From patchwork Tue Oct 18 18:58:46 2016
X-Patchwork-Submitter: James Carter
X-Patchwork-Id: 9382803
From: James Carter
To: selinux@tycho.nsa.gov
Subject: [PATCH 5/7] libsepol/cil: Check that permission is not an empty list
Date: Tue, 18 Oct 2016 14:58:46 -0400
Message-Id: <1476817128-16108-6-git-send-email-jwcart2@tycho.nsa.gov>
In-Reply-To: <1476817128-16108-1-git-send-email-jwcart2@tycho.nsa.gov>
References: <1476817128-16108-1-git-send-email-jwcart2@tycho.nsa.gov>

Nicolas Looss found while fuzzing secilc with AFL that the statement "(class C (()))" will cause a segfault.

CIL expects a list of permissions in the class declaration and "(())" is a valid list. Each item of the list is expected to be an identifier and as the list is processed each item is checked to see if it is a list. An error is given if it is a list, otherwise the item is assumed to be an identifier. Unfortunately, the check only works if the list is not empty. In this case, the item passes the check and is assumed to be an identifier and a NULL is passed as the string for name verification. If name verification assumes that a non-NULL value will be passed in, a segfault will occur.

Add a check for an empty list when processing a permission list and improve the error handling for permissions when building the AST.

Signed-off-by: James Carter
--- libsepol/cil/src/cil_build_ast.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c index ee283b5..e4a0539 100644 --- a/libsepol/cil/src/cil_build_ast.c +++ b/libsepol/cil/src/cil_build_ast.c 
@@ -482,6 +482,10 @@ int cil_gen_perm(struct cil_db *db, struct cil_tree_node *parse_current, struct cil_perm_init(&perm); key = parse_current->data; + if (key == NULL) { + cil_log(CIL_ERR, "Bad permission\n"); + goto exit; + } rc = cil_gen_node(db, ast_node, (struct cil_symtab_datum*)perm, (hashtab_key_t)key, CIL_SYM_PERMS, flavor); if (rc != SEPOL_OK) { @@ -529,6 +533,7 @@ int cil_gen_perm_nodes(struct cil_db *db, struct cil_tree_node *current_perm, st rc = cil_gen_perm(db, current_perm, new_ast, flavor, num_perms); if (rc != SEPOL_OK) { + cil_tree_node_destroy(&new_ast); goto exit; } @@ -546,6 +551,8 @@ int cil_gen_perm_nodes(struct cil_db *db, struct cil_tree_node *current_perm, st exit: cil_log(CIL_ERR, "Bad permissions\n"); + cil_tree_children_destroy(ast_node); + cil_clear_node(ast_node); return rc; }
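
Review bot: In the first hunk (cil_gen_perm, @@ -482,6 +482,10), the new `key == NULL` branch does `goto exit` without assigning rc, so the value returned depends on how rc was set in lines outside the hunk. Set `rc = SEPOL_ERR;` in the branch, or confirm rc is initialised to an error code before this point. The check also runs after `cil_perm_init(&perm)`; either confirm the exit path releases perm, or test `parse_current->data` before the init so there is nothing to unwind. A regression test feeding the "(class C (()))" statement from the commit message would keep this path covered.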
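
Review bot: In the second hunk (cil_gen_perm_nodes, @@ -529,6 +533,7), `cil_tree_node_destroy(&new_ast)` is only safe if new_ast has not yet been linked under ast_node, because the exit label now also calls `cil_tree_children_destroy(ast_node)` and a linked node would be freed twice. The linking code is not in the visible context; if it does come after this call, a one-line comment saying so would stop a later reordering from introducing a double free. It is also worth confirming that the failure path of cil_gen_perm leaves new_ast in a state cil_tree_node_destroy can handle, with its data cleared rather than dangling.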
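
Review bot: At the exit label in the third hunk (@@ -546,6 +551,8), `cil_clear_node(ast_node)` resets a node that this function appears to receive from its caller, so the callers' own error paths need checking. If they also destroy the node's data and clear it after a failure here, decide which side owns that cleanup and say so in a comment on the function. The label also logs "Bad permissions" on top of the new "Bad permission" from cil_gen_perm, so one malformed input produces two near-identical errors; making the inner message specific (for example, that an empty list was found) would help whoever reads the log.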
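
The failure mode described in the commit message, as an added example that is not part of the patch or of libsepol: a simplified model in which `struct node`, `verify_name`, `check_perms` and `outcome` are hypothetical names, showing why an "is it a list?" test lets an empty list through to name verification and how an explicit NULL check stops it.

```c
#include <stddef.h>
#include <string.h>

/* Simplified, hypothetical parse node (not libsepol's struct): an identifier has
 * data and no children; a list has children; an EMPTY list "()" has neither. */
struct node {
    const char *data;
    const struct node *children;
    const struct node *next;
};
enum { OK = 0, ERR = -1 };

/* Stand-in for name verification: records a NULL argument instead of
 * dereferencing it, which is where a verifier assuming non-NULL would crash. */
static int verify_name(const char *name, int *saw_null)
{
    if (name == NULL) { *saw_null = 1; return ERR; }
    return strlen(name) > 0 ? OK : ERR;
}

/* check_null == 0: walk as the commit message describes it before the patch.
 * check_null != 0: an item with no identifier is rejected before verification. */
int check_perms(const struct node *perm, int check_null, int *saw_null)
{
    for (; perm != NULL; perm = perm->next) {
        if (perm->children != NULL) return ERR;            /* non-empty list */
        if (check_null && perm->data == NULL) return ERR;  /* empty list */
        if (verify_name(perm->data, saw_null) != OK) return ERR;
    }
    return OK;
}

/* Constructed inputs: "(class C (()))" and "(class C (read write))". */
static const struct node empty_item = { NULL, NULL, NULL };
static const struct node write_item = { "write", NULL, NULL };
static const struct node read_item = { "read", NULL, &write_item };

/* 0 = accepted, 1 = rejected cleanly, 2 = a NULL name reached verify_name(). */
int outcome(const struct node *list, int check_null)
{
    int saw_null = 0;
    int rc = check_perms(list, check_null, &saw_null);
    return saw_null ? 2 : (rc == OK ? 0 : 1);
}

int main(void)
{
    return !(outcome(&empty_item, 0) == 2 && outcome(&read_item, 1) == 0);
}
```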