From: John Johansen Date: Thu, 5 Mar 2026 02:24:01 +0000 (-0700) Subject: apparmor: fix dfa size check X-Git-Tag: v7.1-rc1~32^2~4 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=f17b68f0c33ff184713c356cd024035d437bac8c;p=thirdparty%2Fkernel%2Flinux.git apparmor: fix dfa size check AppArmor dfas need a minimum of two states to be valid. State 0 is the default trap state, and State 1 the default start state. When verifying the dfa ensure that this is the case. Fixes: c27c6bd2c4d6b ("apparmor: ensure that dfa state tables have entries") Signed-off-by: John Johansen --- diff --git a/security/apparmor/match.c b/security/apparmor/match.c index 8fa0a1494acd..4704b5904b15 100644 --- a/security/apparmor/match.c +++ b/security/apparmor/match.c @@ -157,7 +157,7 @@ static int verify_dfa(struct aa_dfa *dfa) state_count = dfa->tables[YYTD_ID_BASE]->td_lolen; trans_count = dfa->tables[YYTD_ID_NXT]->td_lolen; - if (state_count == 0) + if (state_count < 2) goto out; for (i = 0; i < state_count; i++) { if (!(BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE) &&
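Review bot: In the `verify_dfa()` hunk, the new `if (state_count < 2)` check uses a bare literal whose rationale lives only in the commit message. Someone reading match.c later will not see why 2 is the minimum. Consider a short comment above the check, for example `/* state 0 is the trap state, state 1 the start state */`, or a named constant for the minimum state count, so nobody relaxes the bound back to a zero check. The comparison itself matches the description: a table with exactly one state has a trap state but no start state 1, and the old `== 0` test let that case through to the loop that follows.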