| Message ID | 20211008144921.377072-1-jwcart2@gmail.com (mailing list archive) |
|---|---|
| State | Changes Requested |
| Headers | show |
| Series | libsepol/cil: Fix potential undefined shifts | expand |
On Fri, 8 Oct 2021 at 16:49, James Carter <jwcart2@gmail.com> wrote: > > The maximum number of permissions in a class is 32. This is so that > each permission can be represented by a bit in a uint32_t. In two > places while building the binary policy from CIL an expression of the > form "1 << x" is used to set the permission bit. Unfortunately, this > expression is undefined if x == 31 because the 1 is an int and cannot > be left shifted by 31. > > Instead, use 1U << x, because an unsigned can be shifted 31. > > This bug was found by the secilc-fuzzer. > > Signed-off-by: James Carter <jwcart2@gmail.com> > --- > libsepol/cil/src/cil_binary.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c > index ec5f01e5..90af430d 100644 > --- a/libsepol/cil/src/cil_binary.c > +++ b/libsepol/cil/src/cil_binary.c > @@ -1225,7 +1225,7 @@ int __perm_str_to_datum(char *perm_str, class_datum_t *sepol_class, uint32_t *da > goto exit; > } > } > - *datum |= 1 << (sepol_perm->s.value - 1); > + *datum |= 1U << (sepol_perm->s.value - 1); > > return SEPOL_OK; > > @@ -4760,7 +4760,7 @@ static struct cil_list *cil_classperms_from_sepol(policydb_t *pdb, uint16_t clas > cil_list_init(&cp->perms, CIL_PERM); > for (i = 0; i < sepol_class->permissions.nprim; i++) { > struct cil_perm *perm; > - if ((data & (1 << i)) == 0) continue; > + if ((data & (1U << i)) == 0) continue; > perm = perm_value_to_cil[class][i+1]; > if (!perm) goto exit; > cil_list_append(cp->perms, CIL_PERM, perm); > -- > 2.31.1 > There might be more instances (not in libsepol/cil though), as a simple `grep -REi "1\s*<<"` shows (false positives removed by hand): libselinux/src/stringrep.c: return map_perm(tclass, 1<<i); libselinux/src/stringrep.c: if ((1<<i) & av) libselinux/src/stringrep.c: str = security_av_perm_to_string(tclass, av & (1<<i)); libselinux/src/stringrep.c: str = security_av_perm_to_string(tclass, av & (1<<i)); libselinux/src/mapping.c: if (tperm & (1<<i)) { libselinux/src/mapping.c: tperm &= ~(1<<i); libselinux/src/mapping.c: tperm |= 1<<i; libselinux/src/mapping.c: result |= 1<<i; libselinux/src/mapping.c: result |= 1<<i; libselinux/src/mapping.c: result |= 1<<i; libselinux/src/mapping.c: result |= 1<<i; libselinux/src/mapping.c: result |= 1<<i; libselinux/src/mapping.c: result |= 1<<i; libselinux/src/mapping.c: result |= 1<<i; libselinux/src/mapping.c: result |= 1<<i; mcstrans/src/mcscolor.c: mask |= (1 << i); mcstrans/src/mcscolor.c: if (!(mask & (1 << i))) python/audit2allow/sepolgen-ifgen-attr-helper.c: if (av & (1 << i)) { checkpolicy/policy_define.c: node->permissions |= (1 << (perdatum->s.value - 1)); checkpolicy/checkpolicy.c: if (avd.allowed & (1 << (i - 1))) { libsepol/src/conditional.c: (test & (0x1 << j)) ? 1 : 0; libsepol/src/conditional.c: cn->expr_pre_comp |= 0x1 << test; libsepol/src/services.c: *av = 0x1 << (perm_datum->s.value - 1); libsepol/src/services.c: *av = 0x1 << (perm_datum->s.value - 1); libsepol/src/avtab.c: nslot = 1 << shift;
On Fri, Oct 8, 2021 at 12:06 PM Christian Göttsche <cgzones@googlemail.com> wrote: > > On Fri, 8 Oct 2021 at 16:49, James Carter <jwcart2@gmail.com> wrote: > > > > The maximum number of permissions in a class is 32. This is so that > > each permission can be represented by a bit in a uint32_t. In two > > places while building the binary policy from CIL an expression of the > > form "1 << x" is used to set the permission bit. Unfortunately, this > > expression is undefined if x == 31 because the 1 is an int and cannot > > be left shifted by 31. > > > > Instead, use 1U << x, because an unsigned can be shifted 31. > > > > This bug was found by the secilc-fuzzer. > > > > Signed-off-by: James Carter <jwcart2@gmail.com> > > --- > > libsepol/cil/src/cil_binary.c | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c > > index ec5f01e5..90af430d 100644 > > --- a/libsepol/cil/src/cil_binary.c > > +++ b/libsepol/cil/src/cil_binary.c > > @@ -1225,7 +1225,7 @@ int __perm_str_to_datum(char *perm_str, class_datum_t *sepol_class, uint32_t *da > > goto exit; > > } > > } > > - *datum |= 1 << (sepol_perm->s.value - 1); > > + *datum |= 1U << (sepol_perm->s.value - 1); > > > > return SEPOL_OK; > > > > @@ -4760,7 +4760,7 @@ static struct cil_list *cil_classperms_from_sepol(policydb_t *pdb, uint16_t clas > > cil_list_init(&cp->perms, CIL_PERM); > > for (i = 0; i < sepol_class->permissions.nprim; i++) { > > struct cil_perm *perm; > > - if ((data & (1 << i)) == 0) continue; > > + if ((data & (1U << i)) == 0) continue; > > perm = perm_value_to_cil[class][i+1]; > > if (!perm) goto exit; > > cil_list_append(cp->perms, CIL_PERM, perm); > > -- > > 2.31.1 > > > > There might be more instances (not in libsepol/cil though), as a > simple `grep -REi "1\s*<<"` shows (false positives removed by hand): > > libselinux/src/stringrep.c: return > map_perm(tclass, 1<<i); > libselinux/src/stringrep.c: if ((1<<i) & av) > libselinux/src/stringrep.c: str = > security_av_perm_to_string(tclass, av & (1<<i)); > libselinux/src/stringrep.c: str = > security_av_perm_to_string(tclass, av & (1<<i)); > libselinux/src/mapping.c: if (tperm & (1<<i)) { > libselinux/src/mapping.c: tperm &= ~(1<<i); > libselinux/src/mapping.c: tperm |= 1<<i; > libselinux/src/mapping.c: result |= 1<<i; > libselinux/src/mapping.c: result |= 1<<i; > libselinux/src/mapping.c: result |= 1<<i; > libselinux/src/mapping.c: result |= 1<<i; > libselinux/src/mapping.c: result |= 1<<i; > libselinux/src/mapping.c: result |= 1<<i; > libselinux/src/mapping.c: result |= 1<<i; > libselinux/src/mapping.c: result |= 1<<i; > mcstrans/src/mcscolor.c: mask |= (1 << i); > mcstrans/src/mcscolor.c: if (!(mask & (1 << i))) > python/audit2allow/sepolgen-ifgen-attr-helper.c: if (av > & (1 << i)) { > checkpolicy/policy_define.c: node->permissions |= > (1 << (perdatum->s.value - 1)); > checkpolicy/checkpolicy.c: if > (avd.allowed & (1 << (i - 1))) { > libsepol/src/conditional.c: (test & > (0x1 << j)) ? 1 : 0; > libsepol/src/conditional.c: > cn->expr_pre_comp |= 0x1 << test; > libsepol/src/services.c: *av = 0x1 << (perm_datum->s.value - 1); > libsepol/src/services.c: *av = 0x1 << (perm_datum->s.value - 1); > libsepol/src/avtab.c: nslot = 1 << shift; Thanks, I just searched for them in the CIL code. I will take a look at these. Jim
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c index ec5f01e5..90af430d 100644 --- a/libsepol/cil/src/cil_binary.c +++ b/libsepol/cil/src/cil_binary.c @@ -1225,7 +1225,7 @@ int __perm_str_to_datum(char *perm_str, class_datum_t *sepol_class, uint32_t *da goto exit; } } - *datum |= 1 << (sepol_perm->s.value - 1); + *datum |= 1U << (sepol_perm->s.value - 1); return SEPOL_OK; @@ -4760,7 +4760,7 @@ static struct cil_list *cil_classperms_from_sepol(policydb_t *pdb, uint16_t clas cil_list_init(&cp->perms, CIL_PERM); for (i = 0; i < sepol_class->permissions.nprim; i++) { struct cil_perm *perm; - if ((data & (1 << i)) == 0) continue; + if ((data & (1U << i)) == 0) continue; perm = perm_value_to_cil[class][i+1]; if (!perm) goto exit; cil_list_append(cp->perms, CIL_PERM, perm);
The maximum number of permissions in a class is 32. This is so that each permission can be represented by a bit in a uint32_t. In two places while building the binary policy from CIL an expression of the form "1 << x" is used to set the permission bit. Unfortunately, this expression is undefined if x == 31 because the 1 is an int and cannot be left shifted by 31. Instead, use 1U << x, because an unsigned can be shifted 31. This bug was found by the secilc-fuzzer. Signed-off-by: James Carter <jwcart2@gmail.com> --- libsepol/cil/src/cil_binary.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)