diff mbox series

[v2] libselinux: limit node depth while parsing compiled fcontexts

Message ID 20250116105427.22307-1-cgoettsche@seltendoof.de (mailing list archive)
State New
Headers show
Series [v2] libselinux: limit node depth while parsing compiled fcontexts | expand

Commit Message

Christian Göttsche Jan. 16, 2025, 10:54 a.m. UTC 
From: Christian Göttsche <cgzones@googlemail.com>

Limit the node depth while parsing a pre-compiled fcontext definition to
avoid unlimited recursions causing stack overflows.

Use a sufficiently high value of 32, instead of the node depth of
currently 3 for generating a database, to not unnecessarily limit
custom changes.

Fixes: 92306daf ("libselinux: rework selabel_file(5) database")
Reported-by: oss-fuzz (issues 388615595 and 388592303)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v2: add code comment
---
 libselinux/src/label_file.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff mbox series

Patch

diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index 56e20949..507ce0d3 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -674,12 +674,22 @@  static int load_mmap_regex_spec(struct mmap_area *mmap_area, bool validating, bo
 }
 
 static int load_mmap_spec_node(struct mmap_area *mmap_area, const char *path, bool validating, bool do_load_precompregex,
-			       struct spec_node *node, bool is_root, uint8_t inputno, const struct context_array *ctx_array)
+			       struct spec_node *node, const unsigned depth, uint8_t inputno, const struct context_array *ctx_array)
 {
 	uint32_t data_u32, lspec_num, rspec_num, children_num;
 	uint16_t data_u16, stem_len;
+	const bool is_root = (depth == 0);
 	int rc;
 
+	/*
+	 * Guard against deep recursion by malicious pre-compiled fcontext
+	 * definitions. The limit of 32 is chosen intuitively and should
+	 * suffice for any real world scenario. See the macro
+	 * SPEC_NODE_MAX_DEPTH for the current value used for tree building.
+	 */
+	if (depth >= 32)
+		return -1;
+
 	node->from_mmap = true;
 
 
@@ -794,7 +804,7 @@  static int load_mmap_spec_node(struct mmap_area *mmap_area, const char *path, bo
 		node->children_alloc = children_num;
 
 		for (uint32_t i = 0; i < children_num; i++) {
-			rc = load_mmap_spec_node(mmap_area, path, validating, do_load_precompregex, &node->children[i], false, inputno, ctx_array);
+			rc = load_mmap_spec_node(mmap_area, path, validating, do_load_precompregex, &node->children[i], depth + 1, inputno, ctx_array);
 			if (rc)
 				return -1;
 
@@ -969,7 +979,7 @@  end_arch_check:
 
 	rc = load_mmap_spec_node(mmap_area, path, rec->validating,
 				 reg_version_matches && reg_arch_matches,
-				 root, true,
+				 root, 0,
 				 inputno,
 				 &ctx_array);
 	if (rc)