[apparmor] [PATCH 03/16] AppArmor: Fix underflow in xindex calculation

John Johansen john.johansen at canonical.com
Wed Feb 22 20:44:54 UTC 2012


On 02/22/2012 12:27 PM, Kees Cook wrote:
> On Wed, Feb 22, 2012 at 09:10:28AM -0800, John Johansen wrote:
>> If the xindex value stored in the accept tables is 0, the extraction of
>> that value will result in an underflow (0 - 4).
>>
>> In properly compiled policy this should not happen for file rules but
>> it may be possible for other rule types in the future.
>>
>> To exploit this underflow a user would have to be able to load a corrupt
>> policy, which requires CAP_MAC_ADMIN, overwrite system policy in kernel
>> memory or know of a compiler error resulting in the flaw being present
>> for loaded policy (no such flaw is known at this time).
>>
>> Signed-off-by: John Johansen <john.johansen at canonical.com>
>> ---
>>  security/apparmor/include/file.h |    2 +-
>>  1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h
>> index ab8c6d8..f98fd47 100644
>> --- a/security/apparmor/include/file.h
>> +++ b/security/apparmor/include/file.h
>> @@ -117,7 +117,7 @@ static inline u16 dfa_map_xindex(u16 mask)
>>  		index |= AA_X_NAME;
>>  	} else if (old_index == 3) {
>>  		index |= AA_X_NAME | AA_X_CHILD;
>> -	} else {
>> +	} else if (old_index) {
>>  		index |= AA_X_TABLE;
>>  		index |= old_index - 4;
>>  	}
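Review bot: The new `else if (old_index)` guard stops `old_index - 4` wrapping for the 0 case, but 0 now falls through silently and returns an index with no `AA_X_*` type bit set; since the description says properly compiled policy never produces 0 for file rules, a one-line comment on this branch saying that 0 means "no transition/table index" would document the intent, and rejecting such entries when the policy is unpacked and verified (rather than only masking them here at lookup time) would make corrupt or mis-compiled policy fail loudly instead of being accepted.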
> 
> What about the cases where old_index < 4, but != 0?
> 
Look above: cases 1, 2, and 3 are covered by the if blocks,
e.g.

} else if (old_index == 3) {
	index |= AA_X_NAME | AA_X_CHILD;
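To make the underflow described in the patch concrete, here is an added stand-alone model of the old_index dispatch shown in the hunk, with the pre-patch and post-patch forms side by side. This is example code written for this thread, not the AppArmor kernel source: the AA_X_* bit values, the AA_X_INDEX_MASK, and the mappings for cases 1 and 2 (which are not visible in the hunk) are constructed assumptions, and the xindex_in_table check is an illustrative load-time sanity check, not something the patch adds.

```c
/* Added example, not the AppArmor kernel code: models the old_index
 * dispatch from the hunk before and after the patch so the 0 case can be
 * compared. Flag values and the case 1/2 mappings are constructed. */
#include <stdint.h>
#include <stdio.h>

typedef uint16_t u16;

#define AA_X_NAME        0x0400  /* constructed value for this example */
#define AA_X_TABLE       0x0800  /* constructed value for this example */
#define AA_X_CHILD       0x2000  /* constructed value for this example */
#define AA_X_INDEX_MASK  0x03ff  /* constructed: low 10 bits hold the table offset */

/* Pre-patch: the final else also runs for old_index == 0, so
 * old_index - 4 is computed as the int -4 and truncated into the u16,
 * setting every bit except the lowest two. */
static u16 map_xindex_before(u16 old_index)
{
	u16 index = 0;

	if (old_index == 1) {
		index |= AA_X_NAME;                 /* assumed mapping */
	} else if (old_index == 2) {
		index |= AA_X_NAME | AA_X_CHILD;    /* assumed mapping */
	} else if (old_index == 3) {
		index |= AA_X_NAME | AA_X_CHILD;    /* as in the hunk */
	} else {
		index |= AA_X_TABLE;
		index |= old_index - 4;             /* wraps when old_index == 0 */
	}
	return index;
}

/* Post-patch: old_index == 0 skips the table branch and the function
 * returns an index with no type bits set. */
static u16 map_xindex_after(u16 old_index)
{
	u16 index = 0;

	if (old_index == 1) {
		index |= AA_X_NAME;                 /* assumed mapping */
	} else if (old_index == 2) {
		index |= AA_X_NAME | AA_X_CHILD;    /* assumed mapping */
	} else if (old_index == 3) {
		index |= AA_X_NAME | AA_X_CHILD;    /* as in the hunk */
	} else if (old_index) {
		index |= AA_X_TABLE;
		index |= old_index - 4;             /* old_index >= 4 here */
	}
	return index;
}

/* Illustrative defender-side check (not part of the patch): a
 * table-typed index whose offset is outside the table is corrupt and
 * should be rejected when policy is loaded, not resolved at lookup. */
static int xindex_in_table(u16 index, u16 table_size)
{
	if (!(index & AA_X_TABLE))
		return 0;
	return (index & AA_X_INDEX_MASK) < table_size;
}

int main(void)
{
	u16 before = map_xindex_before(0);
	u16 after = map_xindex_after(0);

	printf("old_index 0: before=0x%04x after=0x%04x\n", before, after);
	printf("pre-patch result valid for an 8-entry table? %d\n",
	       xindex_in_table(before, 8));
	printf("old_index 5 after patch: 0x%04x, valid for 8 entries? %d\n",
	       map_xindex_after(5), xindex_in_table(map_xindex_after(5), 8));
	return 0;
}
```

Running it shows the pre-patch mapping turning an old_index of 0 into 0xfffc, i.e. AA_X_TABLE plus every other flag bit and a table offset of 1020, while the post-patch mapping returns 0; the table-bounds check flags the wrapped value as out of range, which is the kind of validation a policy unpacker can apply before the index is ever used.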
