| Message ID | 20210120161321.13656-1-nicolas.iooss@m4x.org (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | [v2,1/1] libsepol: do not decode out-of-bound rolebounds | expand |
On Wed, Jan 20, 2021 at 11:13 AM Nicolas Iooss <nicolas.iooss@m4x.org> wrote: > > While fuzzing /usr/libexec/hll/pp, a policy module was generated with a > role->bounds larger that the number of roles in the policy. > > This issue has been found while fuzzing hll/pp with the American Fuzzy > Lop. > > This patch was suggested by James Carter <jwcart2@gmail.com> in > https://lore.kernel.org/selinux/CAP+JOzQc3yXczhk5JfUrr+6rFe3AXis+yJAukCFbz=aQotriQQ@mail.gmail.com/T/#mdd4bed0972c7c6f339e28270f73e9b7b09bb359f > > Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> > --- > libsepol/src/policydb.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c > index f5809315cc08..08c4cb18efcf 100644 > --- a/libsepol/src/policydb.c > +++ b/libsepol/src/policydb.c > @@ -1030,6 +1030,8 @@ static int role_index(hashtab_key_t key, hashtab_datum_t datum, void *datap) > return -EINVAL; > if (p->p_role_val_to_name[role->s.value - 1] != NULL) > return -EINVAL; > + if (role->bounds > p->p_roles.nprim) > + return -EINVAL; > p->p_role_val_to_name[role->s.value - 1] = (char *)key; > p->role_val_to_struct[role->s.value - 1] = role; > > @@ -1049,6 +1051,8 @@ static int type_index(hashtab_key_t key, hashtab_datum_t datum, void *datap) > return -EINVAL; > if (p->p_type_val_to_name[typdatum->s.value - 1] != NULL) > return -EINVAL; > + if (typdatum->bounds > p->p_types.nprim) > + return -EINVAL; This is very tricky, but for both of these the bounds value cannot be 0 or >= nprim because the value -1 is used as an index. It has taken me longer than I thought it would, but I am almost ready to send out a patch that should check everything in a policydb_t after it is read in. Maybe by the end of the day, but definitely before the end of the week. Thanks, Jim > p->p_type_val_to_name[typdatum->s.value - 1] = (char *)key; > p->type_val_to_struct[typdatum->s.value - 1] = typdatum; > } > -- > 2.30.0 >
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c index f5809315cc08..08c4cb18efcf 100644 --- a/libsepol/src/policydb.c +++ b/libsepol/src/policydb.c @@ -1030,6 +1030,8 @@ static int role_index(hashtab_key_t key, hashtab_datum_t datum, void *datap) return -EINVAL; if (p->p_role_val_to_name[role->s.value - 1] != NULL) return -EINVAL; + if (role->bounds > p->p_roles.nprim) + return -EINVAL; p->p_role_val_to_name[role->s.value - 1] = (char *)key; p->role_val_to_struct[role->s.value - 1] = role; @@ -1049,6 +1051,8 @@ static int type_index(hashtab_key_t key, hashtab_datum_t datum, void *datap) return -EINVAL; if (p->p_type_val_to_name[typdatum->s.value - 1] != NULL) return -EINVAL; + if (typdatum->bounds > p->p_types.nprim) + return -EINVAL; p->p_type_val_to_name[typdatum->s.value - 1] = (char *)key; p->type_val_to_struct[typdatum->s.value - 1] = typdatum; }
While fuzzing /usr/libexec/hll/pp, a policy module was generated with a role->bounds larger that the number of roles in the policy. This issue has been found while fuzzing hll/pp with the American Fuzzy Lop. This patch was suggested by James Carter <jwcart2@gmail.com> in https://lore.kernel.org/selinux/CAP+JOzQc3yXczhk5JfUrr+6rFe3AXis+yJAukCFbz=aQotriQQ@mail.gmail.com/T/#mdd4bed0972c7c6f339e28270f73e9b7b09bb359f Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> --- libsepol/src/policydb.c | 4 ++++ 1 file changed, 4 insertions(+)