Message ID | 20201003131908.1867282-1-nicolas.iooss@m4x.org (mailing list archive) |
---|---|
State | Accepted |
Headers | show |
Series | [userspace] libsepol/cil: fix signed overflow caused by using (1 << 31) - 1 | expand |
On Sat, Oct 03, 2020 at 03:19:08PM +0200, Nicolas Iooss wrote: > When compiling SELinux userspace tools with -ftrapv (this option > generates traps for signed overflow on addition, subtraction, > multiplication operations, instead of silently wrapping around), > semodule crashes when running the tests from > scripts/ci/fedora-test-runner.sh in a Fedora 32 virtual machine: > > [root@localhost selinux-testsuite]# make test > make -C policy load > make[1]: Entering directory '/root/selinux-testsuite/policy' > # Test for "expand-check = 0" in /etc/selinux/semanage.conf > # General policy build > make[2]: Entering directory '/root/selinux-testsuite/policy/test_policy' > Compiling targeted test_policy module > Creating targeted test_policy.pp policy package > rm tmp/test_policy.mod.fc > make[2]: Leaving directory '/root/selinux-testsuite/policy/test_policy' > # General policy load > domain_fd_use --> off > /usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil test_overlay_defaultrange.cil test_add_levels.cil test_glblub.cil > make[1]: *** [Makefile:174: load] Aborted (core dumped) > > Using "coredumpctl gdb" leads to the following strack trace: > > (gdb) bt > #0 0x00007f608fe4fa25 in raise () from /lib64/libc.so.6 > #1 0x00007f608fe38895 in abort () from /lib64/libc.so.6 > #2 0x00007f6090028aca in __addvsi3.cold () from /lib64/libsepol.so.1 > #3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0) > at ../cil/src/cil_binary.c:1551 > #4 0x00007f60900970dd in __cil_permx_bitmap_to_sepol_xperms_list (xperms=0xb650a30, xperms_list=0x7ffce2653b18) > at ../cil/src/cil_binary.c:1596 > #5 0x00007f6090097286 in __cil_avrulex_ioctl_to_policydb (k=0xb8ec200 "@\023\214\022\006", datum=0xb650a30, > args=0x239a640) at ../cil/src/cil_binary.c:1649 > #6 0x00007f609003f1e5 in hashtab_map (h=0x41f8710, apply=0x7f60900971da <__cil_avrulex_ioctl_to_policydb>, > args=0x239a640) at hashtab.c:234 > #7 0x00007f609009ea19 in cil_binary_create_allocated_pdb (db=0x2394f10, policydb=0x239a640) > at ../cil/src/cil_binary.c:4969 > #8 0x00007f609009d19d in cil_binary_create (db=0x2394f10, policydb=0x7ffce2653d30) at ../cil/src/cil_binary.c:4329 > #9 0x00007f609008ec23 in cil_build_policydb_create_pdb (db=0x2394f10, sepol_db=0x7ffce2653d30) > at ../cil/src/cil.c:631 > #10 0x00007f608fff4bf3 in semanage_direct_commit () from /lib64/libsemanage.so.1 > #11 0x00007f608fff9fae in semanage_commit () from /lib64/libsemanage.so.1 > #12 0x0000000000403e2b in main (argc=7, argv=0x7ffce2655058) at semodule.c:753 > > (gdb) f 3 > #3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0) > at ../cil/src/cil_binary.c:1551 > 1551 xperms->perms[i] |= XPERM_SETBITS(h) - XPERM_SETBITS(low); > > A signed integer overflow therefore occurs in XPERM_SETBITS(h): > > #define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1) > > This macro is expanded with h=31, so "(1 << 31) - 1" is computed: > > * (1 << 31) = -0x80000000 is the lowest signed 32-bit integer value > * (1 << 31) - 1 overflows the capacity of a signed 32-bit integer and > results in 0x7fffffff (which is unsigned) > > Using unsigned integers (with "1U") fixes the crash, as > (1U << 31) = 0x80000000U has no overflowing issues. > > Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> Acked-by: