett A C Sheffield
2026-03-13 2:45 ` Shuah Khan
2026-03-13 4:04 ` Ronald Warsow
2026-03-13 5:19 ` Ron Economos
2026-03-13 12:36 ` Mark Brown
2026-03-13 14:11 ` Takeshi Ogasawara
2026-03-13 16:18 ` Jon Hunter
2026-03-13 18:33 ` Florian Fainelli
2026-03-13 21:19 ` Miguel Ojeda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260312200321.942323555@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=carnil@debian.org \
--cc=cengiz.can@canonical.com \
--cc=georgia.garcia@canonical.com \
--cc=john.johansen@canonical.com \
--cc=massimiliano.pellizzer@canonical.com \
--cc=patches@lists.linux.dev \
--cc=qsa@qualys.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.