From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, John Johansen
Subject: [PATCH 5.1 025/121] apparmor: fix PROFILE_MEDIATES for untrusted input
Date: Mon, 24 Jun 2019 17:55:57 +0800
Message-Id: <20190624092321.992568736@linuxfoundation.org>
In-Reply-To: <20190624092320.652599624@linuxfoundation.org>
References: <20190624092320.652599624@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: John Johansen

commit 23375b13f98c5464c2b4d15f983cc062940f1f4e upstream.

While commit 11c236b89d7c2 ("apparmor: add a default null dfa") ensures every profile has a policy.dfa, it does not resize the policy.start[] to have entries for every possible start value, which means PROFILE_MEDIATES is not safe to use on untrusted input. Unfortunately commit b9590ad4c4f2 ("apparmor: remove POLICY_MEDIATES_SAFE") did not take into account the start value usage.

The input string in profile_query_cb() is user controlled and is not properly checked to be within the limited start[] entries; even worse, it can't be, as userspace policy is allowed to make use of entry types the kernel does not know about. This means userspace can currently cause the kernel to access memory up to 240 entries beyond the start array bounds.

Cc: stable@vger.kernel.org
Fixes: b9590ad4c4f2 ("apparmor: remove POLICY_MEDIATES_SAFE")
Signed-off-by: John Johansen
Signed-off-by: Greg Kroah-Hartman
---
 security/apparmor/include/policy.h | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -217,7 +217,16 @@ static inline struct aa_profile *aa_get_ return labels_profile(aa_get_newest_label(&p->label)); } -#define PROFILE_MEDIATES(P, T) ((P)->policy.start[(unsigned char) (T)]) +static inline unsigned int PROFILE_MEDIATES(struct aa_profile *profile, + unsigned char class) +{ + if (class <= AA_CLASS_LAST) + return profile->policy.start[class]; + else + return aa_dfa_match_len(profile->policy.dfa, + profile->policy.start[0], &class, 1); +} + static inline unsigned int PROFILE_MEDIATES_AF(struct aa_profile *profile, u16 AF) { unsigned int state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
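Review bot: the `if (class <= AA_CLASS_LAST)` guard is only sound if `policy.start[]` is sized to `AA_CLASS_LAST + 1` entries, and nothing in this hunk records that relationship; a short comment above `PROFILE_MEDIATES()` (or a `BUILD_BUG_ON()` against `ARRAY_SIZE(profile->policy.start)` where the array is declared) would keep the bound from silently drifting the next time a class is added. The fallback `aa_dfa_match_len(profile->policy.dfa, profile->policy.start[0], &class, 1)` also deserves a one-line comment stating that it computes the same state a cached `start[class]` entry would hold, since that equivalence is what lets the two branches be used interchangeably; and if `aa_dfa_match_len()` takes a `const char *`, an explicit `(const char *)&class` cast would make the one-byte-string intent obvious to the next reader. Minor: the all-caps macro name is kept on what is now a static inline function; callers are unchanged, so this is a style point only, but a lowercase name would follow kernel convention for functions.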
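The following is an added, stand-alone userspace model of the bug the commit message describes and of the bounded replacement; it is example code written for this page, not AppArmor's code or the author's. Everything prefixed `model_` is an assumption made for the example: a 16-entry start table (`MODEL_CLASS_LAST` of 15, which is what makes the worst-case overrun 255 - 15 = 240 entries, matching the commit message), a toy DFA with a single entry state, and a 256-entry arena standing in for the start table plus whatever memory follows it in the kernel, so the unchecked lookup can be exercised without undefined behaviour.

```c
/*
 * Added example (not AppArmor code): a userspace model of the
 * PROFILE_MEDIATES out-of-bounds read and of the bounded replacement.
 * All model_* names, sizes and the toy DFA are assumptions for this example.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MODEL_CLASS_LAST 15                 /* assumption: start[] caches classes 0..15 */
#define MODEL_NSTART     (MODEL_CLASS_LAST + 1)
#define MODEL_NSTATES    4
#define MODEL_ARENA      256                /* one slot per possible unsigned char index */
#define MODEL_STALE      0xBADu             /* marker written into the "beyond start[]" slots */

/* Toy DFA: next[state][byte]; state 0 is the dead state, meaning "not mediated". */
struct model_dfa {
    unsigned int next[MODEL_NSTATES][256];
};

/* Stand-in for aa_dfa_match_len(): feed len bytes into the DFA from state start. */
static unsigned int model_dfa_match_len(const struct model_dfa *dfa,
                                        unsigned int start,
                                        const unsigned char *str, size_t len)
{
    unsigned int state = start;
    for (size_t i = 0; i < len; i++)
        state = dfa->next[state][str[i]];
    return state;
}

/*
 * The start table lives at the front of a 256-entry arena. Only the first
 * MODEL_NSTART entries are the real start[] table; the remaining entries
 * model the memory that follows it, which an unchecked index can reach.
 */
struct model_policy {
    struct model_dfa dfa;
    unsigned int arena[MODEL_ARENA];
};

static void model_policy_init(struct model_policy *p)
{
    memset(p, 0, sizeof(*p));
    /* From the entry state 1, class byte 3 leads to state 2 and class byte 14 to state 3. */
    p->dfa.next[1][3] = 2;
    p->dfa.next[1][14] = 3;
    /* Build the cache the way a start table is meant to be built:
     * start[c] is the state reached by matching the single byte c from start[0]. */
    p->arena[0] = 1;                        /* start[0]: the DFA entry state */
    for (unsigned int c = 1; c < MODEL_NSTART; c++) {
        unsigned char b = (unsigned char)c;
        p->arena[c] = model_dfa_match_len(&p->dfa, p->arena[0], &b, 1);
    }
    for (size_t i = MODEL_NSTART; i < MODEL_ARENA; i++)
        p->arena[i] = MODEL_STALE;
}

/* Pre-fix shape: the macro indexed start[] with any unsigned char, no bound. */
static unsigned int model_mediates_unchecked(const struct model_policy *p,
                                             unsigned char class)
{
    return p->arena[class];
}

/* Post-fix shape: table hit for known classes, DFA walk for everything else. */
static unsigned int model_mediates_checked(const struct model_policy *p,
                                           unsigned char class)
{
    if (class <= MODEL_CLASS_LAST)
        return p->arena[class];
    return model_dfa_match_len(&p->dfa, p->arena[0], &class, 1);
}

/* Entries past the end of start[] that an unchecked lookup of class would read. */
static size_t model_overrun_entries(unsigned char class)
{
    return class <= MODEL_CLASS_LAST ? 0 : (size_t)class - MODEL_CLASS_LAST;
}

/* Query one class on a freshly built model policy, checked or unchecked. */
static unsigned int model_query(unsigned char class, int checked)
{
    struct model_policy p;
    model_policy_init(&p);
    return checked ? model_mediates_checked(&p, class)
                   : model_mediates_unchecked(&p, class);
}

int main(void)
{
    /* Class 3 is known and mediated; class 200 is one userspace may send that the table does not cover. */
    printf("class 3:   unchecked=%u checked=%u\n", model_query(3, 0), model_query(3, 1));
    printf("class 200: unchecked=%#x checked=%u, overrun=%zu entries\n",
           model_query(200, 0), model_query(200, 1), model_overrun_entries(200));
    printf("class 255: worst case reads %zu entries past start[]\n", model_overrun_entries(255));
    return 0;
}
```

For a class the table covers, both lookups agree because the cache was built from the same one-byte DFA walk the fallback performs; for a class beyond the table, the unchecked lookup returns whatever happened to follow `start[]` in memory (here the `MODEL_STALE` marker, in the kernel an arbitrary word that then becomes a DFA state), while the bounded version asks the DFA and gets the dead state.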