From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 62F383AC0CD; Thu, 12 Mar 2026 20:04:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1773345853; cv=none; b=agEQsj48gi3q9sRyfMoMTGzcEUoUdsI9cifeAsdGSq/YWngl8XZzK3VlfszTebOpFkW4c9VcZXFuJJ+HIc+RlA6i+16U96uLOVpAfIZ5+9Aa7Ly1qN/spAlqZMGLTrZ6M8Wh4aZ+KgoknR/0zdLFqhT6n/7zItN0BdQ4i3uEclo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1773345853; c=relaxed/simple; bh=NfuKDMD39XQRq33/f+KLeQdgxKJVHC3mS3v56TYaRuk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Q46ThJQ8BgaDkWe1s4ij3jmp0Ge4rcnGUSQOM791bL7j7EdEyNuN2wyajK++/3dxteI2SIv3zb0dxTZqUC4K5DICb684tyrR2ZaKNF5CzLsEJP653GMY7H1iixwEmVdRsHAdfOxuglj9dG+x5te7LTS2p2D+ofDY1m1xRaP+gJQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=Hjflp6fT; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="Hjflp6fT" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7EE54C4CEF7; Thu, 12 Mar 2026 20:04:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1773345853; bh=NfuKDMD39XQRq33/f+KLeQdgxKJVHC3mS3v56TYaRuk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Hjflp6fTCkfvYAv6uh2u/+g27CVnkoo0GablJRMH8BOGXHp5OncVbDj9emBgCr/Vc CKRWgLY4Z9OYm0AxAEtiYf0R2YiPaVOG3JgFQ6BXRVg1J1Mq/Tkfb5OJCmVgk94VIP wyOBrcX5yN3q+j9uFxBNovq0T/B+jr0H51GIig/s= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Qualys Security Advisory , Salvatore Bonaccorso , Georgia Garcia , Cengiz Can , John Johansen Subject: [PATCH 6.19 11/13] apparmor: fix differential encoding verification Date: Thu, 12 Mar 2026 21:03:43 +0100 Message-ID: <20260312200322.085947747@linuxfoundation.org> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260312200321.671986598@linuxfoundation.org> References: <20260312200321.671986598@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.19-stable review patch. If anyone has any objections, please let me know. ------------------ From: John Johansen commit 39440b137546a3aa383cfdabc605fb73811b6093 upstream. Differential encoding allows loops to be created if it is abused. To prevent this the unpack should verify that a diff-encode chain terminates. Unfortunately the differential encode verification had two bugs. 1. it conflated states that had gone through check and already been marked, with states that were currently being checked and marked. This means that loops in the current chain being verified are treated as a chain that has already been verified. 2. the order bailout on already checked states compared current chain check iterators j,k instead of using the outer loop iterator i. Meaning a step backwards in states in the current chain verification was being mistaken for moving to an already verified state. Move to a double mark scheme where already verified states get a different mark, than the current chain being kept. This enables us to also drop the backwards verification check that was the cause of the second error as any already verified state is already marked. Fixes: 031dcc8f4e84 ("apparmor: dfa add support for state differential encoding") Reported-by: Qualys Security Advisory Tested-by: Salvatore Bonaccorso Reviewed-by: Georgia Garcia Reviewed-by: Cengiz Can Signed-off-by: John Johansen Signed-off-by: Greg Kroah-Hartman --- security/apparmor/include/match.h | 1 + security/apparmor/match.c | 23 +++++++++++++++++++---- 2 files changed, 20 insertions(+), 4 deletions(-) --- a/security/apparmor/include/match.h +++ b/security/apparmor/include/match.h @@ -185,6 +185,7 @@ static inline void aa_put_dfa(struct aa_ #define MATCH_FLAG_DIFF_ENCODE 0x80000000 #define MARK_DIFF_ENCODE 0x40000000 #define MATCH_FLAG_OOB_TRANSITION 0x20000000 +#define MARK_DIFF_ENCODE_VERIFIED 0x10000000 #define MATCH_FLAGS_MASK 0xff000000 #define MATCH_FLAGS_VALID (MATCH_FLAG_DIFF_ENCODE | MATCH_FLAG_OOB_TRANSITION) #define MATCH_FLAGS_INVALID (MATCH_FLAGS_MASK & ~MATCH_FLAGS_VALID) --- a/security/apparmor/match.c +++ b/security/apparmor/match.c @@ -202,16 +202,31 @@ static int verify_dfa(struct aa_dfa *dfa size_t j, k; for (j = i; - (BASE_TABLE(dfa)[j] & MATCH_FLAG_DIFF_ENCODE) && - !(BASE_TABLE(dfa)[j] & MARK_DIFF_ENCODE); + ((BASE_TABLE(dfa)[j] & MATCH_FLAG_DIFF_ENCODE) && + !(BASE_TABLE(dfa)[j] & MARK_DIFF_ENCODE_VERIFIED)); j = k) { + if (BASE_TABLE(dfa)[j] & MARK_DIFF_ENCODE) + /* loop in current chain */ + goto out; k = DEFAULT_TABLE(dfa)[j]; if (j == k) + /* self loop */ goto out; - if (k < j) - break; /* already verified */ BASE_TABLE(dfa)[j] |= MARK_DIFF_ENCODE; } + /* move mark to verified */ + for (j = i; + (BASE_TABLE(dfa)[j] & MATCH_FLAG_DIFF_ENCODE); + j = k) { + k = DEFAULT_TABLE(dfa)[j]; + if (j < i) + /* jumps to state/chain that has been + * verified + */ + break; + BASE_TABLE(dfa)[j] &= ~MARK_DIFF_ENCODE; + BASE_TABLE(dfa)[j] |= MARK_DIFF_ENCODE_VERIFIED; + } } error = 0;