From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Qualys Security Advisory <qsa@qualys.com>,
Salvatore Bonaccorso <carnil@debian.org>,
Georgia Garcia <georgia.garcia@canonical.com>,
Cengiz Can <cengiz.can@canonical.com>,
Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>,
John Johansen <john.johansen@canonical.com>
Subject: [PATCH 6.1 12/55] apparmor: validate DFA start states are in bounds in unpack_pdb
Date: Mon, 13 Apr 2026 18:00:46 +0200 [thread overview]
Message-ID: <20260413155725.287455051@linuxfoundation.org> (raw)
In-Reply-To: <20260413155724.820472494@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
commit 9063d7e2615f4a7ab321de6b520e23d370e58816 upstream.
Backport for conflicts caused by
ad596ea74e74 ("apparmor: group dfa policydb unpacking") which rearrange
and consolidated the unpack.
Start states are read from untrusted data and used as indexes into the
DFA state tables. The aa_dfa_next() function call in unpack_pdb() will
access dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds
the number of states in the DFA, this results in an out-of-bound read.
==================================================================
BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360
Read of size 4 at addr ffff88811956fb90 by task su/1097
...
Reject policies with out-of-bounds start states during unpacking
to prevent the issue.
Fixes: ad5ff3db53c6 ("AppArmor: Add ability to load extended policy")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/apparmor/policy_unpack.c | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -824,9 +824,18 @@ static struct aa_profile *unpack_profile
error = -EPROTO;
goto fail;
}
- if (!aa_unpack_u32(e, &profile->policy.start[0], "start"))
+ if (!aa_unpack_u32(e, &profile->policy.start[0], "start")) {
/* default start state */
profile->policy.start[0] = DFA_START;
+ } else {
+ size_t state_count = profile->policy.dfa->tables[YYTD_ID_BASE]->td_lolen;
+
+ if (profile->policy.start[0] >= state_count) {
+ info = "invalid dfa start state";
+ goto fail;
+ }
+ }
+
/* setup class index */
for (i = AA_CLASS_FILE; i <= AA_CLASS_LAST; i++) {
profile->policy.start[i] =
@@ -847,9 +856,17 @@ static struct aa_profile *unpack_profile
info = "failed to unpack profile file rules";
goto fail;
} else if (profile->file.dfa) {
- if (!aa_unpack_u32(e, &profile->file.start, "dfa_start"))
+ if (!aa_unpack_u32(e, &profile->file.start, "dfa_start")) {
/* default start state */
profile->file.start = DFA_START;
+ } else {
+ size_t state_count = profile->file.dfa->tables[YYTD_ID_BASE]->td_lolen;
+
+ if (profile->file.start >= state_count) {
+ info = "invalid dfa start state";
+ goto fail;
+ }
+ }
} else if (profile->policy.dfa &&
profile->policy.start[AA_CLASS_FILE]) {
profile->file.dfa = aa_get_dfa(profile->policy.dfa);
next prev parent reply other threads:[~2026-04-13 16:16 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-13 16:00 [PATCH 6.1 00/55] 6.1.169-rc1 review Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 01/55] lib/crypto: chacha: Zeroize permuted_state before it leaves scope Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 02/55] wifi: rt2x00usb: fix devres lifetime Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 03/55] xfrm_user: fix info leak in build_report() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 04/55] mptcp: fix slab-use-after-free in __inet_lookup_established Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 05/55] Input: uinput - fix circular locking dependency with ff-core Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 06/55] Input: uinput - take event lock when submitting FF request "event" Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 07/55] MIPS: Always record SEGBITS in cpu_data.vmbits Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 08/55] MIPS: mm: Suppress TLB uniquification on EHINV hardware Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 09/55] MIPS: mm: Rewrite TLB uniquification for the hidden bit feature Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 10/55] media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 11/55] media: uvcvideo: Use heuristic to find stream entity Greg Kroah-Hartman
2026-04-13 16:00 ` Greg Kroah-Hartman [this message]
