/**
* verify_dfa - verify that all the transitions and states in the dfa tables
* are in bounds.
* @dfa: dfa to test (NOT NULL)
* @flags: flags controlling what type of accept table are acceptable
*
* Assumes dfa has gone through the first pass verification done by unpacking
* NOTE: this does not valid accept table values
*
* Returns: %0 else error code on failure to verify
*/
static int verify_dfa(struct aa_dfa *dfa, int flags)
{
size_t i, state_count, trans_count;
int error = -EPROTO;
/* check that required tables exist */
if (!(dfa->tables[YYTD_ID_DEF] &&
dfa->tables[YYTD_ID_BASE] &&
dfa->tables[YYTD_ID_NXT] && dfa->tables[YYTD_ID_CHK]))
goto out;
/* accept.size == default.size == base.size */
state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
if (ACCEPT1_FLAGS(flags)) {
if (!dfa->tables[YYTD_ID_ACCEPT])
goto out;
if (state_count != dfa->tables[YYTD_ID_ACCEPT]->td_lolen)
goto out;
}
if (ACCEPT2_FLAGS(flags)) {
if (!dfa->tables[YYTD_ID_ACCEPT2])
goto out;
if (state_count != dfa->tables[YYTD_ID_ACCEPT2]->td_lolen)
goto out;
}
if (state_count != dfa->tables[YYTD_ID_DEF]->td_lolen)
goto out;
/* next.size == chk.size */
trans_count = dfa->tables[YYTD_ID_NXT]->td_lolen;
if (trans_count != dfa->tables[YYTD_ID_CHK]->td_lolen)
goto out;
/* if equivalence classes then its table size must be 256 */
if (dfa->tables[YYTD_ID_EC] &&
dfa->tables[YYTD_ID_EC]->td_lolen != 256)
goto out;
if (flags & DFA_FLAG_VERIFY_STATES) {
for (i = 0; i < state_count; i++) {
if (DEFAULT_TABLE(dfa)[i] >= state_count)
goto out;
/* TODO: do check that DEF state recursion terminates */
if (BASE_TABLE(dfa)[i] >= trans_count + 256)
goto out;
}
for (i = 0; i < trans_count; i++) {
if (NEXT_TABLE(dfa)[i] >= state_count)
goto out;
if (CHECK_TABLE(dfa)[i] >= state_count)
goto out;
}
}
error = 0;
out:
return error;
}
/**
* verify_table_headers - verify that the tables headers are as expected
* @tables - array of dfa tables to check (NOT NULL)
* @flags: flags controlling what type of accept table are acceptable
*
* Assumes dfa has gone through the first pass verification done by unpacking
* NOTE: this does not valid accept table values
*
* Returns: %0 else error code on failure to verify
*/
static int verify_table_headers(struct table_header **tables, int flags)
{
size_t state_count, trans_count;
int error = -EPROTO;
/* check that required tables exist */
if (!(tables[YYTD_ID_DEF] && tables[YYTD_ID_BASE] &&
tables[YYTD_ID_NXT] && tables[YYTD_ID_CHK]))
goto out;
/* accept.size == default.size == base.size */
state_count = tables[YYTD_ID_BASE]->td_lolen;
if (ACCEPT1_FLAGS(flags)) {
if (!tables[YYTD_ID_ACCEPT])
goto out;
if (state_count != tables[YYTD_ID_ACCEPT]->td_lolen)
goto out;
}
if (ACCEPT2_FLAGS(flags)) {
if (!tables[YYTD_ID_ACCEPT2])
goto out;
if (state_count != tables[YYTD_ID_ACCEPT2]->td_lolen)
goto out;
}
if (state_count != tables[YYTD_ID_DEF]->td_lolen)
goto out;
/* next.size == chk.size */
trans_count = tables[YYTD_ID_NXT]->td_lolen;
if (trans_count != tables[YYTD_ID_CHK]->td_lolen)
goto out;
/* if equivalence classes then its table size must be 256 */
if (tables[YYTD_ID_EC] && tables[YYTD_ID_EC]->td_lolen != 256)
goto out;
error = 0;
out:
return error;
}
/**
* aa_dfa_unpack - unpack the binary tables of a serialized dfa
* @blob: aligned serialized stream of data to unpack (NOT NULL)
