6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 16 Jun 2026 13:43:01 +0000 (19:13 +0530)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 16 Jun 2026 13:43:01 +0000 (19:13 +0530)
added patches:
apparmor-validate-default-dfa-states-are-in-bounds.patch
x86-cpu-amd-move-the-zen3-btc_no-detection-to-the-zen3-init-function.patch

queue-6.1/apparmor-validate-default-dfa-states-are-in-bounds.patch [new file with mode: 0644]
queue-6.1/series
queue-6.1/x86-cpu-amd-move-the-zen3-btc_no-detection-to-the-zen3-init-function.patch [new file with mode: 0644]

diff --git a/queue-6.1/apparmor-validate-default-dfa-states-are-in-bounds.patch b/queue-6.1/apparmor-validate-default-dfa-states-are-in-bounds.patch
new file mode 100644 (file)
index 0000000..c1e5529
--- /dev/null
@@ -0,0 +1,82 @@
+From benh@debian.org  Tue Jun 16 19:07:21 2026
+From: Ben Hutchings <benh@debian.org>
+Date: Thu, 28 May 2026 17:16:49 +0200
+Subject: apparmor: validate default DFA states are in bounds
+To: Sasha Levin <sashal@kernel.org>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: John Johansen <john.johansen@canonical.com>, Qualys Security Advisory <qsa@qualys.com>, Salvatore Bonaccorso <carnil@debian.org>, Georgia Garcia <georgia.garcia@canonical.com>, Cengiz Can <cengiz.can@canonical.com>, Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>, stable@vger.kernel.org
+Message-ID: <ahhcYci93VUlA_f2@decadent.org.uk>
+Content-Disposition: inline
+
+From: Ben Hutchings <benh@debian.org>
+
+Some backports of commit 9063d7e2615f ("apparmor: validate DFA start
+states are in bounds in unpack_pdb") limited the bounds checks on DFA
+start states to the case where the start state was explicit in the
+policy.  However, the default DFA start state (DFA_START = 1) could
+also be out-of-bounds.
+
+Move these checks out of the else-branches so that they are applied
+regardless of how the start state was initialised.
+
+Fixes: 5443c027ec16 ("apparmor: validate DFA start states are in bounds in unpack_pdb")
+Signed-off-by: Ben Hutchings <benh@debian.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/apparmor/policy_unpack.c |   27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -829,6 +829,8 @@ static struct aa_profile *unpack_profile
+       }
+       if (aa_unpack_nameX(e, AA_STRUCT, "policydb")) {
++              size_t state_count;
++
+               /* generic policy dfa - optional and may be NULL */
+               info = "failed to unpack policydb";
+               profile->policy.dfa = unpack_dfa(e);
+@@ -843,13 +845,12 @@ static struct aa_profile *unpack_profile
+               if (!aa_unpack_u32(e, &profile->policy.start[0], "start")) {
+                       /* default start state */
+                       profile->policy.start[0] = DFA_START;
+-              } else {
+-                      size_t state_count = profile->policy.dfa->tables[YYTD_ID_BASE]->td_lolen;
++              }
+-                      if (profile->policy.start[0] >= state_count) {
+-                              info = "invalid dfa start state";
+-                              goto fail;
+-                      }
++              state_count = profile->policy.dfa->tables[YYTD_ID_BASE]->td_lolen;
++              if (profile->policy.start[0] >= state_count) {
++                      info = "invalid dfa start state";
++                      goto fail;
+               }
+               /* setup class index */
+@@ -872,16 +873,18 @@ static struct aa_profile *unpack_profile
+               info = "failed to unpack profile file rules";
+               goto fail;
+       } else if (profile->file.dfa) {
++              size_t state_count;
++
+               if (!aa_unpack_u32(e, &profile->file.start, "dfa_start")) {
+                       /* default start state */
+                       profile->file.start = DFA_START;
+-              } else {
+-                      size_t state_count = profile->file.dfa->tables[YYTD_ID_BASE]->td_lolen;
++              }
++
++              state_count = profile->file.dfa->tables[YYTD_ID_BASE]->td_lolen;
+-                      if (profile->file.start >= state_count) {
+-                              info = "invalid dfa start state";
+-                              goto fail;
+-                      }
++              if (profile->file.start >= state_count) {
++                      info = "invalid dfa start state";
++                      goto fail;
+               }
+       } else if (profile->policy.dfa &&
+                  profile->policy.start[AA_CLASS_FILE]) {
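Review bot: In the policydb branch the new unconditional `state_count = profile->policy.dfa->tables[YYTD_ID_BASE]->td_lolen;` dereferences `profile->policy.dfa` on every path, while the comment at the top of that block still reads "generic policy dfa - optional and may be NULL". The lines between the first and second inner hunks are not shown, so the NULL and error handling after `unpack_dfa(e)` presumably sits there. If it does reject NULL the comment is stale and could read `/* generic policy dfa - must be present once a policydb struct is found */`; if it does not, the bounds check needs the same kind of non-NULL guard the file-rules branch gets from `else if (profile->file.dfa)`. The identical three-line bounds check now appears at both sites and could move into one small static helper taking the dfa and the start state, so later backports cannot drift apart again. unpack_profile's body starts and ends outside these hunks.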
index 98bb5542388388d09f6258f71558027c80fe43aa..bcdc820a9698dec9800fa1ec334fff5ffbdfa65f 100644 (file)
@@ -518,3 +518,5 @@ arm64-errata-mitigate-tlbi-errata-on-nvidia-olympus-cpu.patch
 arm64-errata-mitigate-tlbi-errata-on-microsoft-azure-cobalt-100-cpu.patch
 revert-selftest-ptp-update-ptp-selftest-to-exercise-the-gettimex-options.patch
 fbdev-vt8500lcdfb-fix-dma_free_coherent-cpu_addr-parameter.patch
+apparmor-validate-default-dfa-states-are-in-bounds.patch
+x86-cpu-amd-move-the-zen3-btc_no-detection-to-the-zen3-init-function.patch
diff --git a/queue-6.1/x86-cpu-amd-move-the-zen3-btc_no-detection-to-the-zen3-init-function.patch b/queue-6.1/x86-cpu-amd-move-the-zen3-btc_no-detection-to-the-zen3-init-function.patch
new file mode 100644 (file)
index 0000000..c95d81a
--- /dev/null
@@ -0,0 +1,57 @@
+From affc66cb96f865b3763a8e18add52e133d864f04 Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+Date: Wed, 1 Nov 2023 11:28:31 +0100
+Subject: x86/CPU/AMD: Move the Zen3 BTC_NO detection to the Zen3 init function
+
+From: Borislav Petkov (AMD) <bp@alien8.de>
+
+commit affc66cb96f865b3763a8e18add52e133d864f04 upstream.
+
+No functional changes.
+
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
+Link: http://lore.kernel.org/r/20231120104152.13740-4-bp@alien8.de
+Stable-dep-of: 7c81ad8e8bc2 ("x86/CPU/AMD: Rename init_amd_zn() to init_amd_zen_common()")
+[bwh: Adjusted to apply after backports of the above commit which actually
+ depended on this]
+Signed-off-by: Ben Hutchings <benh@debian.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/amd.c |   18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -1087,14 +1087,6 @@ static void init_amd_zen1(struct cpuinfo
+               /* Erratum 1076: CPB feature bit not being set in CPUID. */
+               if (!cpu_has(c, X86_FEATURE_CPB))
+                       set_cpu_cap(c, X86_FEATURE_CPB);
+-
+-              /*
+-               * Zen3 (Fam19 model < 0x10) parts are not susceptible to
+-               * Branch Type Confusion, but predate the allocation of the
+-               * BTC_NO bit.
+-               */
+-              if (c->x86 == 0x19 && !cpu_has(c, X86_FEATURE_BTC_NO))
+-                      set_cpu_cap(c, X86_FEATURE_BTC_NO);
+       }
+       pr_notice_once("AMD Zen1 FPDSS bug detected, enabling mitigation.\n");
+@@ -1154,6 +1146,16 @@ static void init_amd_zen2(struct cpuinfo
+ static void init_amd_zen3(struct cpuinfo_x86 *c)
+ {
+       init_amd_zen_common();
++
++      if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) {
++              /*
++               * Zen3 (Fam19 model < 0x10) parts are not susceptible to
++               * Branch Type Confusion, but predate the allocation of the
++               * BTC_NO bit.
++               */
++              if (!cpu_has(c, X86_FEATURE_BTC_NO))
++                      set_cpu_cap(c, X86_FEATURE_BTC_NO);
++      }
+ }
+ static void init_amd_zen4(struct cpuinfo_x86 *c)
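Review bot: The comment moved into `init_amd_zen3()` still limits the claim to "Fam19 model < 0x10", but the new code drops the old `c->x86 == 0x19` test and checks no model, so correctness now rests entirely on which CPUs the caller routes to `init_amd_zen3()`; that dispatch is outside the hunk. Because a set `X86_FEATURE_BTC_NO` marks the part as not affected by Branch Type Confusion, it is worth confirming that the dispatch covers exactly the parts the comment names, or rewording the comment to say the model selection is done by the caller. The added `!cpu_has(c, X86_FEATURE_HYPERVISOR)` guard presumably mirrors the condition of the block the lines were removed from, whose opening is not visible here; "No functional changes" holds only if it does.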