apparmor: access to uninitialized variable size may cause loop bounds overflow
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | New | High | John Johansen |
Bug Description
In unpack_secmark, a failed aa_unpack_array call may leave the variable size unset, so the fail path executes a loop whose bound on size is undefined.
```c
VISIBLE_IF_KUNIT bool aa_unpack_
{
	void *pos = e->pos;

	if (aa_unpack_nameX(e, AA_ARRAY, name)) {
		if (!aa_inbounds(e, sizeof(u16)))
			/* ^^ *size not set */
	}
fail:
	e->pos = pos;
	return false;
}

....

static bool unpack_
{
	void *pos = e->pos;
	u16 size;
	int i;

	if (aa_unpack_nameX(e, AA_STRUCT, "secmark")) {
		if (!aa_unpack_
			/* ^^^ size is not set */
		if (!rules->secmark)
		for (i = 0; i < size; i++) {
		}
		if (!aa_unpack_
		if (!aa_unpack_
	}
	return true;
fail:
	if (rules->secmark) {
		for (i = 0; i < size; i++)
			/* ^^ for-loop on unbounded size */
	}
	e->pos = pos;
	return false;
}
```
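As an added illustration (not the kernel's code and not part of this report), the same unpack-then-cleanup pattern in user space, with the count initialised before the array header is parsed so that every fail path runs a bounded cleanup loop. The helper names (`unpack_array_header`, `unpack_entries`) and the sample byte streams are hypothetical and constructed here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
struct ext { const uint8_t *pos; const uint8_t *end; }; /* constructed cursor, like aa_ext */
/* Hypothetical stand-in for aa_unpack_array: reads a little-endian u16 count and,
 * as the report notes for the kernel helper, leaves *size untouched on failure. */
static bool unpack_array_header(struct ext *e, uint16_t *size)
{
    if (e->end - e->pos < 2)
        return false;
    *size = (uint16_t)(e->pos[0] | (e->pos[1] << 8));
    e->pos += 2;
    return true;
}
/* Hypothetical stand-in for unpack_secmark: one heap allocation per entry, like the
 * kernel's label strings. Returns -1 on success, else the fail-path loop iteration count. */
int unpack_entries(const uint8_t *buf, size_t len)
{
    struct ext e = { buf, buf + len };
    uint16_t size = 0;       /* the fix: the bound is defined before any goto fail */
    uint8_t **entries = NULL;
    int i, cleaned = 0;
    if (!unpack_array_header(&e, &size))
        goto fail;           /* size is still 0 here, so the cleanup loop cannot overrun */
    entries = calloc(size ? size : 1u, sizeof(*entries));  /* calloc(0) may return NULL */
    if (!entries)
        goto fail;
    for (i = 0; i < size; i++) {
        if (e.pos >= e.end || !(entries[i] = malloc(1)))
            goto fail;       /* truncated input or OOM after allocation: size is set */
        *entries[i] = *e.pos++;
    }
    for (i = 0; i < size; i++)
        free(entries[i]);
    free(entries);
    return -1;
fail:
    if (entries) {           /* same guard as the report's fail path */
        for (i = 0; i < size; i++, cleaned++)
            free(entries[i]);   /* calloc zeroed the slots, so free(NULL) is harmless */
        free(entries);
    }
    return cleaned;
}
/* Constructed inputs: header missing, size 3 with only 2 entries, and a valid stream. */
const uint8_t sample_no_header[] = { 0x03 };
const uint8_t sample_truncated[] = { 0x03, 0x00, 'a', 'b' };
const uint8_t sample_ok[] = { 0x02, 0x00, 'a', 'b' };
```

With the bound left uninitialised as in the report, the first input would reach the fail path with whatever value happened to be on the stack; with it initialised, that path performs zero cleanup iterations.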
Changed in linux (Ubuntu):
importance: Undecided → High
assignee: nobody → John Johansen (jjohansen)
summary:
```diff
- apparmor: access to uniniatliaed variable size may cause loop bounds
+ apparmor: access to uninitialized variable size may cause loop bounds overflow
```