diff mbox series

libsepol: validate common classes have at least one permissions

Message ID 20231113192632.22509-1-cgzones@googlemail.com (mailing list archive)
State Accepted
Commit 4f6a3abc4f68
Delegated to: Petr Lautrbach
Headers show
Series libsepol: validate common classes have at least one permissions | expand

Commit Message

Christian Göttsche Nov. 13, 2023, 7:26 p.m. UTC 
The traditional language and CIL permit common classes only to be
defined with at least one permission.  Thus writing a common class
without one will fail.

Reported-by: oss-fuzz (issue 64059)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsepol/src/policydb_validate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

James Carter Nov. 14, 2023, 8:40 p.m. UTC | #1 
On Mon, Nov 13, 2023 at 2:26 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> The traditional language and CIL permit common classes only to be
> defined with at least one permission.  Thus writing a common class
> without one will fail.
>
> Reported-by: oss-fuzz (issue 64059)
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

Acked-by: James Carter <jwcart2@gmail.com>

> ---
>  libsepol/src/policydb_validate.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
> index 016ab655..1121c8bb 100644
> --- a/libsepol/src/policydb_validate.c
> +++ b/libsepol/src/policydb_validate.c
> @@ -369,7 +369,7 @@ static int validate_common_datum(sepol_handle_t *handle, const common_datum_t *c
>  {
>         if (validate_value(common->s.value, &flavors[SYM_COMMONS]))
>                 goto bad;
> -       if (common->permissions.nprim > PERM_SYMTAB_SIZE)
> +       if (common->permissions.table->nel == 0 || common->permissions.nprim > PERM_SYMTAB_SIZE)
>                 goto bad;
>
>         return 0;
> --
> 2.42.0
>
James Carter Nov. 16, 2023, 2:57 p.m. UTC | #2 
On Tue, Nov 14, 2023 at 3:40 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Mon, Nov 13, 2023 at 2:26 PM Christian Göttsche
> <cgzones@googlemail.com> wrote:
> >
> > The traditional language and CIL permit common classes only to be
> > defined with at least one permission.  Thus writing a common class
> > without one will fail.
> >
> > Reported-by: oss-fuzz (issue 64059)
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>
> Acked-by: James Carter <jwcart2@gmail.com>
>

This patch has been merged.
Thanks,
Jim

> > ---
> >  libsepol/src/policydb_validate.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
> > index 016ab655..1121c8bb 100644
> > --- a/libsepol/src/policydb_validate.c
> > +++ b/libsepol/src/policydb_validate.c
> > @@ -369,7 +369,7 @@ static int validate_common_datum(sepol_handle_t *handle, const common_datum_t *c
> >  {
> >         if (validate_value(common->s.value, &flavors[SYM_COMMONS]))
> >                 goto bad;
> > -       if (common->permissions.nprim > PERM_SYMTAB_SIZE)
> > +       if (common->permissions.table->nel == 0 || common->permissions.nprim > PERM_SYMTAB_SIZE)
> >                 goto bad;
> >
> >         return 0;
> > --
> > 2.42.0
> >
diff mbox series

Patch

diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index 016ab655..1121c8bb 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -369,7 +369,7 @@  static int validate_common_datum(sepol_handle_t *handle, const common_datum_t *c
 {
 	if (validate_value(common->s.value, &flavors[SYM_COMMONS]))
 		goto bad;
-	if (common->permissions.nprim > PERM_SYMTAB_SIZE)
+	if (common->permissions.table->nel == 0 || common->permissions.nprim > PERM_SYMTAB_SIZE)
 		goto bad;
 
 	return 0;