diff mbox series

[RFC,17/35] libsepol: validate types

Message ID 20211011162533.53404-18-cgzones@googlemail.com (mailing list archive)
State Changes Requested
Headers show
Series libsepol: add fuzzer for reading binary policies | expand

Commit Message

Christian Göttsche Oct. 11, 2021, 4:25 p.m. UTC 
Check all types are valid values, especially important for aliases.

    ==9702==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000af8 at pc 0x000000560698 bp 0x7ffcca93b9f0 sp 0x7ffcca93b9e8
    READ of size 8 at 0x602000000af8 thread T0
        #0 0x560697 in write_type_alias_rules_to_conf ./libsepol/src/kernel_to_conf.c:1424:10
        #1 0x55af16 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3131:7
        #2 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9
        #3 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
        #4 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
        #5 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
        #6 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
        #7 0x7f518b1d57ec in __libc_start_main csu/../csu/libc-start.c:332:16
        #8 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsepol/src/policydb_validate.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

Comments

James Carter Oct. 13, 2021, 3:39 p.m. UTC | #1 
On Mon, Oct 11, 2021 at 12:41 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Check all types are valid values, especially important for aliases.
>
>     ==9702==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000af8 at pc 0x000000560698 bp 0x7ffcca93b9f0 sp 0x7ffcca93b9e8
>     READ of size 8 at 0x602000000af8 thread T0
>         #0 0x560697 in write_type_alias_rules_to_conf ./libsepol/src/kernel_to_conf.c:1424:10
>         #1 0x55af16 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3131:7
>         #2 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9
>         #3 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
>         #4 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
>         #5 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
>         #6 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
>         #7 0x7f518b1d57ec in __libc_start_main csu/../csu/libc-start.c:332:16
>         #8 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
>  libsepol/src/policydb_validate.c | 19 +++++++++++--------
>  1 file changed, 11 insertions(+), 8 deletions(-)
>
> diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
> index a6ae728a..c9700399 100644
> --- a/libsepol/src/policydb_validate.c
> +++ b/libsepol/src/policydb_validate.c
> @@ -348,6 +348,14 @@ static int validate_level(__attribute__ ((unused))hashtab_key_t k, hashtab_datum
>         return validate_mls_level(level->level, &flavors[SYM_LEVELS], &flavors[SYM_CATS]);
>  }
>
> +static int validate_datum(__attribute__ ((unused))hashtab_key_t k, hashtab_datum_t d, void *args)
> +{
> +       symtab_datum_t *s = d;
> +       uint32_t *nprim = (uint32_t *)args;
> +
> +       return !value_isvalid(s->value, *nprim);
> +}
> +
>  static int validate_datum_arrays(sepol_handle_t *handle, policydb_t *p, validate_t flavors[])
>  {
>         unsigned int i;
> @@ -406,6 +414,9 @@ static int validate_datum_arrays(sepol_handle_t *handle, policydb_t *p, validate
>                 }
>         }
>
> +       if (hashtab_map(p->p_types.table, validate_datum, &flavors[SYM_TYPES]))
> +               goto bad;
> +
>         if (hashtab_map(p->p_levels.table, validate_level, flavors))
>                 goto bad;
>

This should not be in this function. See the comments for patch 13.

Thanks,
Jim


> @@ -707,14 +718,6 @@ bad:
>         return -1;
>  }
>
> -static int validate_datum(__attribute__ ((unused))hashtab_key_t k, hashtab_datum_t d, void *args)
> -{
> -       symtab_datum_t *s = d;
> -       uint32_t *nprim = (uint32_t *)args;
> -
> -       return !value_isvalid(s->value, *nprim);
> -}
> -
>  static int validate_symtabs(sepol_handle_t *handle, symtab_t symtabs[], validate_t flavors[])
>  {
>         unsigned int i;
> --
> 2.33.0
>
diff mbox series

Patch

diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index a6ae728a..c9700399 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -348,6 +348,14 @@  static int validate_level(__attribute__ ((unused))hashtab_key_t k, hashtab_datum
 	return validate_mls_level(level->level, &flavors[SYM_LEVELS], &flavors[SYM_CATS]);
 }
 
+static int validate_datum(__attribute__ ((unused))hashtab_key_t k, hashtab_datum_t d, void *args)
+{
+	symtab_datum_t *s = d;
+	uint32_t *nprim = (uint32_t *)args;
+
+	return !value_isvalid(s->value, *nprim);
+}
+
 static int validate_datum_arrays(sepol_handle_t *handle, policydb_t *p, validate_t flavors[])
 {
 	unsigned int i;
@@ -406,6 +414,9 @@  static int validate_datum_arrays(sepol_handle_t *handle, policydb_t *p, validate
 		}
 	}
 
+	if (hashtab_map(p->p_types.table, validate_datum, &flavors[SYM_TYPES]))
+		goto bad;
+
 	if (hashtab_map(p->p_levels.table, validate_level, flavors))
 		goto bad;
 
@@ -707,14 +718,6 @@  bad:
 	return -1;
 }
 
-static int validate_datum(__attribute__ ((unused))hashtab_key_t k, hashtab_datum_t d, void *args)
-{
-	symtab_datum_t *s = d;
-	uint32_t *nprim = (uint32_t *)args;
-
-	return !value_isvalid(s->value, *nprim);
-}
-
 static int validate_symtabs(sepol_handle_t *handle, symtab_t symtabs[], validate_t flavors[])
 {
 	unsigned int i;