Commit f17b68f0 authored Mar 04, 2026 by John Johansen

apparmor: fix dfa size check

AppArmor dfas need a minimum of two states to be valid. State 0 is the
default trap state, and State 1 the default start state. When verifying
the dfa ensure that this is the case.

Fixes: c27c6bd2 ("apparmor: ensure that dfa state tables have entries")
Signed-off-by: John Johansen <john.johansen@canonical.com>

parent 497ad4be

security/apparmor/match.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -157,7 +157,7 @@ static int verify_dfa(struct aa_dfa *dfa)

		state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
		trans_count = dfa->tables[YYTD_ID_NXT]->td_lolen;
		if (state_count == 0)
		if (state_count < 2)
		goto out;
		for (i = 0; i < state_count; i++) {
		if (!(BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE) &&