Petr Lautrbach <plautrba@redhat.com> > --- > checkpolicy/policy_define.c | 2 +- > libsepol/cil/src/cil_binary.c | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c > index 395f62284e3c..bf6c3e68bef3 100644 > --- a/checkpolicy/policy_define.c > +++ b/checkpolicy/policy_define.c > @@ -2147,7 +2147,7 @@ out: > /* index of the u32 containing the permission */ > #define XPERM_IDX(x) (x >> 5) > /* set bits 0 through x-1 within the u32 */ > -#define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1) > +#define XPERM_SETBITS(x) ((1U << (x & 0x1f)) - 1) > /* low value for this u32 */ > #define XPERM_LOW(x) (x << 5) > /* high value for this u32 */ > diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c > index 36720eda4549..e417c5c28b8b 100644 > --- a/libsepol/cil/src/cil_binary.c > +++ b/libsepol/cil/src/cil_binary.c > @@ -1526,7 +1526,7 @@ int cil_avrule_to_policydb(policydb_t *pdb, const struct cil_db *db, struct cil_ > /* index of the u32 containing the permission */ > #define XPERM_IDX(x) (x >> 5) > /* set bits 0 through x-1 within the u32 */ > -#define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1) > +#define XPERM_SETBITS(x) ((1U << (x & 0x1f)) - 1) > /* low value for this u32 */ > #define XPERM_LOW(x) (x << 5) > /* high value for this u32 */ > -- > 2.28.0 >
On Wed, Oct 14, 2020 at 08:01:06PM +0200, Petr Lautrbach wrote: > On Sat, Oct 03, 2020 at 03:19:08PM +0200, Nicolas Iooss wrote: > > When compiling SELinux userspace tools with -ftrapv (this option > > generates traps for signed overflow on addition, subtraction, > > multiplication operations, instead of silently wrapping around), > > semodule crashes when running the tests from > > scripts/ci/fedora-test-runner.sh in a Fedora 32 virtual machine: > > > > [root@localhost selinux-testsuite]# make test > > make -C policy load > > make[1]: Entering directory '/root/selinux-testsuite/policy' > > # Test for "expand-check = 0" in /etc/selinux/semanage.conf > > # General policy build > > make[2]: Entering directory '/root/selinux-testsuite/policy/test_policy' > > Compiling targeted test_policy module > > Creating targeted test_policy.pp policy package > > rm tmp/test_policy.mod.fc > > make[2]: Leaving directory '/root/selinux-testsuite/policy/test_policy' > > # General policy load > > domain_fd_use --> off > > /usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil test_overlay_defaultrange.cil test_add_levels.cil test_glblub.cil > > make[1]: *** [Makefile:174: load] Aborted (core dumped) > > > > Using "coredumpctl gdb" leads to the following strack trace: > > > > (gdb) bt > > #0 0x00007f608fe4fa25 in raise () from /lib64/libc.so.6 > > #1 0x00007f608fe38895 in abort () from /lib64/libc.so.6 > > #2 0x00007f6090028aca in __addvsi3.cold () from /lib64/libsepol.so.1 > > #3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0) > > at ../cil/src/cil_binary.c:1551 > > #4 0x00007f60900970dd in __cil_permx_bitmap_to_sepol_xperms_list (xperms=0xb650a30, xperms_list=0x7ffce2653b18) > > at ../cil/src/cil_binary.c:1596 > > #5 0x00007f6090097286 in __cil_avrulex_ioctl_to_policydb (k=0xb8ec200 "@\023\214\022\006", datum=0xb650a30, > > args=0x239a640) at ../cil/src/cil_binary.c:1649 > > #6 0x00007f609003f1e5 in hashtab_map (h=0x41f8710, apply=0x7f60900971da <__cil_avrulex_ioctl_to_policydb>, > > args=0x239a640) at hashtab.c:234 > > #7 0x00007f609009ea19 in cil_binary_create_allocated_pdb (db=0x2394f10, policydb=0x239a640) > > at ../cil/src/cil_binary.c:4969 > > #8 