apparmor: Fix incorrect profile->signal range check

ColinIanKing · jrjohansen · commit 44fbeeb3087e · 2025-05-17T01:49:20.000-07:00
The check on profile->signal is always false, the value can never be less than 1 *and* greater than MAXMAPPED_SIG. Fix this by replacing the logical operator && with ||. Fixes: 84c455d ("apparmor: add support for profiles to define the kill signal") Signed-off-by: Colin Ian King <colin.i.king@gmail.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
@@ -919,7 +919,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 
 	/* optional */
 	(void) aa_unpack_u32(e, &profile->signal, "kill");
-	if (profile->signal < 1 && profile->signal > MAXMAPPED_SIG) {
+	if (profile->signal < 1 || profile->signal > MAXMAPPED_SIG) {
 		info = "profile kill.signal invalid value";
 		goto fail;
 	}

Original file line number	Diff line number	Diff line change
`@@ -919,7 +919,7 @@ static struct aa_profile unpack_profile(struct aa_ext e, char **ns_name)`
`919`	`919`
`920`	`920`	`/* optional */`
`921`	`921`	`(void) aa_unpack_u32(e, &profile->signal, "kill");`
`922`		`- if (profile->signal < 1 && profile->signal > MAXMAPPED_SIG) {`
	`922`	`+ if (profile->signal < 1 \|\| profile->signal > MAXMAPPED_SIG) {`
`923`	`923`	`info = "profile kill.signal invalid value";`
`924`	`924`	`goto fail;`
`925`	`925`	`}`