mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 06:16:03 +00:00

parser: fix integer overflow bug in rule priority comparisons

There is an integer overflow when comparing priorities when cmp is
used because it uses subtraction to find less than, equal, and greater
than in one operation.

But INT_MAX and INT_MIN are being used by priorities and this results
in INT_MAX - INT_MIN and INT_MIN - INT_MAX which are both overflows
causing an incorrect comparison result and selection of the wrong
rule permission.

Closes: https://gitlab.com/apparmor/apparmor/-/issues/452
Fixes: e3fca60d1 ("parser: add the ability to specify a priority prefix to rules")
Signed-off-by: John Johansen <john.johansen@canonical.com>
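The failure mode the commit message describes, as an added example that is not part of this AppArmor commit or of the parser's code: a priority compare written as `a - b` next to an overflow-free three-way compare, run on the INT_MAX and INT_MIN sentinel values the patch replaces. The names `cmp_by_subtraction`, `cmp_three_way`, `subtraction_is_safe`, `pick_higher` and `struct rule` are chosen for this example only, the two rules are constructed, and because signed overflow is undefined behaviour in C the wraparound a real build exhibits is modelled with unsigned arithmetic rather than performed directly.

```c
#include <limits.h>
#include <stdio.h>

/*
 * Constructed example, not AppArmor parser code: a priority compare written
 * as `a - b`, as the commit message describes, beside an overflow-free one.
 */

/* Reinterpret an unsigned bit pattern as a two's-complement int without
 * relying on the implementation-defined unsigned-to-signed conversion. */
static int as_twos_complement(unsigned int u)
{
	if (u <= (unsigned int)INT_MAX)
		return (int)u;
	return -(int)(~u) - 1;
}

/* The buggy pattern: three-way compare via subtraction. Signed overflow is
 * undefined behaviour, so the wraparound a real build produces is modelled
 * with unsigned arithmetic, which yields the same bits on two's-complement
 * targets. Negative means "less", zero "equal", positive "greater". */
static int cmp_by_subtraction(int a, int b)
{
	return as_twos_complement((unsigned int)a - (unsigned int)b);
}

/* Overflow-free three-way compare: no arithmetic on the operands at all. */
static int cmp_three_way(int a, int b)
{
	return (a > b) - (a < b);
}

/* Whether a - b is representable in int. Assumes long long is wider than int,
 * which holds on the targets the parser builds for. */
static int subtraction_is_safe(int a, int b)
{
	long long d = (long long)a - (long long)b;
	return d >= INT_MIN && d <= INT_MAX;
}

/* Hypothetical rule record: a priority and the permission it grants. */
struct rule {
	int priority;
	const char *perms;
};

/* Returns the rule that should win: the higher priority, x on ties. */
static const struct rule *pick_higher(const struct rule *x,
				      const struct rule *y,
				      int (*cmp)(int, int))
{
	return cmp(x->priority, y->priority) >= 0 ? x : y;
}

int main(void)
{
	/* Constructed rules mirroring the sentinels in the patch: an internal
	 * deny rule at INT_MAX and an internal allow rule at INT_MIN. */
	struct rule internal_deny = { INT_MAX, "deny" };
	struct rule internal_allow = { INT_MIN, "allow" };

	printf("INT_MAX - INT_MIN fits in int: %d\n",
	       subtraction_is_safe(INT_MAX, INT_MIN));
	printf("subtraction cmp(INT_MAX, INT_MIN) = %d (should be > 0)\n",
	       cmp_by_subtraction(INT_MAX, INT_MIN));
	printf("three-way   cmp(INT_MAX, INT_MIN) = %d\n",
	       cmp_three_way(INT_MAX, INT_MIN));
	printf("buggy selection picks: %s\n",
	       pick_higher(&internal_deny, &internal_allow,
			   cmp_by_subtraction)->perms);
	printf("fixed selection picks: %s\n",
	       pick_higher(&internal_deny, &internal_allow,
			   cmp_three_way)->perms);
	return 0;
}
```

With the subtraction compare, INT_MAX - INT_MIN wraps to -1 and INT_MIN - INT_MAX wraps to 1, so each sentinel is ranked on the wrong side of the other and the lower-priority rule's permission is selected; the same two inputs compare correctly under `cmp_three_way`. Confining priorities to a range whose width fits in an int, which is what renaming the sentinels to MAX_INTERNAL_PRIORITY and MIN_INTERNAL_PRIORITY aims at, is the other way to make the subtraction form safe, and `subtraction_is_safe` is the check for whether a given pair of bounds achieves that.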
Author: John Johansen
Date: 2024-08-15 13:22:19 -07:00
parent 8d6270e1fe
commit e2d55844a2
7 changed files with 46 additions and 15 deletions


@@ -1093,9 +1093,10 @@ static const char *deny_file = ".*";
*
* Note: it turns out the above bug does exist for dbus rules in parsers
* that do not support priority, and we don't have a way to fix it.
* We fix it here by capping user specified priority to be < INT_MAX.
* We fix it here by capping user specified priority to be less than
* MAX_INTERNAL_PRIORITY.
*/
static int mediates_priority = INT_MAX;
static int mediates_priority = MAX_INTERNAL_PRIORITY;
/* some rule types unfortunately encoded permissions on the class byte
* to fix the above bug, they need a different solution. The generic
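Review bot: the rewritten comment says user-specified priority is capped to be less than MAX_INTERNAL_PRIORITY, but nothing in this hunk enforces that cap and no include for the header that defines MAX_INTERNAL_PRIORITY is visible in the context; please confirm the definition is reachable from this file and point the comment at where the cap is applied (the priority prefix parser, presumably), since the sentinel only stays distinct from user rules if that check exists. If the subtraction-based compare the commit message describes is kept rather than replaced, the fix also relies on MAX_INTERNAL_PRIORITY - MIN_INTERNAL_PRIORITY fitting in an int; a static assertion or a comment beside the two constants' definitions would make that invariant explicit.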
@@ -1106,7 +1107,7 @@ static int mediates_priority = INT_MAX;
* and it is guaranteed to have the same priority as the highest priority
* rule.
*/
static int perms_onclass_mediates_priority = INT_MIN;
static int perms_onclass_mediates_priority = MIN_INTERNAL_PRIORITY;
int process_profile_policydb(Profile *prof)
{
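Review bot: the comment immediately above the initializer states that the generic rule "is guaranteed to have the same priority as the highest priority rule", yet perms_onclass_mediates_priority is now initialised to MIN_INTERNAL_PRIORITY, the lowest value; the elided lines of that comment may reconcile the two, but a one-line note at the initializer saying why the minimum is the correct sentinel here, and how it relates to mediates_priority being MAX_INTERNAL_PRIORITY, would keep the next reader from assuming the sign was flipped by mistake.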