* @size: size of data to unpack
* @flags: flags controlling what type of accept tables are acceptable
*
* Unpack a dfa that has been serialized. To find information on the dfa
* format look in Documentation/admin-guide/LSM/apparmor.rst
* Assumes the dfa @blob stream has been aligned on a 8 byte boundary
*
* Returns: an unpacked dfa ready for matching or ERR_PTR on failure
*/
struct aa_dfa *aa_dfa_unpack(void *blob, size_t size, int flags)
{
int hsize;
int error = -ENOMEM;
char *data = blob;
struct table_header *table = NULL;
struct aa_dfa *dfa = kzalloc(sizeof(struct aa_dfa), GFP_KERNEL);
if (!dfa)
goto fail;
kref_init(&dfa->count);
error = -EPROTO;
/* get dfa table set header */
if (size < sizeof(struct table_set_header))
goto fail;
if (ntohl(*(__be32 *) data) != YYTH_MAGIC)
goto fail;
hsize = ntohl(*(__be32 *) (data + 4));
if (size < hsize)
goto fail;
dfa->flags = ntohs(*(__be16 *) (data + 12));
if (dfa->flags != 0 && dfa->flags != YYTH_FLAG_DIFF_ENCODE)
goto fail;
data += hsize;
size -= hsize;
while (size > 0) {
table = unpack_table(data, size);
if (!table)
goto fail;
switch (table->td_id) {
case YYTD_ID_ACCEPT:
if (!(table->td_flags & ACCEPT1_FLAGS(flags)))
goto fail;
break;
case YYTD_ID_ACCEPT2:
if (!(table->td_flags & ACCEPT2_FLAGS(flags)))
goto fail;
break;
case YYTD_ID_BASE:
if (table->td_flags != YYTD_DATA32)
goto fail;
break;
case YYTD_ID_DEF:
case YYTD_ID_NXT:
case YYTD_ID_CHK:
if (table->td_flags != YYTD_DATA16)
goto fail;
break;
case YYTD_ID_EC:
if (table->td_flags != YYTD_DATA8)
goto fail;
break;
default:
goto fail;
}
/* check for duplicate table entry */
if (dfa->tables[table->td_id])
goto fail;
dfa->tables[table->td_id] = table;
data += table_size(table->td_lolen, table->td_flags);
size -= table_size(table->td_lolen, table->td_flags);
table = NULL;
}
error = verify_table_headers(dfa->tables, flags);
if (error)
goto fail;
if (flags & DFA_FLAG_VERIFY_STATES) {
error = verify_dfa(dfa);
if (error)
goto fail;
}
return dfa;
fail:
kvfree(table);
dfa_free(dfa);
return ERR_PTR(error);
}
static int verify_dfa(struct aa_dfa *dfa, int flags)
{
size_t i, state_count, trans_count;
int error = -EPROTO;
if (!(dfa->tables[YYTD_ID_DEF] &&
dfa->tables[YYTD_ID_BASE] &&
dfa->tables[YYTD_ID_NXT] && dfa->tables[YYTD_ID_CHK]))
goto out;
state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
if (ACCEPT1_FLAGS(flags)) {
if (!dfa->tables[YYTD_ID_ACCEPT])
goto out;
if (state_count != dfa->tables[YYTD_ID_ACCEPT]->td_lolen)
goto out;
}
if (ACCEPT2_FLAGS(flags)) {
if (!dfa->tables[YYTD_ID_ACCEPT2])
goto out;
if (state_count != dfa->tables[YYTD_ID_ACCEPT2]->td_lolen)
goto out;
}
if (state_count != dfa->tables[YYTD_ID_DEF]->td_lolen)
goto out;
trans_count = dfa->tables[YYTD_ID_NXT]->td_lolen;
if (trans_count != dfa->tables[YYTD_ID_CHK]->td_lolen)
goto out;
if (dfa->tables[YYTD_ID_EC] &&
dfa->tables[YYTD_ID_EC]->td_lolen != 256)
goto out;
if (flags & DFA_FLAG_VERIFY_STATES) {
for (i = 0; i < state_count; i++) {
if (DEFAULT_TABLE(dfa)[i] >= state_count)
goto out;
if (BASE_TABLE(dfa)[i] + 255 >= trans_count) {
printk(KERN_ERR "AppArmor DFA next/check upper "
"bounds error\n");
goto out;
}
}
for (i = 0; i < trans_count; i++) {
if (NEXT_TABLE(dfa)[i] >= state_count)
goto out;
if (CHECK_TABLE(dfa)[i] >= state_count)
goto out;
}
}
error = 0;
out:
return error;
}