0x00007f609009d19d in cil_binary_create (db=0x2394f10, policydb=0x7ffce2653d30) at ../cil/src/cil_binary.c:4329 > > #9 0x00007f609008ec23 in cil_build_policydb_create_pdb (db=0x2394f10, sepol_db=0x7ffce2653d30) > > at ../cil/src/cil.c:631 > > #10 0x00007f608fff4bf3 in semanage_direct_commit () from /lib64/libsemanage.so.1 > > #11 0x00007f608fff9fae in semanage_commit () from /lib64/libsemanage.so.1 > > #12 0x0000000000403e2b in main (argc=7, argv=0x7ffce2655058) at semodule.c:753 > > > > (gdb) f 3 > > #3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0) > > at ../cil/src/cil_binary.c:1551 > > 1551 xperms->perms[i] |= XPERM_SETBITS(h) - XPERM_SETBITS(low); > > > > A signed integer overflow therefore occurs in XPERM_SETBITS(h): > > > > #define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1) > > > > This macro is expanded with h=31, so "(1 << 31) - 1" is computed: > > > > * (1 << 31) = -0x80000000 is the lowest signed 32-bit integer value > > * (1 << 31) - 1 overflows the capacity of a signed 32-bit integer and > > results in 0x7fffffff (which is unsigned) > > > > Using unsigned integers (with "1U") fixes the crash, as > > (1U << 31) = 0x80000000U has no overflowing issues. > > > > Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> > > Acked-by: Petr Lautrbach <plautrba@redhat.com> Merged, thanks! > > --- > > checkpolicy/policy_define.c | 2 +- > > libsepol/cil/src/cil_binary.c | 2 +- > > 2 files changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c > > index 395f62284e3c..bf6c3e68bef3 100644 > > --- a/checkpolicy/policy_define.c > > +++ b/checkpolicy/policy_define.c > > @@ -2147,7 +2147,7 @@ out: > > /* index of the u32 containing the permission */ > > #define XPERM_IDX(x) (x >> 5) > > /* set bits 0 through x-1 within the u32 */ > > -#define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1) > > +#define XPERM_SETBITS(x) ((1U << (x & 0x1f)) - 1) > > /* low value for this u32 */ > > #define XPERM_LOW(x) (x << 5) > > /* high value for this u32 */ > > diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c > > index 36720eda4549..e417c5c28b8b 100644 > > --- a/libsepol/cil/src/cil_binary.c > > +++ b/libsepol/cil/src/cil_binary.c > > @@ -1526,7 +1526,7 @@ int cil_avrule_to_policydb(policydb_t *pdb, const struct cil_db *db, struct cil_ > > /* index of the u32 containing the permission */ > > #define XPERM_IDX(x) (x >> 5) > > /* set bits 0 through x-1 within the u32 */ > > -#define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1) > > +#define XPERM_SETBITS(x) ((1U << (x & 0x1f)) - 1) > > /* low value for this u32 */ > > #define XPERM_LOW(x) (x << 5) > > /* high value for this u32 */ > > -- > > 2.28.0 > > >
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c index 395f62284e3c..bf6c3e68bef3 100644 --- a/checkpolicy/policy_define.c +++ b/checkpolicy/policy_define.c @@ -2147,7 +2147,7 @@ out: /* index of the u32 containing the permission */ #define XPERM_IDX(x) (x >> 5) /* set bits 0 through x-1 within the u32 */ -#define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1) +#define XPERM_SETBITS(x) ((1U << (x & 0x1f)) - 1) /* low value for this u32 */ #define XPERM_LOW(x) (x << 5) /* high value for this u32 */ diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c index 36720eda4549..e417c5c28b8b 100644 --- a/libsepol/cil/src/cil_binary.c +++ b/libsepol/cil/src/cil_binary.c @@ -1526,7 +1526,7 @@ int cil_avrule_to_policydb(policydb_t *pdb, const struct cil_db *db, struct cil_ /* index of the u32 containing the permission */ #define XPERM_IDX(x) (x >> 5) /* set bits 0 through x-1 within the u32 */ -#define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1) +#define XPERM_SETBITS(x) ((1U << (x & 0x1f)) - 1) /* low value for this u32 */ #define XPERM_LOW(x) (x << 5) /* high value for this u32 */
