]> git.ipfire.org Git - thirdparty/linux.git/commitdiff
projects / thirdparty / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | combined (merge: dd6c438 11b7df0)
Merge tag 'apparmor-pr-2026-04-23' of git://git.kernel.org/pub/scm/linux/kernel/git...
authorLinus Torvalds <torvalds@linux-foundation.org>
Fri, 24 Apr 2026 16:22:21 +0000 (09:22 -0700)
committerLinus Torvalds <torvalds@linux-foundation.org>
Fri, 24 Apr 2026 16:22:21 +0000 (09:22 -0700)
Pull apparmor updates from John Johansen:
 "Cleanups
   - Use sysfs_emit in param_get_{audit,mode}
   - Remove redundant if check in sk_peer_get_label
   - Replace memcpy + NUL termination with kmemdup_nul in do_setattr

  Bug Fixes:
   - Fix aa_dfa_unpack's error handling in aa_setup_dfa_engine
   - Fix string overrun due to missing termination
   - Fix wrong dentry in RENAME_EXCHANGE uid check
   - fix unpack_tags to properly return error in failure cases
   - fix dfa size check
   - return error on namespace mismatch in verify_header
   - use target task's context in apparmor_getprocattr()"

* tag 'apparmor-pr-2026-04-23' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
  apparmor/lsm: Fix aa_dfa_unpack's error handling in aa_setup_dfa_engine
  apparmor: Fix string overrun due to missing termination
  apparmor: Fix wrong dentry in RENAME_EXCHANGE uid check
  apparmor: fix unpack_tags to properly return error in failure cases
  apparmor: fix dfa size check
  apparmor: Use sysfs_emit in param_get_{audit,mode}
  apparmor: Remove redundant if check in sk_peer_get_label
  apparmor: Replace memcpy + NUL termination with kmemdup_nul in do_setattr
  apparmor: return error on namespace mismatch in verify_header
  apparmor: use target task's context in apparmor_getprocattr()

1  2 
security/apparmor/match.c patch | diff1 | diff2 | blob | history
security/apparmor/policy_unpack.c patch | diff1 | diff2 | blob | history

diff --cc security/apparmor/match.c
index e9fac67e5178c35f278d7acc11f2d266e1c93759,4704b5904b150f4737995f8f802f9ea5961cee75..3a2c6cf02b3c7ee89ad40c564ef5453380eda3f4
--- 1/security/apparmor/match.c
--- 2/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@@ -157,13 -157,12 +157,13 @@@ static int verify_dfa(struct aa_dfa *df
  
        state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
        trans_count = dfa->tables[YYTD_ID_NXT]->td_lolen;
-       if (state_count == 0)
+       if (state_count < 2)
                goto out;
        for (i = 0; i < state_count; i++) {
 -              if (!(BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE) &&
 -                  (DEFAULT_TABLE(dfa)[i] >= state_count))
 +              if (DEFAULT_TABLE(dfa)[i] >= state_count) {
 +                      pr_err("AppArmor DFA default state out of bounds");
                        goto out;
 +              }
                if (BASE_TABLE(dfa)[i] & MATCH_FLAGS_INVALID) {
                        pr_err("AppArmor DFA state with invalid match flags");
                        goto out;
diff --cc security/apparmor/policy_unpack.c
Simple merge
A mirror of Linus' kernel repository