AppArmor: Fix underflow in xindex calculation If the xindex value stored in the accept tables is 0, the extraction of that value will result in an underflow (0 - 4). In properly compiled policy this should not happen for file rules but it may be possible for other rule types in the future. To exploit this underflow a user would have to be able to load a corrupt policy, which requires CAP_MAC_ADMIN, overwrite system policy in kernel memory or know of a compiler error resulting in the flaw being present for loaded policy (no such flaw is known at this time). Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>

commit: 8b964eae204d791421677ec56b94a7b18cf8740d [log] [tgz]
author: John Johansen <john.johansen@canonical.com> Wed Feb 22 00:32:30 2012 -0800
committer: John Johansen <john.johansen@canonical.com> Mon Feb 27 11:38:21 2012 -0800
tree: 7c1a7b5b6be9f2d9b60d8cba1094635d3f74466c
parent: ade3ddc01e2e426cc24c744be85dcaad4e8f8aba [diff]
diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h
index ab8c6d8..f98fd47 100644
--- a/security/apparmor/include/file.h
+++ b/security/apparmor/include/file.h

@@ -117,7 +117,7 @@
 		index |= AA_X_NAME;
 	} else if (old_index == 3) {
 		index |= AA_X_NAME | AA_X_CHILD;
-	} else {
+	} else if (old_index) {
 		index |= AA_X_TABLE;
 		index |= old_index - 4;
 	}
commit	8b964eae204d791421677ec56b94a7b18cf8740d	[log] [tgz]
author	John Johansen <john.johansen@canonical.com>	Wed Feb 22 00:32:30 2012 -0800
committer	John Johansen <john.johansen@canonical.com>	Mon Feb 27 11:38:21 2012 -0800
tree	7c1a7b5b6be9f2d9b60d8cba1094635d3f74466c
parent	ade3ddc01e2e426cc24c744be85dcaad4e8f8aba [diff]