Message ID | 20230713180816.101924-5-cgzones@googlemail.com (mailing list archive) |
---|---|
State | Not Applicable |
Delegated to: | Petr Lautrbach |
Series | [1/5] libsepol: free memory on str_read() failures | expand |
On Thu, Jul 13, 2023 at 2:49 PM Christian Göttsche <cgzones@googlemail.com> wrote:
>
> Ensure counts are not set to the maximum value of their type.
> Also limit their size during fuzzing to prevent OOM reports.
>
> Reported-by: oss-fuzz (issue 60572)
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
> libsepol/src/avtab.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c
> index 9c7daf8e..cb2ca06a 100644
> --- a/libsepol/src/avtab.c
> +++ b/libsepol/src/avtab.c
> @@ -461,6 +461,8 @@ static int avtab_read_name_trans(policy_file_t *fp, symtab_t *target)
> if (rc < 0)
> return rc;
> nel = le32_to_cpu(buf32[0]);
> + if (is_saturated(nel))
> + return -1;
>
> rc = symtab_init(target, nel);
> if (rc < 0)
> @@ -736,7 +738,7 @@ int avtab_read(avtab_t * a, struct policy_file *fp, uint32_t vers)
> goto bad;
> }
> nel = le32_to_cpu(buf[0]);
> - if (!nel) {
> + if (zero_or_saturated(nel)) {
> ERR(fp->handle, "table is empty");
> goto bad;
> }
The other three hunks depended on the prefix/suffix patches, but I think that this hunk might still be applicable. Jim
> @@ -909,6 +911,9 @@ static int filename_trans_comp_read_one(avtab_t *a, void *fp)
> key.target_class = le32_to_cpu(buf[1]);
>
> ndatum = le32_to_cpu(buf[2]);
> + if (is_saturated(ndatum))
> + goto err;
> +
> for (i = 0; i < ndatum; i++) {
> rc = ebitmap_read(&stypes, fp);
> if (rc < 0)
> @@ -951,6 +956,8 @@ int avtab_filename_trans_read(void *fp, uint32_t vers, avtab_t *a)
> if (rc < 0)
> return rc;
> nel = le32_to_cpu(*buf);
> + if (is_saturated(nel))
> + return -1;
>
> if (vers < POLICYDB_VERSION_COMP_FTRANS) {
> for (i = 0; i < nel; i++) {
> --
> 2.40.1
>
diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c
index 9c7daf8e..cb2ca06a 100644
--- a/libsepol/src/avtab.c
+++ b/libsepol/src/avtab.c
@@ -461,6 +461,8 @@ static int avtab_read_name_trans(policy_file_t *fp, symtab_t *target)
 if (rc < 0)
 return rc;
 nel = le32_to_cpu(buf32[0]);
+ if (is_saturated(nel))
+ return -1;

 rc = symtab_init(target, nel);
 if (rc < 0)
@@ -736,7 +738,7 @@ int avtab_read(avtab_t * a, struct policy_file *fp, uint32_t vers)
 goto bad;
 }
 nel = le32_to_cpu(buf[0]);
- if (!nel) {
+ if (zero_or_saturated(nel)) {
 ERR(fp->handle, "table is empty");
 goto bad;
 }
@@ -909,6 +911,9 @@ static int filename_trans_comp_read_one(avtab_t *a, void *fp)
 key.target_class = le32_to_cpu(buf[1]);

 ndatum = le32_to_cpu(buf[2]);
+ if (is_saturated(ndatum))
+ goto err;
+
 for (i = 0; i < ndatum; i++) {
 rc = ebitmap_read(&stypes, fp);
 if (rc < 0)
@@ -951,6 +956,8 @@ int avtab_filename_trans_read(void *fp, uint32_t vers, avtab_t *a)
 if (rc < 0)
 return rc;
 nel = le32_to_cpu(*buf);
+ if (is_saturated(nel))
+ return -1;

 if (vers < POLICYDB_VERSION_COMP_FTRANS) {
 for (i = 0; i < nel; i++) {
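Review bot: The new `if (is_saturated(nel))` guard in avtab_read_name_trans, placed right before `symtab_init(target, nel)`, carries no comment saying why exactly the type's maximum value is rejected while every smaller count is still accepted, and the fuzzing size cap that the commit message promises is not visible in this hunk, so it presumably lives inside is_saturated() itself rather than in avtab.c. A one-line comment above the check, such as `/* a count equal to the type's maximum is never valid; is_saturated() also applies the fuzzing size cap */`, would let a reader of this function alone understand the rejection without consulting the commit log. The identical guards in the filename_trans_comp_read_one and avtab_filename_trans_read hunks would benefit from the same comment. All three enclosing functions start and end outside their hunks.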
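Review bot: In avtab_read the widened condition `if (zero_or_saturated(nel)) {` still reports `"table is empty"`, so a saturated entry count from a corrupt or crafted policy file is diagnosed as an empty table, which will send anyone debugging a rejected policy down the wrong path. Either keep the existing message for the `!nel` case and add a separate branch with its own message for the saturated case, or make the single message cover both, e.g. `ERR(fp->handle, "table is empty or has an invalid number of entries");`. avtab_read continues outside the hunk.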
Ensure counts are not set to the maximum value of their type. Also limit their size during fuzzing to prevent OOM reports. Reported-by: oss-fuzz (issue 60572) Signed-off-by: Christian Göttsche <cgzones@googlemail.com> --- libsepol/src/avtab.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-)