From patchwork Sat Oct 3 19:39:56 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicolas Iooss X-Patchwork-Id: 11815365
From: Nicolas Iooss To: selinux@vger.kernel.org Subject: [PATCH 1/2] libsepol: drop confusing BUG_ON macro Date: Sat, 3 Oct 2020 21:39:56 +0200 Message-Id: <20201003193957.1876526-1-nicolas.iooss@m4x.org> X-Mailer: git-send-email 2.28.0 MIME-Version: 1.0 X-AV-Checked: ClamAV using ClamSMTP at svoboda.polytechnique.org (Sat Oct 3 21:40:04 2020 +0200 (CEST)) X-Spam-Flag: No, tests=bogofilter, spamicity=0.000183, queueID=4C0A95600B6 X-Org-Mail: nicolas.iooss.2010@polytechnique.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Contrary to Linux kernel, BUG_ON() does not halt the execution, in libsepol/src/services.c. Instead it displays an error message and continues the execution. This means that this code does not prevent an out-of-bound write from happening: case CEXPR_AND: BUG_ON(sp < 1); sp--; s[sp] &= s[sp + 1]; Use if(...){BUG();rc=-EINVAL;goto out;} constructions instead, to make sure that the array access is always in-bound. This issue has been found using clang's static analyzer: https://558-118970575-gh.circle-artifacts.com/0/output-scan-build/2020-10-02-065849-6375-1/report-50a861.html#EndPath Signed-off-by: Nicolas Iooss Acked-by: James Carter --- libsepol/src/services.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/libsepol/src/services.c b/libsepol/src/services.c index 90da1f4efef3..beb0711f6680 100644 --- a/libsepol/src/services.c +++ b/libsepol/src/services.c @@ -67,7 +67,6 @@ #include "flask.h" #define BUG() do { ERR(NULL, "Badness at %s:%d", __FILE__, __LINE__); } while (0) -#define BUG_ON(x) do { if (x) ERR(NULL, "Badness at %s:%d", __FILE__, __LINE__); } while (0) static int selinux_enforcing = 1; 
@@ -469,18 +468,30 @@ static int constraint_expr_eval_reason(context_struct_t *scontext, /* Now process each expression of the constraint */ switch (e->expr_type) { case CEXPR_NOT: - BUG_ON(sp < 0); + if (sp < 0) { + BUG(); + rc = -EINVAL; + goto out; + } s[sp] = !s[sp]; cat_expr_buf(expr_list[expr_counter], "not"); break; case CEXPR_AND: - BUG_ON(sp < 1); + if (sp < 1) { + BUG(); + rc = -EINVAL; + goto out; + } sp--; s[sp] &= s[sp + 1]; cat_expr_buf(expr_list[expr_counter], "and"); break; case CEXPR_OR: - BUG_ON(sp < 1); + if (sp < 1) { + BUG(); + rc = -EINVAL; + goto out; + } sp--; s[sp] |= s[sp + 1]; cat_expr_buf(expr_list[expr_counter], "or"); From patchwork Sat Oct 3 19:39:57 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicolas Iooss X-Patchwork-Id: 11815367 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 00B0F6CB for ; Sat, 3 Oct 2020 19:40:08 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id DC100206C1 for ; Sat, 3 Oct 2020 19:40:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725831AbgJCTkH (ORCPT ); Sat, 3 Oct 2020 15:40:07 -0400 Received: from mx1.polytechnique.org ([129.104.30.34]:46320 "EHLO mx1.polytechnique.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725897AbgJCTkH (ORCPT ); Sat, 3 Oct 2020 15:40:07 -0400 Received: from localhost.localdomain (85-168-38-217.rev.numericable.fr [85.168.38.217]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ssl.polytechnique.org (Postfix) with ESMTPSA id AD5B55600AD for ; Sat, 3 Oct 2020 21:40:05 +0200 (CEST) 
From: Nicolas Iooss To: selinux@vger.kernel.org Subject: [PATCH 2/2] libsepol: silence potential NULL pointer dereference warning Date: Sat, 3 Oct 2020 21:39:57 +0200 Message-Id: <20201003193957.1876526-2-nicolas.iooss@m4x.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20201003193957.1876526-1-nicolas.iooss@m4x.org> References: <20201003193957.1876526-1-nicolas.iooss@m4x.org> MIME-Version: 1.0 X-AV-Checked: ClamAV using ClamSMTP at svoboda.polytechnique.org (Sat Oct 3 21:40:05 2020 +0200 (CEST)) X-Spam-Flag: No, tests=bogofilter, spamicity=0.063363, queueID=DD03C5605E4 X-Org-Mail: nicolas.iooss.2010@polytechnique.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org When find_avtab_node() is called with key->specified & AVTAB_XPERMS and xperms=NULL, xperms is being dereferenced. This is detected as a "NULL pointer dereference issue" by static analyzers. Even though it does not make much sense to call find_avtab_node() in a way which triggers the NULL pointer dereference issue, static analyzers have a hard time with calls such as: node = find_avtab_node(handle, avtab, &avkey, cond, NULL); ... where xperms=NULL. So, make the function report an error instead of crashing. Here is an example of report from clang's static analyzer: https://558-118970575-gh.circle-artifacts.com/0/output-scan-build/2020-10-02-065849-6375-1/report-d86a57.html#EndPath Signed-off-by: Nicolas Iooss Acked-by: James Carter --- libsepol/src/expand.c | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index 19e48c507236..eac7e4507d02 100644 --- a/libsepol/src/expand.c +++ b/libsepol/src/expand.c 
@@ -1570,17 +1570,22 @@ static avtab_ptr_t find_avtab_node(sepol_handle_t * handle, /* AVTAB_XPERMS entries are not necessarily unique */ if (key->specified & AVTAB_XPERMS) { - node = avtab_search_node(avtab, key); - while (node) { - if ((node->datum.xperms->specified == xperms->specified) && - (node->datum.xperms->driver == xperms->driver)) { - match = 1; - break; + if (xperms == NULL) { + ERR(handle, "searching xperms NULL"); + node = NULL; + } else { + node = avtab_search_node(avtab, key); + while (node) { + if ((node->datum.xperms->specified == xperms->specified) && + (node->datum.xperms->driver == xperms->driver)) { + match = 1; + break; + } + node = avtab_search_node_next(node, key->specified); } - node = avtab_search_node_next(node, key->specified); + if (!match) + node = NULL; } - if (!match) - node = NULL; } else { node = avtab_search_node(avtab, key); }
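Review bot: in the new `xperms == NULL` branch of find_avtab_node() (patch 2/2, libsepol/src/expand.c), the error is logged but the function only sets `node = NULL` and carries on, so whether the caller ever sees a failure depends on code after this hunk that is not shown. If a NULL node at that point is handled as "no matching entry" rather than as an error, the ERR() call would be followed by normal processing. A `return NULL;` placed directly after the ERR() call would make the failure explicit, and as an early exit it would let the existing search loop keep its indentation instead of moving under an `else`. The message "searching xperms NULL" is also hard to act on in a log; naming the function and the condition, for example "find_avtab_node: xperms is NULL for an AVTAB_XPERMS key", would be clearer.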
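Review bot: in the CEXPR_NOT, CEXPR_AND and CEXPR_OR cases of constraint_expr_eval_reason() (patch 1/2, second hunk of libsepol/src/services.c), the same block of `BUG(); rc = -EINVAL; goto out;` is now written out three times, differing only in the bound (`sp < 0` versus `sp < 1`). A small local macro or helper that takes the required stack depth would keep the three checks from drifting apart when a new operator is added. Since these are new exits from the middle of the expression loop, please also confirm that the `out` label cleans up whatever `expr_list` holds at that point; the label itself is outside the lines shown here.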
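Review bot: the `BUG()` macro kept at the top of libsepol/src/services.c (patch 1/2, first hunk) has the same property the commit message objects to in `BUG_ON()`: it expands to an ERR() call and does not stop execution. A short comment above `#define BUG()` stating that it only logs, and that the caller must set `rc` and jump to the error path itself, would keep the next reader from assuming kernel semantics again.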