From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Qualys Security Advisory <qsa@qualys.com>,
Salvatore Bonaccorso <carnil@debian.org>,
Georgia Garcia <georgia.garcia@canonical.com>,
Cengiz Can <cengiz.can@canonical.com>,
John Johansen <john.johansen@canonical.com>
Subject: [PATCH 6.1 20/55] apparmor: fix differential encoding verification
Date: Mon, 13 Apr 2026 18:00:54 +0200 [thread overview]
Message-ID: <20260413155725.582790269@linuxfoundation.org> (raw)
In-Reply-To: <20260413155724.820472494@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Johansen <john.johansen@canonical.com>
commit 39440b137546a3aa383cfdabc605fb73811b6093 upstream.
Differential encoding allows loops to be created if it is abused. To
prevent this the unpack should verify that a diff-encode chain
terminates.
Unfortunately the differential encode verification had two bugs.
1. it conflated states that had gone through check and already been
marked, with states that were currently being checked and marked.
This means that loops in the current chain being verified are treated
as a chain that has already been verified.
2. the order bailout on already checked states compared current chain
check iterators j,k instead of using the outer loop iterator i.
Meaning a step backwards in states in the current chain verification
was being mistaken for moving to an already verified state.
Move to a double mark scheme where already verified states get a
different mark, than the current chain being kept. This enables us
to also drop the backwards verification check that was the cause of
the second error as any already verified state is already marked.
Fixes: 031dcc8f4e84 ("apparmor: dfa add support for state differential encoding")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/apparmor/include/match.h | 1 +
security/apparmor/match.c | 23 +++++++++++++++++++----
2 files changed, 20 insertions(+), 4 deletions(-)
--- a/security/apparmor/include/match.h
+++ b/security/apparmor/include/match.h
@@ -190,6 +190,7 @@ static inline void aa_put_dfa(struct aa_
#define MATCH_FLAG_DIFF_ENCODE 0x80000000
#define MARK_DIFF_ENCODE 0x40000000
#define MATCH_FLAG_OOB_TRANSITION 0x20000000
+#define MARK_DIFF_ENCODE_VERIFIED 0x10000000
#define MATCH_FLAGS_MASK 0xff000000
#define MATCH_FLAGS_VALID (MATCH_FLAG_DIFF_ENCODE | MATCH_FLAG_OOB_TRANSITION)
#define MATCH_FLAGS_INVALID (MATCH_FLAGS_MASK & ~MATCH_FLAGS_VALID)
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -246,16 +246,31 @@ static int verify_dfa(struct aa_dfa *dfa
size_t j, k;
for (j = i;
- (BASE_TABLE(dfa)[j] & MATCH_FLAG_DIFF_ENCODE) &&
- !(BASE_TABLE(dfa)[j] & MARK_DIFF_ENCODE);
+ ((BASE_TABLE(dfa)[j] & MATCH_FLAG_DIFF_ENCODE) &&
+ !(BASE_TABLE(dfa)[j] & MARK_DIFF_ENCODE_VERIFIED));
j = k) {
+ if (BASE_TABLE(dfa)[j] & MARK_DIFF_ENCODE)
+ /* loop in current chain */
+ goto out;
k = DEFAULT_TABLE(dfa)[j];
if (j == k)
+ /* self loop */
goto out;
- if (k < j)
- break; /* already verified */
BASE_TABLE(dfa)[j] |= MARK_DIFF_ENCODE;
}
+ /* move mark to verified */
+ for (j = i;
+ (BASE_TABLE(dfa)[j] & MATCH_FLAG_DIFF_ENCODE);
+ j = k) {
+ k = DEFAULT_TABLE(dfa)[j];
+ if (j < i)
+ /* jumps to state/chain that has been
+ * verified
+ */
+ break;
+ BASE_TABLE(dfa)[j] &= ~MARK_DIFF_ENCODE;
+ BASE_TABLE(dfa)[j] |= MARK_DIFF_ENCODE_VERIFIED;
+ }
}
error = 0;
next prev parent reply other threads:[~2026-04-13 16:17 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-13 16:00 [PATCH 6.1 00/55] 6.1.169-rc1 review Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 01/55] lib/crypto: chacha: Zeroize permuted_state before it leaves scope Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 02/55] wifi: rt2x00usb: fix devres lifetime Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 03/55] xfrm_user: fix info leak in build_report() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 04/55] mptcp: fix slab-use-after-free in __inet_lookup_established Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 05/55] Input: uinput - fix circular locking dependency with ff-core Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 06/55] Input: uinput - take event lock when submitting FF request "event" Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 07/55] MIPS: Always record SEGBITS in cpu_data.vmbits Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 08/55] MIPS: mm: Suppress TLB uniquification on EHINV hardware Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 09/55] MIPS: mm: Rewrite TLB uniquification for the hidden bit feature Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 10/55] media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 11/55] media: uvcvideo: Use heuristic to find stream entity Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 12/55] apparmor: validate DFA start states are in bounds in unpack_pdb Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 13/55] apparmor: fix memory leak in verify_header Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 14/55] apparmor: replace recursive profile removal with iterative approach Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 15/55] apparmor: fix: limit the number of levels of policy namespaces Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 16/55] apparmor: fix side-effect bug in match_char() macro usage Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 17/55] apparmor: fix missing bounds check on DEFAULT table in verify_dfa() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 18/55] apparmor: Fix double free of ns_name in aa_replace_profiles() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 19/55] apparmor: fix unprivileged local user can do privileged policy management Greg Kroah-Hartman
