Linux Kernel AppArmor Out-of-Bounds Read Vulnerability in DFA State Validation

Vulnerability

A vulnerability in the Linux kernel's AppArmor module allows an out-of-bounds read due to improper validation of Deterministic Finite Automaton (DFA) start states. The issue arises in the 'unpack_pdb' function, where start states are read from untrusted policy data and used as indexes into the DFA state tables. If a start state is greater than or equal to the number of states in the DFA, the lookup reads past the end of the state table, causing a memory access violation. This vulnerability was reported by Qualys and can be triggered by policies that contain invalid DFA start states.

Impact

Triggering this vulnerability causes a slab-out-of-bounds error, in which the kernel's memory checking detects a read that exceeds the bounds of the allocated slab object. This class of error can potentially be abused to read sensitive information from kernel memory or to cause other unintended behavior in the kernel.

Reproduction

To reproduce this vulnerability, load an AppArmor policy that includes an invalid DFA start state. The 'unpack_pdb' function will attempt to access the DFA state tables using the out-of-bounds index, triggering the slab-out-of-bounds error. This can be done by manipulating the policy file to include a start state that exceeds the valid range.

Remediation

AppArmor policies should be reviewed and validated to ensure that every DFA start state indexes an existing state, i.e. is smaller than the DFA's state count. The Linux kernel has been patched to reject policies with out-of-bounds start states during the unpacking process, so the invalid index is never used as a table lookup.
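The following is an added illustration of the remediation described above; it is not the Linux kernel's AppArmor code. The structures ('struct dfa', 'struct pdb'), the function names, the 'PDB_MAX_START' limit and the four-state fixture are all constructed for this example. It places the unchecked unpack pattern beside a hardened version that rejects any start state greater than or equal to the state count, and includes a defensively guarded lookup so the example itself never performs an out-of-bounds read.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified DFA: only the state count and one per-state
 * table matter here. The real structures in security/apparmor differ. */
struct dfa {
    uint32_t n_states;      /* number of rows in the state tables */
    const uint8_t *accept;  /* constructed per-state table, n_states entries */
};

#define PDB_MAX_START 4     /* assumed upper bound on start states per policy */

struct pdb {
    const struct dfa *dfa;
    uint32_t start[PDB_MAX_START];  /* start states read from the policy blob */
    size_t n_start;
};

/* Unchecked unpack: mirrors the flaw described above. Values from the
 * untrusted blob are stored verbatim and later used as table indexes. */
int unpack_pdb_unchecked(struct pdb *pdb, const struct dfa *dfa,
                         const uint32_t *blob, size_t n_start)
{
    if (n_start > PDB_MAX_START)
        return -EPROTO;
    pdb->dfa = dfa;
    pdb->n_start = n_start;
    for (size_t i = 0; i < n_start; i++)
        pdb->start[i] = blob[i];
    return 0;
}

/* Hardened unpack: every start state must index an existing state.
 * The comparison is >= because n_states is a count, not the last index. */
int unpack_pdb_checked(struct pdb *pdb, const struct dfa *dfa,
                       const uint32_t *blob, size_t n_start)
{
    if (n_start > PDB_MAX_START)
        return -EPROTO;
    for (size_t i = 0; i < n_start; i++) {
        if (blob[i] >= dfa->n_states)
            return -EPROTO;     /* reject the whole policy while unpacking */
    }
    return unpack_pdb_unchecked(pdb, dfa, blob, n_start);
}

/* Table lookup that an unvalidated start state would drive past the end of
 * dfa->accept. Returns the accept flag, or -1 when the index is out of range;
 * the range check exists so this example never does the bad read itself. */
int pdb_start_accept(const struct pdb *pdb, size_t which)
{
    if (which >= pdb->n_start)
        return -1;
    uint32_t s = pdb->start[which];
    if (s >= pdb->dfa->n_states)
        return -1;
    return pdb->dfa->accept[s];
}

/* Constructed fixture: a four-state DFA and two policy blobs. */
static const uint8_t demo_accept[] = {0, 1, 0, 1};
const struct dfa demo_dfa = {4, demo_accept};
const uint32_t demo_good[2] = {0, 3};   /* 3 is the last valid state index */
const uint32_t demo_bad[2]  = {0, 4};   /* 4 == n_states, one past the end */

int main(void)
{
    struct pdb p;
    printf("checked, good blob: %d\n", unpack_pdb_checked(&p, &demo_dfa, demo_good, 2));
    printf("checked, bad blob:  %d (expect -EPROTO = %d)\n",
           unpack_pdb_checked(&p, &demo_dfa, demo_bad, 2), -EPROTO);
    printf("unchecked, bad blob: %d (accepted, start[1] would index row 4 of 4)\n",
           unpack_pdb_unchecked(&p, &demo_dfa, demo_bad, 2));
    return 0;
}
```

The hardened path validates before anything is stored, so a rejected policy leaves no half-initialised start states behind; the off-by-one matters, since a start state equal to the state count is exactly one row past the table.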

Added: Mar 18, 2026, 7:40 PM
Updated: Mar 18, 2026, 7:40 PM

Vulnerability Rating (Custom Algorithm)

spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.