Message ID | 20211011162533.53404-18-cgzones@googlemail.com (mailing list archive) |
---|---|
State | Changes Requested |
Headers | show |
Series | libsepol: add fuzzer for reading binary policies | expand |
On Mon, Oct 11, 2021 at 12:41 PM Christian Göttsche <cgzones@googlemail.com> wrote: > > Check all types are valid values, especially important for aliases. > > ==9702==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000af8 at pc 0x000000560698 bp 0x7ffcca93b9f0 sp 0x7ffcca93b9e8 > READ of size 8 at 0x602000000af8 thread T0 > #0 0x560697 in write_type_alias_rules_to_conf ./libsepol/src/kernel_to_conf.c:1424:10 > #1 0x55af16 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3131:7 > #2 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9 > #3 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o > #4 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o > #5 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o > #6 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) > #7 0x7f518b1d57ec in __libc_start_main csu/../csu/libc-start.c:332:16 > #8 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > --- > libsepol/src/policydb_validate.c | 19 +++++++++++-------- > 1 file changed, 11 insertions(+), 8 deletions(-) > > diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c > index a6ae728a..c9700399 100644 > --- a/libsepol/src/policydb_validate.c > +++ b/libsepol/src/policydb_validate.c > @@ -348,6 +348,14 @@ static int validate_level(__attribute__ ((unused))hashtab_key_t k, hashtab_datum > return validate_mls_level(level->level, &flavors[SYM_LEVELS], &flavors[SYM_CATS]); > } > > +static int validate_datum(__attribute__ ((unused))hashtab_key_t k, hashtab_datum_t d, void *args) > +{ > + symtab_datum_t *s = d; > + uint32_t *nprim = (uint32_t *)args; > + > + return !value_isvalid(s->value, *nprim); > +} > + > static int validate_datum_arrays(sepol_handle_t *handle, policydb_t *p, validate_t flavors[]) > { > unsigned int i; > @@ -406,6 +414,9 @@ static int validate_datum_arrays(sepol_handle_t *handle, policydb_t *p, validate > } > } > > + if (hashtab_map(p->p_types.table, validate_datum, &flavors[SYM_TYPES])) > + goto bad; > + > if (hashtab_map(p->p_levels.table, validate_level, flavors)) > goto bad; > This should not be in this function. See the comments for patch 13. Thanks, Jim > @@ -707,14 +718,6 @@ bad: > return -1; > } > > -static int validate_datum(__attribute__ ((unused))hashtab_key_t k, hashtab_datum_t d, void *args) > -{ > - symtab_datum_t *s = d; > - uint32_t *nprim = (uint32_t *)args; > - > - return !value_isvalid(s->value, *nprim); > -} > - > static int validate_symtabs(sepol_handle_t *handle, symtab_t symtabs[], validate_t flavors[]) > { > unsigned int i; > -- > 2.33.0 >
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c index a6ae728a..c9700399 100644 --- a/libsepol/src/policydb_validate.c +++ b/libsepol/src/policydb_validate.c @@ -348,6 +348,14 @@ static int validate_level(__attribute__ ((unused))hashtab_key_t k, hashtab_datum return validate_mls_level(level->level, &flavors[SYM_LEVELS], &flavors[SYM_CATS]); } +static int validate_datum(__attribute__ ((unused))hashtab_key_t k, hashtab_datum_t d, void *args) +{ + symtab_datum_t *s = d; + uint32_t *nprim = (uint32_t *)args; + + return !value_isvalid(s->value, *nprim); +} + static int validate_datum_arrays(sepol_handle_t *handle, policydb_t *p, validate_t flavors[]) { unsigned int i; @@ -406,6 +414,9 @@ static int validate_datum_arrays(sepol_handle_t *handle, policydb_t *p, validate } } + if (hashtab_map(p->p_types.table, validate_datum, &flavors[SYM_TYPES])) + goto bad; + if (hashtab_map(p->p_levels.table, validate_level, flavors)) goto bad; @@ -707,14 +718,6 @@ bad: return -1; } -static int validate_datum(__attribute__ ((unused))hashtab_key_t k, hashtab_datum_t d, void *args) -{ - symtab_datum_t *s = d; - uint32_t *nprim = (uint32_t *)args; - - return !value_isvalid(s->value, *nprim); -} - static int validate_symtabs(sepol_handle_t *handle, symtab_t symtabs[], validate_t flavors[]) { unsigned int i;
Check all types are valid values, especially important for aliases. ==9702==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000af8 at pc 0x000000560698 bp 0x7ffcca93b9f0 sp 0x7ffcca93b9e8 READ of size 8 at 0x602000000af8 thread T0 #0 0x560697 in write_type_alias_rules_to_conf ./libsepol/src/kernel_to_conf.c:1424:10 #1 0x55af16 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3131:7 #2 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9 #3 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o #4 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o #5 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o #6 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) #7 0x7f518b1d57ec in __libc_start_main csu/../csu/libc-start.c:332:16 #8 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <cgzones@googlemail.com> --- libsepol/src/policydb_validate.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-)