
libsepol: fix invalid read when policy file is corrupt

Message ID 1470674654-13930-1-git-send-email-william.c.roberts@intel.com (mailing list archive)
State Not Applicable

Commit Message

Roberts, William C Aug. 8, 2016, 4:44 p.m. UTC
From: William Roberts <william.c.roberts@intel.com>

AFL found this bug:
==6523== Invalid read of size 8
==6523==    at 0x4166B4: type_set_expand (expand.c:2508)
==6523==    by 0x43A0B8: policydb_role_cache (policydb.c:790)
==6523==    by 0x41CD70: hashtab_map (hashtab.c:235)
==6523==    by 0x43AC9E: policydb_index_others (policydb.c:1103)
==6523==    by 0x441B14: policydb_read (policydb.c:3888)
==6523==    by 0x442A1F: sepol_policydb_read (policydb_public.c:174)
==6523==    by 0x407ED4: init (check_seapp.c:885)
==6523==    by 0x408D97: main (check_seapp.c:1231)

This occurs when the type_val_to_struct[] mapping array
doesn't contain the type indicated in the ebitmap.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libsepol/src/expand.c | 8 ++++++++
 1 file changed, 8 insertions(+)
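A reduced model of the pattern the patch above hardens, added here as an example; it is not libsepol code and not the patch author's, and the struct and function names are stand-ins rather than libsepol's real layout. A policy file supplies two things that must agree: a declared type count (nprim, which sizes the value-to-struct table) and bitmaps of type indices. In a corrupt file a bitmap can name an index the table does not have, so each index taken from the bitmap is checked before it is dereferenced. The example also contrasts the patch's `i > nprim - 1` form with `i >= nprim` when the declared count is zero, and rejects a table slot that was never populated.

```c
/*
 * Added example, not libsepol code: a reduced model of the pattern the patch
 * hardens. Names below are stand-ins for libsepol's type_datum_t,
 * policydb_t and type_val_to_struct, not its real layout.
 */
#include <stdint.h>
#include <stdio.h>

#define TYPE_TYPE   1
#define TYPE_ATTRIB 2

struct type_datum {
    int flavor;          /* TYPE_TYPE or TYPE_ATTRIB */
    uint64_t types;      /* attributes only: bitmap of member type indices */
};

struct policy {
    uint32_t nprim;                    /* number of types the header declared */
    struct type_datum **val_to_struct; /* nprim entries; NULL if never filled */
};

typedef uint64_t bitmap_t;             /* bit i set: type index i is in the set */

/* The patch's test written as a predicate. With nprim == 0 the unsigned
 * subtraction wraps to UINT32_MAX and every index is accepted. */
int index_accepted_patch_form(uint32_t i, uint32_t nprim)
{
    return !(i > nprim - 1);
}

/* Same bound without the subtraction: nprim == 0 rejects every index. */
int index_accepted(uint32_t i, uint32_t nprim)
{
    return i < nprim;
}

/*
 * Expand a type set: attributes contribute their member types, plain types
 * contribute themselves. Returns 0 on success, -1 when the set names an index
 * the policy cannot back (out of range, or a table slot never populated).
 */
int type_set_expand_checked(bitmap_t set, const struct policy *p, bitmap_t *out)
{
    uint32_t i;

    *out = 0;
    for (i = 0; i < 64; i++) {
        if (!(set & (1ULL << i)))
            continue;
        if (!index_accepted(i, p->nprim))
            return -1;                       /* bitmap and header disagree */
        if (p->val_to_struct[i] == NULL)
            return -1;                       /* in range but never filled in */
        if (p->val_to_struct[i]->flavor == TYPE_ATTRIB)
            *out |= p->val_to_struct[i]->types;
        else
            *out |= 1ULL << i;
    }
    return 0;
}

/* Constructed sample policy: index 0 is an attribute holding types 1 and 2. */
static struct type_datum sample_attr = { TYPE_ATTRIB, (1ULL << 1) | (1ULL << 2) };
static struct type_datum sample_t1   = { TYPE_TYPE, 0 };
static struct type_datum sample_t2   = { TYPE_TYPE, 0 };

/*
 * Run the expansion against the sample policy. nprim (at most 3) is the count
 * the header "declared"; drop_last simulates a slot the loader never filled.
 */
int expand_sample(bitmap_t set, uint32_t nprim, int drop_last, bitmap_t *out)
{
    struct type_datum *table[3] = { &sample_attr, &sample_t1, &sample_t2 };
    struct policy p = { nprim, table };

    if (nprim > 3)
        return -2;
    if (drop_last)
        table[2] = NULL;
    return type_set_expand_checked(set, &p, out);
}

int main(void)
{
    bitmap_t out;
    int rc;

    rc = expand_sample(1ULL << 0, 3, 0, &out);
    printf("attribute 0 -> 0x%llx (rc %d)\n", (unsigned long long)out, rc);
    rc = expand_sample(1ULL << 5, 3, 0, &out);
    printf("bit 5 with 3 declared types -> rc %d\n", rc);
    printf("patch form accepts index 7 of 0 types: %d; i < nprim form: %d\n",
           index_accepted_patch_form(7, 0), index_accepted(7, 0));
    return 0;
}
```

The `nprim == 0` case matters for a fuzzer-found corruption like this one: a header claiming no types at all is exactly the kind of input AFL produces, and a check that wraps there silently degrades back to the original out-of-bounds read.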

Comments

James Carter Aug. 9, 2016, 8:23 p.m. UTC | #1
On 08/08/2016 12:44 PM, william.c.roberts@intel.com wrote:
> From: William Roberts <william.c.roberts@intel.com>
>
> AFL found this bug:
> ==6523== Invalid read of size 8
> ==6523==    at 0x4166B4: type_set_expand (expand.c:2508)
> ==6523==    by 0x43A0B8: policydb_role_cache (policydb.c:790)
> ==6523==    by 0x41CD70: hashtab_map (hashtab.c:235)
> ==6523==    by 0x43AC9E: policydb_index_others (policydb.c:1103)
> ==6523==    by 0x441B14: policydb_read (policydb.c:3888)
> ==6523==    by 0x442A1F: sepol_policydb_read (policydb_public.c:174)
> ==6523==    by 0x407ED4: init (check_seapp.c:885)
> ==6523==    by 0x408D97: main (check_seapp.c:1231)
>
> This occurs when the type_val_to_struct[] mapping array
> doesn't contain the type indicated in the ebitmap.
>
> Signed-off-by: William Roberts <william.c.roberts@intel.com>

Applied.

Thanks,
Jim

> ---
>  libsepol/src/expand.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
>
> diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
> index 9cb7965..4d3c623 100644
> --- a/libsepol/src/expand.c
> +++ b/libsepol/src/expand.c
> @@ -2505,6 +2505,14 @@ int type_set_expand(type_set_t * set, ebitmap_t * t, policydb_t * p,
>  		/* First go through the types and OR all the attributes to types */
>  		ebitmap_for_each_bit(&set->types, tnode, i) {
>  			if (ebitmap_node_get_bit(tnode, i)) {
> +
> +				/*
> +				 * invalid policies might have more types set in the ebitmap than
> +				 * what's available in the type_val_to_struct mapping
> +				 */
> +				if (i > p->p_types.nprim - 1)
> +						return -1;
> +
>  				if (p->type_val_to_struct[i]->flavor ==
>  				    TYPE_ATTRIB) {
>  					if (ebitmap_union
>

Patch

diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 9cb7965..4d3c623 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -2505,6 +2505,14 @@  int type_set_expand(type_set_t * set, ebitmap_t * t, policydb_t * p,
 		/* First go through the types and OR all the attributes to types */
 		ebitmap_for_each_bit(&set->types, tnode, i) {
 			if (ebitmap_node_get_bit(tnode, i)) {
+
+				/*
+				 * invalid policies might have more types set in the ebitmap than
+				 * what's available in the type_val_to_struct mapping
+				 */
+				if (i > p->p_types.nprim - 1)
+						return -1;
+
 				if (p->type_val_to_struct[i]->flavor ==
 				    TYPE_ATTRIB) {
 					if (ebitmap_union
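Review bot: The bound `if (i > p->p_types.nprim - 1)` subtracts from a count; if `nprim` is unsigned and a corrupt policy declares zero types, `nprim - 1` wraps and the check accepts every index, leaving the original invalid read reachable. `if (i >= p->p_types.nprim)` expresses the same bound with no subtraction. Two further points on the same hunk: a bare `return -1` from inside the loop skips any cleanup the function's existing error path performs (if the `ebitmap_union` failure just below goes to an error label that frees local bitmaps, this return should take the same label), and an in-range index can still hit a NULL `type_val_to_struct[i]` slot if the loader never filled it for that value, so a `p->type_val_to_struct[i] == NULL` test next to the bound is cheap insurance. Style: `return -1;` is indented two tabs deeper than its `if`.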