git/linux-nf
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git synced 2026-04-03 23:38:12 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
9063d7e2615f4a7ab321de6b520e23d370e58816
linux-nf/security
History
Massimiliano Pellizzer 9063d7e261 apparmor: validate DFA start states are in bounds in unpack_pdb 
Start states are read from untrusted data and used as indexes into the
DFA state tables. The aa_dfa_next() function call in unpack_pdb() will
access dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds
the number of states in the DFA, this results in an out-of-bound read.

==================================================================
 BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360
 Read of size 4 at addr ffff88811956fb90 by task su/1097
 ...

Reject policies with out-of-bounds start states during unpacking
to prevent the issue.

Fixes: ad5ff3db53 ("AppArmor: Add ability to load extended policy")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-03-09 16:05:42 -07:00
..
apparmor
apparmor: validate DFA start states are in bounds in unpack_pdb
2026-03-09 16:05:42 -07:00
bpf
lsm: replace the name field with a pointer to the lsm_id struct
2025-10-22 19:24:18 -04:00
integrity
Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses
2026-02-22 08:26:33 -08:00
ipe
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
keys
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
landlock
Convert 'alloc_flex' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
loadpin
Convert 'alloc_flex' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
lockdown
lockdown: move initcalls to the LSM framework
2025-10-22 19:24:27 -04:00
safesetid
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
selinux
Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses
2026-02-22 08:26:33 -08:00
smack
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
tomoyo
treewide: Replace kmalloc with kmalloc_obj for non-scalar types
2026-02-21 01:02:28 -08:00
yama
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
commoncap_test.c
security: Add KUnit tests for kuid_root_in_ns and vfsuid_root_in_currentns
2026-01-09 11:28:28 -06:00
commoncap.c
security: Add KUnit tests for kuid_root_in_ns and vfsuid_root_in_currentns
2026-01-09 11:28:28 -06:00
device_cgroup.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
inode.c
Merge tag 'pull-persistency' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2025-12-05 14:36:21 -08:00
Kconfig
security: Add KUnit tests for kuid_root_in_ns and vfsuid_root_in_currentns
2026-01-09 11:28:28 -06:00
Kconfig.hardening
rust: add bitmap API.
2025-09-22 15:52:44 -04:00
lsm_audit.c
net: Retire DCCP socket.
2025-04-11 18:58:10 -07:00
lsm_init.c
lsm: preserve /proc/sys/vm/mmap_min_addr when !CONFIG_SECURITY
2026-01-29 13:56:53 -05:00
lsm_notifier.c
lsm: split the notifier code out into lsm_notifier.c
2025-10-22 19:24:15 -04:00
lsm_syscalls.c
lsm: rework lsm_active_cnt and lsm_idlist[]
2025-10-22 19:24:19 -04:00
lsm.h
lsm: preserve /proc/sys/vm/mmap_min_addr when !CONFIG_SECURITY
2026-01-29 13:56:53 -05:00
Makefile
lsm: split the init code out into lsm_init.c
2025-10-22 19:24:16 -04:00
min_addr.c
lsm: preserve /proc/sys/vm/mmap_min_addr when !CONFIG_SECURITY
2026-01-29 13:56:53 -05:00
security.c
lsm: make keys for static branch static
2026-01-06 20:57:55 -05:00