[4/4] libselinux: limit fcontext regex path length

Message ID	20250131175556.21836-4-cgoettsche@seltendoof.de (mailing list archive)
State	New
Delegated to:	Petr Lautrbach
Headers	show Received: from server02.seltendoof.de (server02.seltendoof.de [168.119.48.163]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E1F3B42AA1 for <selinux@vger.kernel.org>; Fri, 31 Jan 2025 18:03:04 +0000 (UTC) From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgoettsche@seltendoof.de> To: selinux@vger.kernel.org Cc: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com> Subject: [PATCH 4/4] libselinux: limit fcontext regex path length Date: Fri, 31 Jan 2025 18:55:56 +0100 Message-ID: <20250131175556.21836-4-cgoettsche@seltendoof.de> In-Reply-To: <20250131175556.21836-1-cgoettsche@seltendoof.de> References: <20250131175556.21836-1-cgoettsche@seltendoof.de> Reply-To: cgzones@googlemail.com Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
Series	[1/4] libselinux: constify global strings \| expand [1/4] libselinux: constify global strings [2/4] libselinux: use local instead of global error buffer [3/4] libselinux: initialize regex arch string in a thread safe way [4/4] libselinux: limit fcontext regex path length

Message ID

20250131175556.21836-4-cgoettsche@seltendoof.de (mailing list archive)

State

New

Delegated to:

Petr Lautrbach

Headers

From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgoettsche@seltendoof.de>
To: selinux@vger.kernel.org
Cc: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com>
Subject: [PATCH 4/4] libselinux: limit fcontext regex path length
Date: Fri, 31 Jan 2025 18:55:56 +0100
Message-ID: <20250131175556.21836-4-cgoettsche@seltendoof.de>
In-Reply-To: <20250131175556.21836-1-cgoettsche@seltendoof.de>
References: <20250131175556.21836-1-cgoettsche@seltendoof.de>
Reply-To: cgzones@googlemail.com
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Series

[1/4] libselinux: constify global strings | expand

Commit Message

Christian Göttsche Jan. 31, 2025, 5:55 p.m. UTC

From: Christian Göttsche <cgzones@googlemail.com>

Limit the length of regular expression paths in fcontext source
definitions to reduce the worst case regex compilation time for abnormal
inputs.

Reported-by: oss-fuzz (issue 393203212)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libselinux/src/label_file.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h
index ad7699e6..7a9834a0 100644
--- a/libselinux/src/label_file.h
+++ b/libselinux/src/label_file.h
@@ -434,6 +434,12 @@  static inline int compile_regex(struct regex_spec *spec, char *errbuf, size_t er
 	reg_buf = spec->regex_str;
 	/* Anchor the regular expression. */
 	len = strlen(reg_buf);
+	if (len >= 4096) {
+		__pthread_mutex_unlock(&spec->regex_lock);
+		snprintf(errbuf, errbuf_size, "regex of length %zu too long", len);
+		errno = EINVAL;
+		return -1;
+	}
 	cp = anchored_regex = malloc(len + 3);
 	if (!anchored_regex) {
 		__pthread_mutex_unlock(&spec->regex_lock);

[4/4] libselinux: limit fcontext regex path length

Commit Message

Patch