apparmor: fix off-by-one comparison on MAXMAPPED_SIG
author John Johansen <john.johansen@canonical.com>
Wed, 8 Nov 2017 16:09:52 +0000 (08:09 -0800)
committer Linus Torvalds <torvalds@linux-foundation.org>
Wed, 8 Nov 2017 18:56:22 +0000 (10:56 -0800)
This came in yesterday, and I have verified our regression tests
were missing this and it can cause an oops. Please apply.

There is an off-by-one comparison on sig against MAXMAPPED_SIG
that can lead to a read outside the sig_map array if sig
is MAXMAPPED_SIG. Fix this.

Verified that the check is an out of bounds case that can cause an oops.

Revised: add comparison fix to second case
Fixes: cd1dbf76b23d ("apparmor: add the ability to mediate signals")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
security/apparmor/ipc.c

index 66fb9ede9447adc71e3fd27a0b90d306b095c0fe..7ca0032e7ba96ef374aefe98d47acb919f3f81d3 100644 (file)
@@ -128,7 +128,7 @@ static inline int map_signal_num(int sig)
                return SIGUNKNOWN;
        else if (sig >= SIGRTMIN)
                return sig - SIGRTMIN + 128;    /* rt sigs mapped to 128 */
-       else if (sig <= MAXMAPPED_SIG)
+       else if (sig < MAXMAPPED_SIG)
                return sig_map[sig];
        return SIGUNKNOWN;
 }
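Review bot: the bound on the sig_map[sig] read in map_signal_num() is still a separate constant that has to be kept in step with the array by hand, which is how the original `<=` went unnoticed. Consider writing the test as `sig < ARRAY_SIZE(sig_map)` or adding a BUILD_BUG_ON that ties MAXMAPPED_SIG to the array size, so a later change to the table cannot reintroduce the out-of-bounds read. The name MAXMAPPED_SIG also reads like the largest valid index, while the fix treats it as an exclusive limit; a one-line comment at its definition saying so would help the next reader. The commit message notes that the regression tests missed this case, so a test that sends a signal numbered exactly MAXMAPPED_SIG would be worth adding alongside the fix.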
@@ -163,7 +163,7 @@ static void audit_signal_cb(struct audit_buffer *ab, void *va)
                        audit_signal_mask(ab, aad(sa)->denied);
                }
        }
-       if (aad(sa)->signal <= MAXMAPPED_SIG)
+       if (aad(sa)->signal < MAXMAPPED_SIG)
                audit_log_format(ab, " signal=%s", sig_names[aad(sa)->signal]);
        else
                audit_log_format(ab, " signal=rtmin+%d",
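Review bot: in audit_signal_cb() the index into sig_names[] is guarded by MAXMAPPED_SIG, the same constant that guards sig_map[] in map_signal_num(), although these are two different arrays. If sig_names is not guaranteed to have at least MAXMAPPED_SIG entries, the read is still unchecked; bounding it with `ARRAY_SIZE(sig_names)` or a build-time assertion on the table size would make the guard self-evident. Also note that after this change a value equal to MAXMAPPED_SIG falls through to the else branch and is logged as "rtmin+N"; since map_signal_num() places realtime signals at 128 and above, it is worth confirming that this branch only ever sees such values, or adding an explicit case for unmapped signals so the audit record is not misleading.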