[PATCH OLK-5.10] apparmor: validate DFA start states are in bounds in unpack_pdb
From: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>

mainline inclusion
from mainline-v7.0-rc4
commit 9063d7e2615f4a7ab321de6b520e23d370e58816
category: bugfix
bugzilla: https://atomgit.com/src-openeuler/kernel/issues/13880
CVE: CVE-2026-23269
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

--------------------------------

Start states are read from untrusted data and used as indexes into the DFA state tables. The aa_dfa_next() function call in unpack_pdb() will access dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds the number of states in the DFA, this results in an out-of-bounds read.

==================================================================
BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360
Read of size 4 at addr ffff88811956fb90 by task su/1097
...

Reject policies with out-of-bounds start states during unpacking to prevent the issue.

Fixes: ad5ff3db53c6 ("AppArmor: Add ability to load extended policy")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

Conflicts:
	security/apparmor/policy_unpack.c
[The conflict is due to the commits ad596ea74e746 ("apparmor: group dfa policydb unpacking") and 98b824ff8984f ("apparmor: refcount the pdb") not being merged. The first commit changes profile->policy to *policy and moves it to a new function, unpack_pdb, and the second commit changes *policy to *pdb. So keep using profile->policy in this commit.]

Signed-off-by: Zhao Yipeng <zhaoyipeng5@huawei.com>
---
 security/apparmor/policy_unpack.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c index 33fac6489077..bac5cccbf2e9 100644 --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c @@ -860,6 +860,12 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name) if (!unpack_u32(e, &profile->policy.start[0], "start")) /* default start state */ profile->policy.start[0] = DFA_START; + + if (profile->policy.start[0] >= profile->policy.dfa->tables[YYTD_ID_BASE]->td_lolen) { + info = "invalid dfa start state"; + goto fail; + } + /* setup class index */ for (i = AA_CLASS_FILE; i <= AA_CLASS_LAST; i++) { profile->policy.start[i] = @@ -890,6 +896,12 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name) } else profile->file.dfa = aa_get_dfa(nulldfa); + if (profile->file.dfa && profile->file.start >= + profile->file.dfa->tables[YYTD_ID_BASE]->td_lolen) { + info = "invalid file dfa start state"; + goto fail; + } + if (!unpack_trans_table(e, profile)) { info = "failed to unpack profile transition table"; goto fail; -- 2.34.1
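Review bot: in the first hunk (policydb start state) the new check dereferences profile->policy.dfa unconditionally, while the second hunk guards the same dereference with `profile->file.dfa &&`; the context shown does not include where profile->policy.dfa is assigned, so either confirm that the unpack path has already rejected a NULL policy dfa before "start" is read (a one-line comment would then document the asymmetry) or add the same guard here. The comparison itself is the right one: aa_dfa_next() indexes tables[YYTD_ID_BASE] by the start state, so start[0] must be strictly less than that table's td_lolen, and the check sits before the class-index loop that calls aa_dfa_next() with start[0]. The fail path sets only info, matching the existing `info = "failed to unpack profile transition table"; goto fail;` style visible in the second hunk, so it relies on the function's `error` still holding its default value at this point; worth confirming.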
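Review bot: in the second hunk (file dfa start state) the visible `} else profile->file.dfa = aa_get_dfa(nulldfa);` branch assigns no start state, so the new check compares whatever profile->file.start already holds against nulldfa's base-table td_lolen; either an explicit `profile->file.start = DFA_START;` in that branch (if that is the intended default) or a short comment would make it clear that the default is in bounds for nulldfa rather than depending on an earlier initialization. Also, every branch shown assigns profile->file.dfa, so the `profile->file.dfa &&` guard only matters if a path not in this context can leave it NULL; keeping it is harmless, but the comment should say why it is there.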
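The mechanism the commit message describes, as an added example that is not AppArmor's code and not part of the patch: a simplified model of a flex-style base/next/check DFA and of the unpacker's optional "start" field, written to show why an unchecked start state is an out-of-bounds index into the base table and where the check from the patch belongs. Every struct, function and table name here (table_header, toy_dfa, policydb, toy_dfa_next, unpack_start, try_start) is an assumption made for the example; only DFA_START and the fact that the base table's td_lolen is the state count come from the patch, and the 3-state DFA and the policy blobs are constructed inline.

```c
/*
 * Added example, not AppArmor kernel code: a toy base/next/check DFA plus a
 * policy "start" unpacker with the bounds check from the patch. All names
 * except DFA_START are assumptions; the DFA and blobs are constructed here.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct table_header {
	uint32_t td_lolen;        /* number of entries in td_data */
	const uint32_t *td_data;  /* one entry per state (base) or per slot (next/check) */
};

struct toy_dfa {
	struct table_header base; /* base.td_lolen == number of states */
	struct table_header nxt;
	struct table_header chk;
};

struct policydb {
	const struct toy_dfa *dfa;
	uint32_t start;           /* start state, read from untrusted policy data */
};

#define DFA_START 1u              /* default start state, as in the patch */
#define NSLOTS 512u

/* Constructed 3-state DFA: 0 = dead, 1 = start, 2 = "saw an 'a'".
 * state 1 --'a'--> 2, state 2 --'a'--> 2; every other input goes dead. */
static const uint32_t base_tbl[3] = { 0, 0, 256 };
static uint32_t nxt_tbl[NSLOTS];
static uint32_t chk_tbl[NSLOTS];

static struct toy_dfa build_dfa(void)
{
	memset(chk_tbl, 0xff, sizeof(chk_tbl)); /* 0xffffffff matches no state */
	nxt_tbl[0 + 'a'] = 2;   chk_tbl[0 + 'a'] = 1;
	nxt_tbl[256 + 'a'] = 2; chk_tbl[256 + 'a'] = 2;
	return (struct toy_dfa){
		.base = { 3, base_tbl },
		.nxt  = { NSLOTS, nxt_tbl },
		.chk  = { NSLOTS, chk_tbl },
	};
}

/* One transition. Like aa_dfa_next() it indexes the base table by 'state'
 * without checking it: a state >= base.td_lolen reads past the table, so the
 * bounds check has to happen in the unpacker, before any transition is taken. */
static uint32_t toy_dfa_next(const struct toy_dfa *dfa, uint32_t state, unsigned char c)
{
	uint32_t pos = dfa->base.td_data[state] + c;

	if (pos >= dfa->nxt.td_lolen || dfa->chk.td_data[pos] != state)
		return 0;
	return dfa->nxt.td_data[pos];
}

/* Unpack the optional little-endian u32 "start" field (default DFA_START) and
 * reject a value that is not a valid index into the base table.
 * Returns 0 on success, -1 when the policy must be rejected. */
static int unpack_start(struct policydb *pdb, const uint8_t *blob, size_t len)
{
	if (len >= 4)
		pdb->start = (uint32_t)blob[0] | (uint32_t)blob[1] << 8 |
			     (uint32_t)blob[2] << 16 | (uint32_t)blob[3] << 24;
	else
		pdb->start = DFA_START;

	/* The patch's check: start must be strictly less than the state count.
	 * A '>' here would still admit start == td_lolen, one past the end. */
	if (pdb->start >= pdb->dfa->base.td_lolen)
		return -1;
	return 0;
}

/* Walk the DFA over s from the validated start state; true if it ends in state 2. */
static bool matches(const struct policydb *pdb, const char *s)
{
	uint32_t state = pdb->start;

	for (; *s; s++)
		state = toy_dfa_next(pdb->dfa, state, (unsigned char)*s);
	return state == 2;
}

enum { POLICY_REJECTED = -1, NO_MATCH = 0, MATCH = 1 };

/* Load a constructed policy blob and match the string "aa" against it. */
static int run_policy(const uint8_t *blob, size_t len)
{
	struct toy_dfa dfa = build_dfa();
	struct policydb pdb = { .dfa = &dfa };

	if (unpack_start(&pdb, blob, len) < 0)
		return POLICY_REJECTED;
	return matches(&pdb, "aa") ? MATCH : NO_MATCH;
}

/* Blob carrying an explicit start state (little-endian u32). */
static int try_start(uint32_t start)
{
	uint8_t blob[4] = { (uint8_t)start, (uint8_t)(start >> 8),
			    (uint8_t)(start >> 16), (uint8_t)(start >> 24) };
	return run_policy(blob, sizeof(blob));
}

/* Blob without a start field: the unpacker falls back to DFA_START. */
static int try_default(void)
{
	return run_policy(NULL, 0);
}

int main(void)
{
	printf("start=1: %d, start=3 (== state count): %d, default: %d\n",
	       try_start(1), try_start(3), try_default());
	return 0;
}
```

With the check in place, start values 0, 1 and 2 load (only 1 and 2 accept "aa"), while 3, which equals the base table's td_lolen, and 0xffffffff are rejected at unpack time instead of becoming an index in toy_dfa_next().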
Feedback: The patch(es) you sent to the kernel@openeuler.org mailing list have been converted to a pull request successfully!
Pull request link: https://atomgit.com/openeuler/kernel/merge_requests/21716
Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/JSL...
participants (2)
- patchwork bot
- Zhao Yipeng