From patchwork Tue Oct 18 18:58:45 2016
X-Patchwork-Submitter: James Carter
X-Patchwork-Id: 9382797
From: James Carter
To: selinux@tycho.nsa.gov
Subject: [PATCH 4/7] libsepol/cil: Check if identifier is NULL when verifying name
Date: Tue, 18 Oct 2016 14:58:45 -0400
Message-Id: <1476817128-16108-5-git-send-email-jwcart2@tycho.nsa.gov>
In-Reply-To: <1476817128-16108-1-git-send-email-jwcart2@tycho.nsa.gov>
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

Nicolas Looss found while fuzzing secilc with AFL that the statement
"(class C (()))" will cause a segfault.

When CIL checks the syntax of the class statement it sees "(())" as a
valid permission list, but since "()" is not an identifier a NULL is
passed as the string for name verification. A segfault occurs because
name verification assumes that the string being checked is non-NULL.

Check if identifier is NULL when verifying name.

Signed-off-by: James Carter
---
 libsepol/cil/src/cil_verify.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c index 038f77a..47dcfaa 100644 --- a/libsepol/cil/src/cil_verify.c +++ b/libsepol/cil/src/cil_verify.c @@ -50,9 +50,15 @@ int __cil_verify_name(const char *name) { int rc = SEPOL_ERR; - int len = strlen(name); + int len; int i = 0; + if (name == NULL) { + cil_log(CIL_ERR, "Name is NULL\n"); + goto exit; + } + + len = strlen(name); if (len >= CIL_MAX_NAME_LENGTH) { cil_log(CIL_ERR, "Name length greater than max name length of %d", CIL_MAX_NAME_LENGTH);
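
Review bot: The error logged in the new `name == NULL` branch of `__cil_verify_name`, "Name is NULL", gives a policy author no indication of what was wrong in the source; the commit message identifies the trigger as an empty list "()" appearing where an identifier is expected, so a message worded in those terms would be more useful. The new string also ends in "\n" while the "Name length greater than max name length of %d" message visible in the context just below does not, so the two `cil_log` calls in this function are inconsistent about newline termination and one of them should be aligned with the other. A short comment above the check noting that a NULL name can reach this function from a syntactically accepted list would document why the guard exists.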