When compiling SELinux userspace tools with -ftrapv (this option generates traps for signed overflow on addition, subtraction, multiplication operations, instead of silently wrapping around), semodule crashes when running the tests from scripts/ci/fedora-test-runner.sh in a Fedora 32 virtual machine: [root@localhost selinux-testsuite]# make test make -C policy load make[1]: Entering directory '/root/selinux-testsuite/policy' # Test for "expand-check = 0" in /etc/selinux/semanage.conf # General policy build make[2]: Entering directory '/root/selinux-testsuite/policy/test_policy' Compiling targeted test_policy module Creating targeted test_policy.pp policy package rm tmp/test_policy.mod.fc make[2]: Leaving directory '/root/selinux-testsuite/policy/test_policy' # General policy load domain_fd_use --> off /usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil test_overlay_defaultrange.cil test_add_levels.cil test_glblub.cil make[1]: *** [Makefile:174: load] Aborted (core dumped) Using "coredumpctl gdb" leads to the following strack trace: (gdb) bt #0 0x00007f608fe4fa25 in raise () from /lib64/libc.so.6 #1 0x00007f608fe38895 in abort () from /lib64/libc.so.6 #2 0x00007f6090028aca in __addvsi3.cold () from /lib64/libsepol.so.1 #3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0) at ../cil/src/cil_binary.c:1551 #4 0x00007f60900970dd in __cil_permx_bitmap_to_sepol_xperms_list (xperms=0xb650a30, xperms_list=0x7ffce2653b18) at ../cil/src/cil_binary.c:1596 #5 0x00007f6090097286 in __cil_avrulex_ioctl_to_policydb (k=0xb8ec200 "@\023\214\022\006", datum=0xb650a30, args=0x239a640) at ../cil/src/cil_binary.c:1649 #6 0x00007f609003f1e5 in hashtab_map (h=0x41f8710, apply=0x7f60900971da <__cil_avrulex_ioctl_to_policydb>, args=0x239a640) at hashtab.c:234 #7 0x00007f609009ea19 in cil_binary_create_allocated_pdb (db=0x2394f10, policydb=0x239a640) at ../cil/src/cil_binary.c:4969 #8 0x00007f609009d19d in cil_binary_create (db=0x2394f10, policydb=0x7ffce2653d30) at ../cil/src/cil_binary.c:4329 #9 0x00007f609008ec23 in cil_build_policydb_create_pdb (db=0x2394f10, sepol_db=0x7ffce2653d30) at ../cil/src/cil.c:631 #10 0x00007f608fff4bf3 in semanage_direct_commit () from /lib64/libsemanage.so.1 #11 0x00007f608fff9fae in semanage_commit () from /lib64/libsemanage.so.1 #12 0x0000000000403e2b in main (argc=7, argv=0x7ffce2655058) at semodule.c:753 (gdb) f 3 #3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0) at ../cil/src/cil_binary.c:1551 1551 xperms->perms[i] |= XPERM_SETBITS(h) - XPERM_SETBITS(low); A signed integer overflow therefore occurs in XPERM_SETBITS(h): #define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1) This macro is expanded with h=31, so "(1 << 31) - 1" is computed: * (1 << 31) = -0x80000000 is the lowest signed 32-bit integer value * (1 << 31) - 1 overflows the capacity of a signed 32-bit integer and results in 0x7fffffff (which is unsigned) Using unsigned integers (with "1U") fixes the crash, as (1U << 31) = 0x80000000U has no overflowing issues. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> --- checkpolicy/policy_define.c | 2 +- libsepol/cil/src/cil_binary.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)