From: John Johansen <john.johansen@canonical.com>
Date: Sat, 31 Aug 2019 22:55:45 +0000 (-0700)
Subject: apparmor: add consistency check between state and dfa diff encode flags
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=dae6029325a4744e639eb048c13f53c24320aeda;p=linux.git

apparmor: add consistency check between state and dfa diff encode flags

Check that a states diff encode flag is only set if diff encode is
enabled in the dfa header.

Signed-off-by: John Johansen <john.johansen@canonical.com>
---

diff --git a/security/apparmor/match.c b/security/apparmor/match.c
index b477352305edf..651dbb6e38b81 100644
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -206,6 +206,12 @@ static int verify_dfa(struct aa_dfa *dfa)
 			pr_err("AppArmor DFA state with invalid match flags");
 			goto out;
 		}
+		if ((BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE)) {
+			if (!(dfa->flags & YYTH_FLAG_DIFF_ENCODE)) {
+				pr_err("AppArmor DFA diff encoded transition state without header flag");
+				goto out;
+			}
+		}
 		if (base_idx(BASE_TABLE(dfa)[i]) + 255 >= trans_count) {
 			pr_err("AppArmor DFA next/check upper bounds error\n");
 			goto out;