2026-04-13 16:00 ` [PATCH 6.1 13/55] apparmor: fix memory leak in verify_header Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 14/55] apparmor: replace recursive profile removal with iterative approach Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 15/55] apparmor: fix: limit the number of levels of policy namespaces Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 16/55] apparmor: fix side-effect bug in match_char() macro usage Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 17/55] apparmor: fix missing bounds check on DEFAULT table in verify_dfa() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 18/55] apparmor: Fix double free of ns_name in aa_replace_profiles() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 19/55] apparmor: fix unprivileged local user can do privileged policy management Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 20/55] apparmor: fix differential encoding verification Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 21/55] apparmor: fix race on rawdata dereference Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 22/55] apparmor: fix race between freeing data and fs accessing it Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 23/55] usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 24/55] Revert "ACPI: EC: Evaluate orphan _REG under EC device" Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 25/55] ACPICA: Add a depth argument to acpi_execute_reg_methods() Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 26/55] ACPI: EC: Evaluate _REG outside the EC scope more carefully Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 27/55] usb: gadget: f_hid: move list and spinlock inits from bind to alloc Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 28/55] rfkill: Use sysfs_emit() to instead of sprintf() Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 29/55] rfkill: sync before userspace visibility/changes Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 30/55] net: rfkill: reduce data->mtx scope in rfkill_fop_open Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 31/55] net: rfkill: prevent unlimited numbers of rfkill events from being created Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 32/55] seg6: separate dst_cache for input and output paths in seg6 lwtunnel Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 33/55] Revert "mptcp: add needs_id for netlink appending addr" Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 34/55] drm/scheduler: signal scheduled fence when kill job Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 35/55] netfilter: nft_set_pipapo: do not rely on ZERO_SIZE_PTR Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 36/55] netfilter: nft_ct: fix use-after-free in timeout object destroy Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 37/55] xfrm: clear trailing padding in build_polexpire() Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 38/55] tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 39/55] wifi: brcmsmac: Fix dma_free_coherent() size Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 40/55] arm64: dts: hisilicon: poplar: Correct PCIe reset GPIO polarity Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 41/55] arm64: dts: hisilicon: hi3798cv200: Add missing dma-ranges Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 42/55] nfc: pn533: allocate rx skb before consuming bytes Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 43/55] batman-adv: reject oversized global TT response buffers Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 44/55] EDAC/mc: Fix error path ordering in edac_mc_alloc() Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 45/55] net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 46/55] net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit() Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 47/55] batman-adv: hold claim backbone gateways by reference Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 48/55] drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 49/55] net/mlx5: Update the list of the PCI supported devices Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 50/55] mmc: vub300: fix NULL-deref on disconnect Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 51/55] net: qualcomm: qca_uart: report the consumed byte on RX skb allocation failure Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 52/55] net: stmmac: fix integer underflow in chain mode Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 53/55] rxrpc: fix reference count leak in rxrpc_server_keyring() Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 54/55] rxrpc: Fix key/keyring checks in setsockopt(RXRPC_SECURITY_KEY/KEYRING) Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 55/55] Revert "PCI: Enable ACS after configuring IOMMU for OF platforms" Greg Kroah-Hartman
2026-04-13 17:38 ` [PATCH 6.1 00/55] 6.1.169-rc1 review Brett A C Sheffield
2026-04-13 18:51 ` Florian Fainelli
2026-04-14 7:53 ` Jon Hunter
2026-04-14 8:13 ` Pavel Machek
2026-04-14 8:20 ` Pavel Machek
2026-04-14 9:06 ` Peter Schneider
2026-04-14 11:49 ` Ron Economos
2026-04-14 12:30 ` Francesco Dolcini
2026-04-14 17:44 ` Shuah Khan
2026-04-14 17:44 ` Miguel Ojeda
2026-04-14 18:18 ` Mark Brown
2026-04-16 22:09 ` Barry K. Nathan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260413155725.287455051@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=carnil@debian.org \
--cc=cengiz.can@canonical.com \
--cc=georgia.garcia@canonical.com \
--cc=john.johansen@canonical.com \
--cc=massimiliano.pellizzer@canonical.com \
--cc=patches@lists.linux.dev \
--cc=qsa@qualys.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox