| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <lsq.1544392233.181027988@decadent.org.uk>
Date: Sun, 09 Dec 2018 21:50:33 +0000
From: Ben Hutchings <ben@...adent.org.uk>
To: linux-kernel@...r.kernel.org, stable@...r.kernel.org
CC: akpm@...ux-foundation.org,
"Dan Carpenter" <dan.carpenter@...cle.com>,
"John Johansen" <john.johansen@...onical.com>
Subject: [PATCH 3.16 156/328] apparmor: remove no-op permission check in
policy_unpack
3.16.62-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: John Johansen <john.johansen@...onical.com>
commit c037bd615885f1d9d3bdb48531bace79fae1505d upstream.
The patch 736ec752d95e: "AppArmor: policy routines for loading and
unpacking policy" from Jul 29, 2010, leads to the following static
checker warning:
security/apparmor/policy_unpack.c:410 verify_accept()
warn: bitwise AND condition is false here
security/apparmor/policy_unpack.c:413 verify_accept()
warn: bitwise AND condition is false here
security/apparmor/policy_unpack.c
392 #define DFA_VALID_PERM_MASK 0xffffffff
393 #define DFA_VALID_PERM2_MASK 0xffffffff
394
395 /**
396 * verify_accept - verify the accept tables of a dfa
397 * @dfa: dfa to verify accept tables of (NOT NULL)
398 * @flags: flags governing dfa
399 *
400 * Returns: 1 if valid accept tables else 0 if error
401 */
402 static bool verify_accept(struct aa_dfa *dfa, int flags)
403 {
404 int i;
405
406 /* verify accept permissions */
407 for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
408 int mode = ACCEPT_TABLE(dfa)[i];
409
410 if (mode & ~DFA_VALID_PERM_MASK)
411 return 0;
412
413 if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK)
414 return 0;
fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy")
Reported-by: Dan Carpenter <dan.carpenter@...cle.com>
Signed-off-by: John Johansen <john.johansen@...onical.com>
Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
---
security/apparmor/policy_unpack.c | 32 -------------------------------
1 file changed, 32 deletions(-)
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -290,32 +290,6 @@ static int unpack_strdup(struct aa_ext *
return res;
}
-#define DFA_VALID_PERM_MASK 0xffffffff
-#define DFA_VALID_PERM2_MASK 0xffffffff
-
-/**
- * verify_accept - verify the accept tables of a dfa
- * @dfa: dfa to verify accept tables of (NOT NULL)
- * @flags: flags governing dfa
- *
- * Returns: 1 if valid accept tables else 0 if error
- */
-static bool verify_accept(struct aa_dfa *dfa, int flags)
-{
- int i;
-
- /* verify accept permissions */
- for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
- int mode = ACCEPT_TABLE(dfa)[i];
-
- if (mode & ~DFA_VALID_PERM_MASK)
- return 0;
-
- if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK)
- return 0;
- }
- return 1;
-}
/**
* unpack_dfa - unpack a file rule dfa
@@ -351,15 +325,9 @@ static struct aa_dfa *unpack_dfa(struct
if (IS_ERR(dfa))
return dfa;
- if (!verify_accept(dfa, flags))
- goto fail;
}
return dfa;
-
-fail:
- aa_put_dfa(dfa);
- return ERR_PTR(-EPROTO);
}
/**
Powered by blists - more mailing lists