From patchwork Wed Dec 30 10:07:45 2020
X-Patchwork-Submitter: Nicolas Iooss
X-Patchwork-Id: 11993083
From: Nicolas Iooss
To: selinux@vger.kernel.org
Subject: [PATCH 5/6] libsepol/cil: fix out-of-bound read in cil_print_recursive_blockinherit
Date: Wed, 30 Dec 2020 11:07:45 +0100
Message-Id: <20201230100746.2549568-5-nicolas.iooss@m4x.org>
X-Mailer: git-send-email 2.29.2
In-Reply-To: <20201230100746.2549568-1-nicolas.iooss@m4x.org>
References: <20201230100746.2549568-1-nicolas.iooss@m4x.org>
MIME-Version: 1.0
X-AV-Checked: ClamAV using ClamSMTP at svoboda.polytechnique.org (Wed Dec 30 11:07:59 2020 +0100 (CET))
X-Org-Mail: nicolas.iooss.2010@polytechnique.org
Precedence: bulk
List-ID:
X-Mailing-List: selinux@vger.kernel.org

OSS-Fuzz found a heap buffer overflow (out-of-bound reads) when the CIL
compiler tries to report a recursive blockinherit with an optional block:

    $ echo '(block b (optional o (blockinherit b)))' > tmp.cil
    $ secilc tmp.cil
    Segmentation fault (core dumped)

This is because cil_print_recursive_blockinherit() assumes that all nodes
are either CIL_BLOCK or CIL_BLOCKINHERIT. Add support for other block
kinds, using cil_node_to_string() to show them.

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28462
Signed-off-by: Nicolas Iooss
Acked-by: James Carter
---
 libsepol/cil/src/cil_resolve_ast.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index f6deb1002fbd..ecd05dfa5dab 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -2343,11 +2343,13 @@ void cil_print_recursive_blockinherit(struct cil_tree_node *bi_node, struct cil_ for (curr = bi_node; curr != terminating_node; curr = curr->parent) { if (curr->flavor == CIL_BLOCK) { cil_list_prepend(trace, CIL_NODE, curr); - } else { + } else if (curr->flavor == CIL_BLOCKINHERIT) { if (curr != bi_node) { cil_list_prepend(trace, CIL_NODE, NODE(((struct cil_blockinherit *)curr->data)->block)); } cil_list_prepend(trace, CIL_NODE, curr); + } else { + cil_list_prepend(trace, CIL_NODE, curr); } } cil_list_prepend(trace, CIL_NODE, terminating_node); @@ -2356,8 +2358,12 @@ void cil_print_recursive_blockinherit(struct cil_tree_node *bi_node, struct cil_ curr = item->data; if (curr->flavor == CIL_BLOCK) { cil_tree_log(curr, CIL_ERR, "block %s", DATUM(curr->data)->name); - } else { + } else if (curr->flavor == CIL_BLOCKINHERIT) { cil_tree_log(curr, CIL_ERR, "blockinherit %s", ((struct cil_blockinherit *)curr->data)->block_str); + } else if (curr->flavor == CIL_OPTIONAL) { + cil_tree_log(curr, CIL_ERR, "optional %s", DATUM(curr->data)->name); + } else { + cil_tree_log(curr, CIL_ERR, "%s", cil_node_to_string(curr)); } }
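Review bot: in the trace-building loop (the first hunk, @@ -2343) all three branches now end with the same cil_list_prepend(trace, CIL_NODE, curr); the only flavor-specific step left is prepending the inherited block for a CIL_BLOCKINHERIT that is not bi_node. Hoisting the common prepend out of the if/else chain would make both the intent and the new guard in front of the (struct cil_blockinherit *)curr->data cast easier to see, for example: if (curr->flavor == CIL_BLOCKINHERIT && curr != bi_node) { cil_list_prepend(trace, CIL_NODE, NODE(((struct cil_blockinherit *)curr->data)->block)); } followed by the unconditional cil_list_prepend(trace, CIL_NODE, curr);. Worth stating in the commit message or a comment that the old else branch applied that cast to whatever flavor sat between the blockinherit and its block, which for the CIL_OPTIONAL node in the reproducer is the out-of-bound read the fuzzer hit.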
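Review bot: in the reporting loop (the second hunk, @@ -2356) the final else prints only cil_node_to_string(curr), i.e. the node kind without its name, while the CIL_BLOCK and CIL_OPTIONAL cases print DATUM(curr->data)->name. If CIL_BLOCK, CIL_BLOCKINHERIT and CIL_OPTIONAL are the only flavors that can occur on the path from a blockinherit up to its block, a one-line comment saying so would document that the fallback is defensive rather than an expected path; if other named containers can appear there, consider printing their name as well so the recursion trace stays readable. In either case this dispatch and the one in the loop above now accept different sets of flavors (the loop accepts anything), so the two should be kept in sync deliberately rather than by accident.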
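The trace-building and reporting logic that the patch arrives at, as an added worked example that is not libsepol's code and not part of the original e-mail. It uses a hypothetical, much simplified CIL-like tree: the enum and struct names (flavor, node, block, optional, blockinherit), the constants FL_* and TRACE_MAX, and the helpers render_node(), build_trace(), report_recursion() and reproducer_report() are this example's own and do not exist in libsepol. The input is a constructed tree mirroring the commit message's reproducer, (block b (optional o (blockinherit b))), where the blockinherit's target is its own ancestor. The point it demonstrates is the one the fix makes: dispatch on the node's flavor before casting its data pointer, and give every flavor a rendering, so that a CIL_OPTIONAL node on the path is reported instead of being read through the wrong struct.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-in for a CIL tree (not libsepol's real structs). */
enum flavor { FL_ROOT, FL_BLOCK, FL_OPTIONAL, FL_BLOCKINHERIT };

struct node {
	enum flavor flavor;
	void *data;            /* points at the struct matching 'flavor' */
	struct node *parent;
};

struct block        { const char *name; };
struct optional     { const char *name; };
struct blockinherit { const char *block_str; struct node *block; }; /* resolved target */

static const char *flavor_to_string(enum flavor f)
{
	switch (f) {
	case FL_BLOCK:        return "block";
	case FL_OPTIONAL:     return "optional";
	case FL_BLOCKINHERIT: return "blockinherit";
	default:              return "root";
	}
}

/* Render one node: check the flavor first, then cast. Casting 'data' without
 * this check is how an optional's struct can be read as a blockinherit. */
static int render_node(const struct node *n, char *out, size_t len)
{
	switch (n->flavor) {
	case FL_BLOCK:
		return snprintf(out, len, "block %s", ((const struct block *)n->data)->name);
	case FL_OPTIONAL:
		return snprintf(out, len, "optional %s", ((const struct optional *)n->data)->name);
	case FL_BLOCKINHERIT:
		return snprintf(out, len, "blockinherit %s",
				((const struct blockinherit *)n->data)->block_str);
	default:
		return snprintf(out, len, "%s", flavor_to_string(n->flavor));
	}
}

#define TRACE_MAX 16

/* Walk from bi_node up to terminating_node and collect the path outermost-first
 * (the order a prepend-as-you-walk loop produces). A blockinherit other than the
 * starting one also contributes the block it inherits, listed after it.
 * Returns the number of entries, or 0 if the walk never reaches terminating_node
 * or the trace would not fit. */
static size_t build_trace(struct node *bi_node, struct node *terminating_node,
			  const struct node *trace[TRACE_MAX])
{
	const struct node *tmp[TRACE_MAX];
	size_t n = 0, i;
	struct node *curr;

	for (curr = bi_node; curr != terminating_node; curr = curr->parent) {
		if (curr == NULL || n + 2 > TRACE_MAX)
			return 0;
		if (curr->flavor == FL_BLOCKINHERIT && curr != bi_node)
			tmp[n++] = ((struct blockinherit *)curr->data)->block;
		tmp[n++] = curr;
	}
	if (n + 1 > TRACE_MAX)
		return 0;
	tmp[n++] = terminating_node;
	for (i = 0; i < n; i++)      /* reverse: append order is the reverse of prepend order */
		trace[i] = tmp[n - 1 - i];
	return n;
}

/* Join the rendered trace into one newline-separated report in 'out'.
 * Returns the entry count, or 0 if the report does not fit. */
size_t report_recursion(struct node *bi_node, struct node *terminating_node,
			char *out, size_t len)
{
	const struct node *trace[TRACE_MAX];
	size_t n = build_trace(bi_node, terminating_node, trace), i, used = 0;

	if (n == 0 || len == 0)
		return 0;
	out[0] = '\0';
	for (i = 0; i < n; i++) {
		int w;
		if (i > 0) {
			if (used + 1 >= len)
				return 0;
			out[used++] = '\n';
		}
		w = render_node(trace[i], out + used, len - used);
		if (w < 0 || (size_t)w >= len - used)
			return 0;
		used += (size_t)w;
	}
	return n;
}

/* Constructed input mirroring the reproducer in the commit message:
 * (block b (optional o (blockinherit b))). The blockinherit's target 'b' is
 * its own ancestor, so 'b' is the terminating node of the recursion. */
size_t reproducer_report(char *out, size_t len)
{
	struct node root = { FL_ROOT, NULL, NULL };
	struct block b_data = { "b" };
	struct node b = { FL_BLOCK, &b_data, &root };
	struct optional o_data = { "o" };
	struct node o = { FL_OPTIONAL, &o_data, &b };
	struct blockinherit bi_data = { "b", &b };
	struct node bi = { FL_BLOCKINHERIT, &bi_data, &o };

	return report_recursion(&bi, &b, out, len);
}

int main(void)
{
	char buf[256];
	size_t n = reproducer_report(buf, sizeof buf);

	printf("recursive blockinherit (%zu nodes on the path):\n%s\n", n, buf);
	return n == 3 ? 0 : 1;
}
```

For the reproducer the report lists the three nodes on the path, block b, optional o and blockinherit b, one per line; the optional is reported by name rather than being cast to a blockinherit. build_trace() also guards against a terminating node that is not actually an ancestor (the real code relies on its caller having found one) and against a path longer than TRACE_MAX, both of which the original loop does not need to consider.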