diff options
| author | John Johansen <john.johansen@canonical.com> | 2026-03-05 05:24:01 +0300 |
|---|---|---|
| committer | John Johansen <john.johansen@canonical.com> | 2026-04-23 05:28:14 +0300 |
| commit | f17b68f0c33ff184713c356cd024035d437bac8c (patch) | |
| tree | 441ae33b2b93583a4cb63f89d971a99ded255004 | |
| parent | 497ad4be355b70a6786dd9344710d98b14b92848 (diff) | |
| download | linux-f17b68f0c33ff184713c356cd024035d437bac8c.tar.xz | |
apparmor: fix dfa size check
AppArmor dfas need a minimum of two states to be valid. State 0 is the
default trap state, and State 1 the default start state. When verifying
the dfa ensure that this is the case.
Fixes: c27c6bd2c4d6b ("apparmor: ensure that dfa state tables have entries")
Signed-off-by: John Johansen <john.johansen@canonical.com>
| -rw-r--r-- | security/apparmor/match.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/security/apparmor/match.c b/security/apparmor/match.c index 8fa0a1494acd..4704b5904b15 100644 --- a/security/apparmor/match.c +++ b/security/apparmor/match.c @@ -157,7 +157,7 @@ static int verify_dfa(struct aa_dfa *dfa) state_count = dfa->tables[YYTD_ID_BASE]->td_lolen; trans_count = dfa->tables[YYTD_ID_NXT]->td_lolen; - if (state_count == 0) + if (state_count < 2) goto out; for (i = 0; i < state_count; i++) { if (!(BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE) && |