2026-04-13 16:00 ` Greg Kroah-Hartman [this message]
2026-04-13 16:00 ` [PATCH 6.1 21/55] apparmor: fix race on rawdata dereference Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 22/55] apparmor: fix race between freeing data and fs accessing it Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 23/55] usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 24/55] Revert "ACPI: EC: Evaluate orphan _REG under EC device" Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 25/55] ACPICA: Add a depth argument to acpi_execute_reg_methods() Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 26/55] ACPI: EC: Evaluate _REG outside the EC scope more carefully Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 27/55] usb: gadget: f_hid: move list and spinlock inits from bind to alloc Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 28/55] rfkill: Use sysfs_emit() to instead of sprintf() Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 29/55] rfkill: sync before userspace visibility/changes Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 30/55] net: rfkill: reduce data->mtx scope in rfkill_fop_open Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 31/55] net: rfkill: prevent unlimited numbers of rfkill events from being created Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 32/55] seg6: separate dst_cache for input and output paths in seg6 lwtunnel Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 33/55] Revert "mptcp: add needs_id for netlink appending addr" Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 34/55] drm/scheduler: signal scheduled fence when kill job Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 35/55] netfilter: nft_set_pipapo: do not rely on ZERO_SIZE_PTR Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 36/55] netfilter: nft_ct: fix use-after-free in timeout object destroy Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 37/55] xfrm: clear trailing padding in build_polexpire() Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 38/55] tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 39/55] wifi: brcmsmac: Fix dma_free_coherent() size Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 40/55] arm64: dts: hisilicon: poplar: Correct PCIe reset GPIO polarity Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 41/55] arm64: dts: hisilicon: hi3798cv200: Add missing dma-ranges Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 42/55] nfc: pn533: allocate rx skb before consuming bytes Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 43/55] batman-adv: reject oversized global TT response buffers Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 44/55] EDAC/mc: Fix error path ordering in edac_mc_alloc() Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 45/55] net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 46/55] net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit() Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 47/55] batman-adv: hold claim backbone gateways by reference Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 48/55] drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 49/55] net/mlx5: Update the list of the PCI supported devices Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 50/55] mmc: vub300: fix NULL-deref on disconnect Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 51/55] net: qualcomm: qca_uart: report the consumed byte on RX skb allocation failure Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 52/55] net: stmmac: fix integer underflow in chain mode Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 53/55] rxrpc: fix reference count leak in rxrpc_server_keyring() Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 54/55] rxrpc: Fix key/keyring checks in setsockopt(RXRPC_SECURITY_KEY/KEYRING) Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 55/55] Revert "PCI: Enable ACS after configuring IOMMU for OF platforms" Greg Kroah-Hartman
2026-04-13 17:38 ` [PATCH 6.1 00/55] 6.1.169-rc1 review Brett A C Sheffield
2026-04-13 18:51 ` Florian Fainelli
2026-04-14 7:53 ` Jon Hunter
2026-04-14 8:13 ` Pavel Machek
2026-04-14 8:20 ` Pavel Machek
2026-04-14 9:06 ` Peter Schneider
2026-04-14 11:49 ` Ron Economos
2026-04-14 12:30 ` Francesco Dolcini
2026-04-14 17:44 ` Shuah Khan
2026-04-14 17:44 ` Miguel Ojeda
2026-04-14 18:18 ` Mark Brown
2026-04-16 22:09 ` Barry K. Nathan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260413155725.582790269@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=carnil@debian.org \
--cc=cengiz.can@canonical.com \
--cc=georgia.garcia@canonical.com \
--cc=john.johansen@canonical.com \
--cc=patches@lists.linux.dev \
--cc=qsa@qualys.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox