From patchwork Thu Sep 29 18:07:51 2016
X-Patchwork-Submitter: James Carter
X-Patchwork-Id: 9356867
From: James Carter
To: selinux@tycho.nsa.gov
Subject: [PATCH] libsepol/cil: Check for too many permissions in classes and commons
Date: Thu, 29 Sep 2016 14:07:51 -0400
Message-Id: <1475172471-25069-1-git-send-email-jwcart2@tycho.nsa.gov>
X-Mailer: git-send-email 2.7.4
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

Fixes bug found by Nicolas Iooss as described below in the way suggested by Steve Lawrence.

Nicolas reported:

When compiling a CIL policy with more than 32 items in a class (e.g. in (class capability (chown ...)) with many items), cil_classorder_to_policydb() overflows perm_value_to_cil[class_index] array. As this array is allocated on the heap through calloc(PERMS_PER_CLASS+1, sizeof(...)), this makes secilc crash with the following message:

*** Error in `/usr/bin/secilc': double free or corruption (!prev): 0x000000000062be80 ***
======= Backtrace: =========
/usr/lib/libc.so.6(+0x70c4b)[0x7ffff76a7c4b]
/usr/lib/libc.so.6(+0x76fe6)[0x7ffff76adfe6]
/usr/lib/libc.so.6(+0x777de)[0x7ffff76ae7de]
/lib/libsepol.so.1(+0x14fbda)[0x7ffff7b24bda]
/lib/libsepol.so.1(+0x152db8)[0x7ffff7b27db8]
/lib/libsepol.so.1(cil_build_policydb+0x63)[0x7ffff7af8723]
/usr/bin/secilc[0x40273b]
/usr/lib/libc.so.6(__libc_start_main+0xf1)[0x7ffff7657291]
/usr/bin/secilc[0x402f7a]

This bug has been found by fuzzing secilc with american fuzzy lop.

Signed-off-by: James Carter
---
 libsepol/cil/src/cil_build_ast.c   | 9 +++++++++
 libsepol/cil/src/cil_internal.h    | 2 ++
 libsepol/cil/src/cil_resolve_ast.c | 6 ++++++
 3 files changed, 17 insertions(+)

diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index 1505873..a96c2a9 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -377,6 +377,11 @@ int cil_gen_class(struct cil_db *db, struct cil_tree_node *parse_current, struct if (rc != SEPOL_OK) { goto exit; } + if (class->num_perms > CIL_PERMS_PER_CLASS) { + cil_tree_log(parse_current, CIL_ERR, "Too many permissions in class '%s'", class->datum.name); + goto exit; + } + } return SEPOL_OK; @@ -939,6 +944,10 @@ int cil_gen_common(struct cil_db *db, struct cil_tree_node *parse_current, struc if (rc != SEPOL_OK) { goto exit; } + if (common->num_perms > CIL_PERMS_PER_CLASS) { + cil_tree_log(parse_current, CIL_ERR, "Too many permissions in common '%s'", common->datum.name); + goto exit; + } return SEPOL_OK; diff --git a/libsepol/cil/src/cil_internal.h b/libsepol/cil/src/cil_internal.h index 5875dc9..03672bb 100644 --- a/libsepol/cil/src/cil_internal.h +++ b/libsepol/cil/src/cil_internal.h @@ -37,6 +37,7 @@ #include #include +#include #include @@ -270,6 +271,7 @@ enum cil_sym_array { extern int cil_sym_sizes[CIL_SYM_ARRAY_NUM][CIL_SYM_NUM]; #define CIL_CLASS_SYM_SIZE 256 +#define CIL_PERMS_PER_CLASS (sizeof(sepol_access_vector_t) * 8) struct cil_db { struct cil_tree *parse; diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c index 8348d57..917adf8 100644 --- a/libsepol/cil/src/cil_resolve_ast.c +++ b/libsepol/cil/src/cil_resolve_ast.c @@ -717,6 +717,10 @@ int cil_resolve_classcommon(struct cil_tree_node *current, void *extra_args) cil_symtab_map(&class->perms, __class_update_perm_values, &common->num_perms); class->num_perms += common->num_perms; + if (class->num_perms > CIL_PERMS_PER_CLASS) { + cil_tree_log(current, CIL_ERR, "Too many permissions in class '%s' when including common permissions", class->datum.name); + goto exit; + } return SEPOL_OK; @@ -1447,6 +1451,7 @@ int cil_resolve_classorder(struct cil_tree_node *current, void *extra_args) return SEPOL_OK; exit: + cil_list_destroy(&new, CIL_FALSE); return rc; } 
@@ -3919,6 +3924,7 @@ exit: __cil_ordered_lists_destroy(&extra_args.catorder_lists); __cil_ordered_lists_destroy(&extra_args.sensitivityorder_lists); cil_list_destroy(&extra_args.in_list, CIL_FALSE); + cil_list_destroy(&extra_args.unordered_classorder_lists, CIL_FALSE); return rc; }
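Review bot: In the cil_gen_class hunk, the new `goto exit;` is reached with rc still equal to SEPOL_OK, because the line just above it (`if (rc != SEPOL_OK) { goto exit; }`) only jumps when rc already holds an error; so after cil_tree_log reports "Too many permissions in class", the function leaves through the error label yet returns success to its caller. Insert `rc = SEPOL_ERR;` before the `goto exit;` so the oversized class is actually rejected.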
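Review bot: The cil_gen_common hunk has the same problem: the preceding `if (rc != SEPOL_OK) { goto exit; }` guarantees rc is SEPOL_OK when the new check fires, and the added lines log and jump to exit without changing it, so a common with too many permissions is reported but not refused. Add `rc = SEPOL_ERR;` before the `goto exit;` here as well.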
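Review bot: The CIL_PERMS_PER_CLASS definition in the cil_internal.h hunk introduces a second constant for a limit the commit message attributes to PERMS_PER_CLASS (the calloc(PERMS_PER_CLASS+1, ...) that overflowed), so the new check and the array it protects are sized by two independent definitions that can drift apart; define one in terms of the other or add a compile-time assertion that they agree. `sizeof(sepol_access_vector_t) * 8` also hard-codes 8-bit bytes where CHAR_BIT from <limits.h> states the intent.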
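Review bot: The cil_resolve_classcommon hunk repeats the gap from the cil_build_ast.c hunks: the new error path logs and jumps to exit without assigning rc, and nothing in the visible context (the cil_symtab_map call and the num_perms addition) sets rc to an error, so the function most likely returns the last successful rc. Add `rc = SEPOL_ERR;` before `goto exit;`. Naming the common in the message alongside the class would also help the policy author, since this overflow only appears once the common's permissions are merged in.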
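Review bot: The `cil_list_destroy(&new, CIL_FALSE);` added under the exit label of cil_resolve_classorder is an error-path leak fix unrelated to the permission limit, and the commit message does not mention it; describe it there or split it into its own patch. Also confirm that `new` is initialised (for example to NULL) before every `goto exit` that can reach this label, otherwise the destroy runs on an indeterminate pointer.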
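Review bot: The `cil_list_destroy(&extra_args.unordered_classorder_lists, CIL_FALSE);` in the last hunk is another cleanup the commit message does not describe; it mirrors the existing in_list line, which is fine, but either state in the message that these two list leaks are fixed as well or send them as a separate patch so the bounds fix stays reviewable on its own.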
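The overflow the report describes, as an added illustration that is not code from the patch or from libsepol: a perm_value_to_cil-style table of PERMS_PER_CLASS+1 slots indexed by 1-based permission value, the count check the patch introduces, and why the limit equals the bit width of the access vector. The type, struct and function names are assumptions, and sepol_access_vector_t is modelled as uint32_t.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t access_vector_t;   /* assumed stand-in for sepol_access_vector_t */
/* Same derivation as the patch's CIL_PERMS_PER_CLASS: one bit per perm, 32 here. */
#define PERMS_PER_CLASS (sizeof(access_vector_t) * 8)

/* perm_value_to_cil-style table: slot v names the perm with 1-based value v,
   hence PERMS_PER_CLASS + 1 slots, as in the calloc the commit message cites. */
struct perm_table {
    const char *name[PERMS_PER_CLASS + 1];
    size_t num_perms;
};

/* The guard the patch adds at AST-build time: 0 if the count fits, else -1. */
int check_num_perms(size_t num_perms) { return num_perms > PERMS_PER_CLASS ? -1 : 0; }

/* Bit for perm value v in the access vector; a value above PERMS_PER_CLASS has
   no bit to occupy, which is the reason the count is capped. 0 if out of range. */
access_vector_t perm_bit(unsigned v) { return (v >= 1 && v <= PERMS_PER_CLASS) ? (access_vector_t)1 << (v - 1) : 0; }

/* Fill the table the way the policydb conversion does, but guarded. Without the
   guard a 33rd perm is stored at name[33], one slot past the end of the array. */
int build_perm_table(struct perm_table *t, const char *const *names, size_t n)
{
    memset(t, 0, sizeof(*t));
    if (check_num_perms(n) != 0)
        return -1;                      /* "Too many permissions in class" */
    for (size_t i = 0; i < n; i++)
        t->name[i + 1] = names[i];      /* value i+1 -> name */
    t->num_perms = n;
    return 0;
}

/* Constructed sample class with n perms named p1..pn (n <= 40); returns the
   build result so the 32-versus-33 boundary can be exercised. */
int demo_class(size_t n, struct perm_table *t)
{
    static char buf[40][8];
    const char *names[40];
    if (n > 40) return -1;
    for (size_t i = 0; i < n; i++) {
        snprintf(buf[i], sizeof buf[i], "p%zu", i + 1);
        names[i] = buf[i];
    }
    return build_perm_table(t, names, n);
}
```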