From: John Johansen <john.johansen@canonical.com>
Date: Thu, 2 Jun 2016 09:37:02 +0000 (-0700)
Subject: apparmor: add missing id bounds check on dfa verification
X-Git-Tag: v3.12.70~19
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1e612988489ab3ec2d2949161ebe498d29bf9940;p=thirdparty%2Fkernel%2Fstable.git

apparmor: add missing id bounds check on dfa verification

commit 15756178c6a65b261a080e21af4766f59cafc112 upstream.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---

diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h
index 001c43aa04065..a1c04fe867902 100644
--- a/security/apparmor/include/match.h
+++ b/security/apparmor/include/match.h
@@ -62,6 +62,7 @@ struct table_set_header {
 #define YYTD_ID_ACCEPT2 6
 #define YYTD_ID_NXT	7
 #define YYTD_ID_TSIZE	8
+#define YYTD_ID_MAX	8
 
 #define YYTD_DATA8	1
 #define YYTD_DATA16	2
diff --git a/security/apparmor/match.c b/security/apparmor/match.c
index 727eb4200d5c9..f9f57c626f549 100644
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -47,6 +47,8 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
 	 * it every time we use td_id as an index
 	 */
 	th.td_id = be16_to_cpu(*(u16 *) (blob)) - 1;
+	if (th.td_id > YYTD_ID_MAX)
+		goto out;
 	th.td_flags = be16_to_cpu(*(u16 *) (blob + 2));
 	th.td_lolen = be32_to_cpu(*(u32 *) (blob + 8));
 	blob += sizeof(struct table_header);