[RFC,22/35] libsepol: validate permission count of classes

Message ID	20211011162533.53404-23-cgzones@googlemail.com (mailing list archive)
State	Changes Requested
Headers	show Return-Path: <selinux-owner@kernel.org> From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com> To: selinux@vger.kernel.org Subject: [RFC PATCH 22/35] libsepol: validate permission count of classes Date: Mon, 11 Oct 2021 18:25:20 +0200 Message-Id: <20211011162533.53404-23-cgzones@googlemail.com> In-Reply-To: <20211011162533.53404-1-cgzones@googlemail.com> References: <20211011162533.53404-1-cgzones@googlemail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	libsepol: add fuzzer for reading binary policies \| expand [RFC,00/35] libsepol: add fuzzer for reading binary policies [RFC,01/35] cifuzz: enable report-unreproducible-crashes [RFC,02/35] cifuzz: use the default runtime of 600 seconds [RFC,03/35] libsepol/fuzz: silence secilc-fuzzer [RFC,04/35] libsepol: add libfuzz based fuzzer for reading binary policies [RFC,05/35] libsepol/fuzz: limit element sizes for fuzzing [RFC,06/35] libsepol: use logging framework in conditional.c [RFC,07/35] libsepol: use logging framework in ebitmap.c [RFC,08/35] libsepol: use mallocarray wrapper to avoid overflows [RFC,09/35] libsepol: use reallocarray wrapper to avoid overflows [RFC,10/35] libsepol: add checks for read sizes [RFC,11/35] libsepol: enforce avtab item limit [RFC,12/35] libsepol: clean memory on conditional read failure [RFC,13/35] libsepol: validate MLS levels [RFC,14/35] libsepol: reject invalid fsuse types [RFC,15/35] libsepol: reject invalid default targets [RFC,16/35] libsepol: validate expanded user range and level [RFC,17/35] libsepol: validate types [RFC,18/35] libsepol: use size_t for indexes in strs helpers [RFC,19/35] libsepol: reject abnormal huge sid ids [RFC,20/35] libsepol: do not crash on class gaps [RFC,21/35] libsepol: do not crash on user gaps [RFC,22/35] libsepol: validate permission count of classes [RFC,23/35] libsepol: resolve log message mismatch [RFC,24/35] libsepol: zero member before potential dereference [RFC,25/35] libsepol: validate avtab types [RFC,26/35] libsepol: validate constraint expression operators and attributes [RFC,27/35] libsepol: validate type of avtab type rules [RFC,28/35] libsepol: validate ocontexts [RFC,29/35] libsepol: validate genfs contexts [RFC,30/35] libsepol: validate permissive types [RFC,31/35] libsepol: validate policy properties [RFC,32/35] libsepol: do not underflow on short format arguments [RFC,33/35] libsepol: validate categories [RFC,34/35] libsepol: use correct size for initial string list [RFC,35/35] libsepol: do not create a string list with initial size zero

Message ID

20211011162533.53404-23-cgzones@googlemail.com (mailing list archive)

State

Changes Requested

Headers

From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com>
To: selinux@vger.kernel.org
Subject: [RFC PATCH 22/35] libsepol: validate permission count of classes
Date: Mon, 11 Oct 2021 18:25:20 +0200
Message-Id: <20211011162533.53404-23-cgzones@googlemail.com>
In-Reply-To: <20211011162533.53404-1-cgzones@googlemail.com>
References: <20211011162533.53404-1-cgzones@googlemail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

libsepol: add fuzzer for reading binary policies | expand

Commit Message

Christian Göttsche Oct. 11, 2021, 4:25 p.m. UTC

Check a class has not more than the supported 32 permissions.

    ==28413==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f74ec3341a3 bp 0x7ffd0b7e5030 sp 0x7ffd0b7e47e8 T0)
    ==28413==The signal is caused by a READ memory access.
    ==28413==Hint: address points to the zero page.
        #0 0x7f74ec3341a3  string/../sysdeps/x86_64/multiarch/../strchr.S:32
        #1 0x4bfc78 in strchr (./out/binpolicy-fuzzer+0x4bfc78)
        #2 0x55b7f2 in class_constraint_rules_to_strs ./libsepol/src/kernel_to_conf.c:288:7
        #3 0x55b7f2 in constraint_rules_to_strs ./libsepol/src/kernel_to_conf.c:364:9
        #4 0x55ac80 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3071:7
        #5 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9
        #6 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
        #7 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
        #8 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
        #9 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
        #10 0x7f74ec2be7ec in __libc_start_main csu/../csu/libc-start.c:332:16
        #11 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsepol/src/policydb_validate.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

James Carter Oct. 13, 2021, 3:41 p.m. UTC | #1

On Mon, Oct 11, 2021 at 12:41 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Check a class has not more than the supported 32 permissions.
>
>     ==28413==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f74ec3341a3 bp 0x7ffd0b7e5030 sp 0x7ffd0b7e47e8 T0)
>     ==28413==The signal is caused by a READ memory access.
>     ==28413==Hint: address points to the zero page.
>         #0 0x7f74ec3341a3  string/../sysdeps/x86_64/multiarch/../strchr.S:32
>         #1 0x4bfc78 in strchr (./out/binpolicy-fuzzer+0x4bfc78)
>         #2 0x55b7f2 in class_constraint_rules_to_strs ./libsepol/src/kernel_to_conf.c:288:7
>         #3 0x55b7f2 in constraint_rules_to_strs ./libsepol/src/kernel_to_conf.c:364:9
>         #4 0x55ac80 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3071:7
>         #5 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9
>         #6 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
>         #7 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
>         #8 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
>         #9 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
>         #10 0x7f74ec2be7ec in __libc_start_main csu/../csu/libc-start.c:332:16
>         #11 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
>  libsepol/src/policydb_validate.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
> index c9700399..7ec0675c 100644
> --- a/libsepol/src/policydb_validate.c
> +++ b/libsepol/src/policydb_validate.c
> @@ -203,6 +203,8 @@ static int validate_class_datum(sepol_handle_t *handle, class_datum_t *class, va
>                 goto bad;
>         if (validate_constraint_nodes(handle, class->validatetrans, flavors))
>                 goto bad;
> +       if (class->permissions.nprim > PERM_SYMTAB_SIZE)
> +               goto bad;
>

This is good, but it also needs to be done for commons. See comments
for patch 13.

Thanks,
Jim


>         return 0;
>
> --
> 2.33.0
>

diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index c9700399..7ec0675c 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -203,6 +203,8 @@  static int validate_class_datum(sepol_handle_t *handle, class_datum_t *class, va
 		goto bad;
 	if (validate_constraint_nodes(handle, class->validatetrans, flavors))
 		goto bad;
+	if (class->permissions.nprim > PERM_SYMTAB_SIZE)
+		goto bad;
 
 	return 0;

[RFC,22/35] libsepol: validate permission count of classes

Commit Message

Comments

Patch