On Wed, Feb 22, 2012 at 09:10:28AM -0800, John Johansen wrote: > If the xindex value stored in the accept tables is 0, the extraction of > that value will result in an underflow (0 - 4). > > In properly compiled policy this should not happen for file rules but > it may be possible for other rule types in the future. > > To exploit this underflow a user would have to be able to load a corrupt > policy, which requires CAP_MAC_ADMIN, overwrite system policy in kernel > memory or know of a compiler error resulting in the flaw being present > for loaded policy (no such flaw is known at this time). > > Signed-off-by: John Johansen <[email protected]> > --- > security/apparmor/include/file.h | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/security/apparmor/include/file.h > b/security/apparmor/include/file.h > index ab8c6d8..f98fd47 100644 > --- a/security/apparmor/include/file.h > +++ b/security/apparmor/include/file.h > @@ -117,7 +117,7 @@ static inline u16 dfa_map_xindex(u16 mask) > index |= AA_X_NAME; > } else if (old_index == 3) { > index |= AA_X_NAME | AA_X_CHILD; > - } else { > + } else if (old_index) { > index |= AA_X_TABLE; > index |= old_index - 4; > }
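Review bot: In the final branch of dfa_map_xindex(), `else if (old_index)` excludes only 0, so any other value below 4 that the preceding branches do not match still reaches `index |= old_index - 4` and wraps the same way the commit message describes for 0. The branches above `old_index == 3` are outside this hunk's context, so it is not visible here whether 1 and 2 are both handled. Testing `old_index >= 4` would make the guard independent of them. A short comment saying that an old_index of 0 deliberately leaves index without AA_X_TABLE would also help the next reader.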
What about the cases where old_index < 4, but != 0?

--
Kees Cook
