From patchwork Tue Oct 18 18:58:43 2016
X-Patchwork-Submitter: James Carter
X-Patchwork-Id: 9382801
From: James Carter
To: selinux@tycho.nsa.gov
Subject: [PATCH 2/7] libsepol/cil: Use empty list for category expression evaluated as empty
Date: Tue, 18 Oct 2016 14:58:43 -0400
Message-Id: <1476817128-16108-3-git-send-email-jwcart2@tycho.nsa.gov>
In-Reply-To: <1476817128-16108-1-git-send-email-jwcart2@tycho.nsa.gov>
References: <1476817128-16108-1-git-send-email-jwcart2@tycho.nsa.gov>
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

Nicolas Looss found while fuzzing secilc with AFL that the following
policy will cause a segfault.

(category c0)
(category c1)
(categoryorder (c0 c1))
(sensitivity s0)
(sensitivitycategory s0 (not (all)))

The expression "(not (all))" is evaluated as containing no categories.
There is a check for the resulting empty list and the category datum
expression is set to NULL. The segfault occurs because the datum
expression is assumed to be non-NULL after evaluation.

Assign the list to the datum expression even if it is empty.

Signed-off-by: James Carter --- libsepol/cil/src/cil_post.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c index caf3321..687962e 100644 --- a/libsepol/cil/src/cil_post.c +++ b/libsepol/cil/src/cil_post.c @@ -865,13 +865,7 @@ static int __evaluate_cat_expression(struct cil_cats *cats, struct cil_db *db) ebitmap_destroy(&bitmap); cil_list_destroy(&cats->datum_expr, CIL_FALSE); - if (new->head != NULL) { - cats->datum_expr = new; - } else { - /* empty list */ - cil_list_destroy(&new, CIL_FALSE); - cats->datum_expr = NULL; - } + cats->datum_expr = new; cats->evaluated = CIL_TRUE;
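
Review bot: at the new "cats->datum_expr = new;" line in __evaluate_cat_expression(), an empty result is now stored as a list whose head is NULL instead of as a NULL pointer, so please confirm that no consumer of datum_expr still tests "cats->datum_expr == NULL" to mean "no categories" and that code walking the list tolerates a NULL head. The removed "/* empty list */" comment was the only marker that this case exists; a one-line comment above the assignment saying that new may be empty and is kept deliberately would preserve that. The diffstat touches only cil_post.c, so the five-statement policy from the commit message is worth adding as a regression test for secilc.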