apparmor: fix off-by-one comparison on MAXMAPPED_SIG
This came in yesterday, and I have verified our regression tests
were missing this and it can cause an oops. Please apply.

There is an off-by-one comparison on sig against MAXMAPPED_SIG
that can lead to a read outside the sig_map array if sig
is MAXMAPPED_SIG. Fix this.

Verified that the check is an out of bounds case that can cause an oops.

Revised: add comparison fix to second case
Fixes: cd1dbf7 ("apparmor: add the ability to mediate signals")
Signed-off-by: Colin Ian King <[email protected]>
Signed-off-by: John Johansen <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
John Johansen authored and torvalds committed Nov 8, 2017
1 parent fbc3edf commit f7dc4c9
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions security/apparmor/ipc.c
Expand Up @@ -128,7 +128,7 @@ static inline int map_signal_num(int sig)
return SIGUNKNOWN;
else if (sig >= SIGRTMIN)
return sig - SIGRTMIN + 128; /* rt sigs mapped to 128 */
else if (sig <= MAXMAPPED_SIG)
else if (sig < MAXMAPPED_SIG)
return sig_map[sig];
return SIGUNKNOWN;
}
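Review bot: In map_signal_num the bound on `sig_map[sig]` is still the standalone constant MAXMAPPED_SIG, and the declaration of sig_map is not in this hunk, so the check is only correct if that macro is exactly the array length. Consider bounding on the array itself with `else if (sig < ARRAY_SIZE(sig_map))`, or keep the macro and add a BUILD_BUG_ON that ties it to ARRAY_SIZE(sig_map). The test guarding the first `return SIGUNKNOWN;` sits above the visible context; it is worth confirming that it rejects negative values, since sig is a signed int and this line checks only the upper bound.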
Expand Down Expand Up @@ -163,7 +163,7 @@ static void audit_signal_cb(struct audit_buffer *ab, void *va)
audit_signal_mask(ab, aad(sa)->denied);
}
}
if (aad(sa)->signal <= MAXMAPPED_SIG)
if (aad(sa)->signal < MAXMAPPED_SIG)
audit_log_format(ab, " signal=%s", sig_names[aad(sa)->signal]);
else
audit_log_format(ab, " signal=rtmin+%d",
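Review bot: The guard before `sig_names[aad(sa)->signal]` in audit_signal_cb is a second hand-written copy of the bound used in map_signal_num, and per the commit message it was only picked up in the revised patch. Bounding it on the array it indexes, for example `< ARRAY_SIZE(sig_names)`, or routing both sites through one helper would keep the two checks from drifting apart. Also, a value equal to MAXMAPPED_SIG now takes the else branch and is logged with the `signal=rtmin+%d` format; the argument line is cut off here, so check that it does not print a misleading offset for a value that is not a real-time signal.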