apparmor: add consistency check between state and dfa diff encode flags
authorJohn Johansen <john.johansen@canonical.com>
Sat, 31 Aug 2019 22:55:45 +0000 (15:55 -0700)
committerJohn Johansen <john.johansen@canonical.com>
Sat, 18 Jan 2020 23:37:49 +0000 (15:37 -0800)
Check that a state's diff encode flag is only set if diff encode is
enabled in the dfa header.

Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/match.c

index b477352..651dbb6 100644 (file)
@@ -206,6 +206,12 @@ static int verify_dfa(struct aa_dfa *dfa)
                        pr_err("AppArmor DFA state with invalid match flags");
                        goto out;
                }
+               if ((BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE)) {
+                       if (!(dfa->flags & YYTH_FLAG_DIFF_ENCODE)) {
+                               pr_err("AppArmor DFA diff encoded transition state without header flag");
+                               goto out;
+                       }
+               }
                if (base_idx(BASE_TABLE(dfa)[i]) + 255 >= trans_count) {
                        pr_err("AppArmor DFA next/check upper bounds error\n");
                        goto out;
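Review bot: The new `pr_err` string in the added block has no trailing newline, unlike the "next/check upper bounds error\n" message just below it, so the rejection record for a malformed policy DFA may not be terminated cleanly in the kernel log; it should read `pr_err("AppArmor DFA diff encoded transition state without header flag\n");`. The two nested `if`s can also be a single condition without the doubled parentheses, `if ((BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE) && !(dfa->flags & YYTH_FLAG_DIFF_ENCODE)) {`, which keeps this check at the same depth as the neighbouring ones. A short comment such as `/* per-state diff-encode bit is only valid when the header advertises it */` would tell a reader why an inconsistent table is refused. verify_dfa starts and ends outside the hunk, so the value returned through `out` is not visible here.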