[10/15] libsepol: add copy member to level_datum

Message ID	20240122135507.63506-10-cgzones@googlemail.com (mailing list archive)
State	New
Delegated to:	Petr Lautrbach
Headers	show Received: from mail-ej1-f47.google.com (mail-ej1-f47.google.com [209.85.218.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C52BE3D0D2 for <selinux@vger.kernel.org>; Mon, 22 Jan 2024 13:55:20 +0000 (UTC) From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com> To: selinux@vger.kernel.org Subject: [PATCH 10/15] libsepol: add copy member to level_datum Date: Mon, 22 Jan 2024 14:55:02 +0100 Message-ID: <20240122135507.63506-10-cgzones@googlemail.com> In-Reply-To: <20240122135507.63506-1-cgzones@googlemail.com> References: <20240122135507.63506-1-cgzones@googlemail.com> Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
Series	[01/15] checkpolicy: add libfuzz based fuzzer \| expand [01/15] checkpolicy: add libfuzz based fuzzer [02/15] checkpolicy: cleanup resources on parse error [03/15] checkpolicy: cleanup identifiers on error [04/15] checkpolicy: free ebitmap on error [05/15] checkpolicy: check allocation and free memory on error at type definition [06/15] checkpolicy: clean expression on error [07/15] checkpolicy: call YYABORT on parse errors [08/15] checkpolicy: bail out on invalid role [09/15] libsepol: use typedef [10/15] libsepol: add copy member to level_datum [11/15] checkpolicy: fix use-after-free on invalid sens alias [12/15] checkpolicy: provide more descriptive error messages [13/15] checkpolicy: free temporary bounds type [14/15] checkpolicy: avoid assigning garbage values [15/15] checkpolicy: misc policy_define.c cleanup

Message ID

20240122135507.63506-10-cgzones@googlemail.com (mailing list archive)

State

New

Delegated to:

Petr Lautrbach

Headers

From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com>
To: selinux@vger.kernel.org
Subject: [PATCH 10/15] libsepol: add copy member to level_datum
Date: Mon, 22 Jan 2024 14:55:02 +0100
Message-ID: <20240122135507.63506-10-cgzones@googlemail.com>
In-Reply-To: <20240122135507.63506-1-cgzones@googlemail.com>
References: <20240122135507.63506-1-cgzones@googlemail.com>
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Series

[01/15] checkpolicy: add libfuzz based fuzzer | expand

Commit Message

Christian Göttsche Jan. 22, 2024, 1:55 p.m. UTC

Add a new member to the struct level_datum to indicate whether the
member `level` is owned by the current instance, and free it on cleanup
only then.

This helps to implement a fix for a use-after-free issue in the
checkpolicy(8) compiler.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsepol/include/sepol/policydb/policydb.h | 1 +
 libsepol/src/policydb.c                    | 6 ++++--
 libsepol/src/policydb_validate.c           | 3 +++
 3 files changed, 8 insertions(+), 2 deletions(-)

Comments

James Carter Feb. 12, 2024, 10:30 p.m. UTC | #1

On Mon, Jan 22, 2024 at 9:02 AM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Add a new member to the struct level_datum to indicate whether the
> member `level` is owned by the current instance, and free it on cleanup
> only then.
>
> This helps to implement a fix for a use-after-free issue in the
> checkpolicy(8) compiler.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
>  libsepol/include/sepol/policydb/policydb.h | 1 +
>  libsepol/src/policydb.c                    | 6 ++++--
>  libsepol/src/policydb_validate.c           | 3 +++
>  3 files changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
> index 6682069e..06231574 100644
> --- a/libsepol/include/sepol/policydb/policydb.h
> +++ b/libsepol/include/sepol/policydb/policydb.h
> @@ -218,6 +218,7 @@ typedef struct level_datum {
>         mls_level_t *level;     /* sensitivity and associated categories */
>         unsigned char isalias;  /* is this sensitivity an alias for another? */
>         unsigned char defined;
> +       unsigned char copy;     /* whether the level is a non-owned copy (compile time only) */
>  } level_datum_t;
>

I don't think this field needs to be added. See below.

>  /* Category attributes */
> diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
> index f10a8a95..322ab745 100644
> --- a/libsepol/src/policydb.c
> +++ b/libsepol/src/policydb.c
> @@ -1390,8 +1390,10 @@ static int sens_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p
>         if (key)
>                 free(key);
>         levdatum = (level_datum_t *) datum;
> -       mls_level_destroy(levdatum->level);
> -       free(levdatum->level);
> +       if (!levdatum->copy) {

I believe that the following can be made to work:
if (!levdatum->isalias || levdatum->defined) {

To work, clone_level() and define_level() will need to be modified, so
that defined is not set until right before finishing the call.

Jim


> +               mls_level_destroy(levdatum->level);
> +               free(levdatum->level);
> +       }
>         level_datum_destroy(levdatum);
>         free(levdatum);
>         return 0;
> diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
> index d86f885e..e3af7ccd 100644
> --- a/libsepol/src/policydb_validate.c
> +++ b/libsepol/src/policydb_validate.c
> @@ -623,6 +623,9 @@ static int validate_level_datum(__attribute__ ((unused)) hashtab_key_t k, hashta
>         level_datum_t *level = d;
>         validate_t *flavors = args;
>
> +       if (level->copy)
> +               return -1;
> +
>         return validate_mls_level(level->level, &flavors[SYM_LEVELS], &flavors[SYM_CATS]);
>  }
>
> --
> 2.43.0
>
>

diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
index 6682069e..06231574 100644
--- a/libsepol/include/sepol/policydb/policydb.h
+++ b/libsepol/include/sepol/policydb/policydb.h
@@ -218,6 +218,7 @@  typedef struct level_datum {
 	mls_level_t *level;	/* sensitivity and associated categories */
 	unsigned char isalias;	/* is this sensitivity an alias for another? */
 	unsigned char defined;
+	unsigned char copy;	/* whether the level is a non-owned copy (compile time only) */
 } level_datum_t;
 
 /* Category attributes */
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index f10a8a95..322ab745 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -1390,8 +1390,10 @@  static int sens_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p
 	if (key)
 		free(key);
 	levdatum = (level_datum_t *) datum;
-	mls_level_destroy(levdatum->level);
-	free(levdatum->level);
+	if (!levdatum->copy) {
+		mls_level_destroy(levdatum->level);
+		free(levdatum->level);
+	}
 	level_datum_destroy(levdatum);
 	free(levdatum);
 	return 0;
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index d86f885e..e3af7ccd 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -623,6 +623,9 @@  static int validate_level_datum(__attribute__ ((unused)) hashtab_key_t k, hashta
 	level_datum_t *level = d;
 	validate_t *flavors = args;
 
+	if (level->copy)
+		return -1;
+
 	return validate_mls_level(level->level, &flavors[SYM_LEVELS], &flavors[SYM_CATS]);
 }

[10/15] libsepol: add copy member to level_datum

Commit Message

Comments

Patch