From patchwork Wed Dec 30 10:07:41 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicolas Iooss X-Patchwork-Id: 11993081 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E0393C433DB for ; Wed, 30 Dec 2020 10:08:57 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id AC6AB21D94 for ; Wed, 30 Dec 2020 10:08:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726185AbgL3KIh (ORCPT ); Wed, 30 Dec 2020 05:08:37 -0500 Received: from mx1.polytechnique.org ([129.104.30.34]:33098 "EHLO mx1.polytechnique.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725814AbgL3KIg (ORCPT ); Wed, 30 Dec 2020 05:08:36 -0500 Received: from localhost.localdomain (174.17.206.77.rev.sfr.net [77.206.17.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ssl.polytechnique.org (Postfix) with ESMTPSA id 4B796565ABF for ; Wed, 30 Dec 2020 11:07:54 +0100 (CET) 
From: Nicolas Iooss To: selinux@vger.kernel.org Subject: [PATCH 1/6] libsepol: do not decode out-of-bound rolebounds Date: Wed, 30 Dec 2020 11:07:41 +0100 Message-Id: <20201230100746.2549568-1-nicolas.iooss@m4x.org> X-Mailer: git-send-email 2.29.2 MIME-Version: 1.0 X-AV-Checked: ClamAV using ClamSMTP at svoboda.polytechnique.org (Wed Dec 30 11:07:54 2020 +0100 (CET)) X-Org-Mail: nicolas.iooss.2010@polytechnique.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org While fuzzing /usr/libexec/hll/pp, a policy module was generated with a role->bounds larger than the number of roles in the policy. This issue has been found while fuzzing hll/pp with the American Fuzzy Lop. Signed-off-by: Nicolas Iooss --- libsepol/src/module_to_cil.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index a87bc15e7610..c99790eb76e7 100644 --- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c 
@@ -2165,7 +2165,9 @@ static int role_to_cil(int indent, struct policydb *pdb, struct avrule_block *UN } } - if (role->bounds > 0) { + if (role->bounds >= pdb->p_roles.nprim) { + log_err("Warning: role %s defines an out-of-bound rolebounds", key); + } else if (role->bounds > 0) { cil_println(indent, "(rolebounds %s %s)", key, pdb->p_role_val_to_name[role->bounds - 1]); } break; From patchwork Wed Dec 30 10:07:42 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicolas Iooss X-Patchwork-Id: 11993085 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5EAF3C43381 for ; Wed, 30 Dec 2020 10:08:58 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 35901221F8 for ; Wed, 30 Dec 2020 10:08:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726261AbgL3KIj (ORCPT ); Wed, 30 Dec 2020 05:08:39 -0500 Received: from mx1.polytechnique.org ([129.104.30.34]:38266 "EHLO mx1.polytechnique.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725814AbgL3KIi (ORCPT ); Wed, 30 Dec 2020 05:08:38 -0500 Received: from localhost.localdomain (174.17.206.77.rev.sfr.net [77.206.17.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ssl.polytechnique.org (Postfix) with ESMTPSA id E6B68565ABF for ; Wed, 30 Dec 2020 11:07:56 +0100 (CET) 
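Review bot: the bounds check in the role_to_cil hunk of patch 1/6 is off by one. role->bounds is a 1-based role value (the unchanged line below it indexes p_role_val_to_name[role->bounds - 1]), so bounds == pdb->p_roles.nprim names the last valid role, yet `if (role->bounds >= pdb->p_roles.nprim)` reports it as out of bounds and drops it. Use `if (role->bounds > pdb->p_roles.nprim)` so only values whose index would fall outside the table are rejected. Also consider whether a corrupt bound should be a hard failure (set rc and goto exit, as patch 2/6 does for a NULL key) rather than a log_err() that says "Warning" and lets the conversion continue with the rolebounds silently omitted from the CIL output.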
From: Nicolas Iooss To: selinux@vger.kernel.org Subject: [PATCH 2/6] libsepol: ensure that hashtab_search is not called with a NULL key Date: Wed, 30 Dec 2020 11:07:42 +0100 Message-Id: <20201230100746.2549568-2-nicolas.iooss@m4x.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201230100746.2549568-1-nicolas.iooss@m4x.org> References: <20201230100746.2549568-1-nicolas.iooss@m4x.org> MIME-Version: 1.0 X-AV-Checked: ClamAV using ClamSMTP at svoboda.polytechnique.org (Wed Dec 30 11:07:57 2020 +0100 (CET)) X-Org-Mail: nicolas.iooss.2010@polytechnique.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org While fuzzing /usr/libexec/hll/pp, a policy module was generated which triggered a NULL result when doing: key = pdb->sym_val_to_name[sym][i]; Detect such unexpected behavior to exit with an error instead of crashing. This issue has been found while fuzzing hll/pp with the American Fuzzy Lop. Signed-off-by: Nicolas Iooss --- libsepol/src/module_to_cil.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index c99790eb76e7..99360a9afdd0 100644 --- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c 
@@ -3459,6 +3459,10 @@ static int required_scopes_to_cil(int indent, struct policydb *pdb, struct avrul map = decl->required.scope[sym]; ebitmap_for_each_positive_bit(&map, node, i) { key = pdb->sym_val_to_name[sym][i]; + if (key == NULL) { + rc = -1; + goto exit; + } scope_datum = hashtab_search(pdb->scope[sym].table, key); if (scope_datum == NULL) { From patchwork Wed Dec 30 10:07:43 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Nicolas Iooss X-Patchwork-Id: 11993087 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 34ACBC433E0 for ; Wed, 30 Dec 2020 10:08:58 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id EC43B21D94 for ; Wed, 30 Dec 2020 10:08:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726276AbgL3KIm (ORCPT ); Wed, 30 Dec 2020 05:08:42 -0500 Received: from mx1.polytechnique.org ([129.104.30.34]:41254 "EHLO mx1.polytechnique.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726230AbgL3KIk (ORCPT ); Wed, 30 Dec 2020 05:08:40 -0500 Received: from localhost.localdomain (174.17.206.77.rev.sfr.net [77.206.17.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ssl.polytechnique.org (Postfix) with ESMTPSA id 9D99C565ABF for ; Wed, 30 Dec 2020 11:07:57 +0100 (CET) 
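Review bot: the `if (key == NULL)` check in the required_scopes_to_cil hunk of patch 2/6 fails silently: it sets rc = -1 and jumps to exit without saying which symbol table (sym) or which value (i) had no name, so someone converting a broken module only sees a generic failure. Log the condition before the goto, using the log_err() helper this file already uses, e.g. `log_err("Required symbol %u in table %d has no name", i, sym);` (check the format specifiers against the real types of i and sym). The hunk's context is cut off before it shows how the adjacent scope_datum == NULL case reports its failure, but that existing path is the one to mirror.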
From: Nicolas Iooss To: selinux@vger.kernel.org Subject: [PATCH 3/6] libsepol/cil: constify some strings Date: Wed, 30 Dec 2020 11:07:43 +0100 Message-Id: <20201230100746.2549568-3-nicolas.iooss@m4x.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201230100746.2549568-1-nicolas.iooss@m4x.org> References: <20201230100746.2549568-1-nicolas.iooss@m4x.org> MIME-Version: 1.0 X-AV-Checked: ClamAV using ClamSMTP at svoboda.polytechnique.org (Wed Dec 30 11:07:57 2020 +0100 (CET)) X-Org-Mail: nicolas.iooss.2010@polytechnique.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Function cil_add_file() copies its input into a newly-allocated buffer, and does not modify "name". State these properties in the types of parameters by adding "const" qualifiers. This enables using LibFuzzer directly on cil_add_file(), without a warning about discarding "const" qualifier: fuzz-secilc.c: In function ‘LLVMFuzzerTestOneInput’: fuzz-secilc.c:57:31: warning: passing argument 3 of ‘cil_add_file’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers] 57 | if (cil_add_file(db, "fuzz", data, size) != SEPOL_OK) | ^~~~ In file included from fuzz-secilc.c:26: /usr/include/sepol/cil/cil.h:45:57: note: expected ‘char *’ but argument is of type ‘const uint8_t *’ {aka ‘const unsigned char *’} 45 | extern int cil_add_file(cil_db_t *db, char *name, char *data, size_t size); | ~~~~~~^~~~ Signed-off-by: Nicolas Iooss Acked-by: James Carter --- libsepol/cil/include/cil/cil.h | 4 ++-- libsepol/cil/src/cil.c | 2 +- libsepol/cil/src/cil_log.c | 6 +++--- libsepol/cil/src/cil_parser.c | 2 +- libsepol/cil/src/cil_parser.h | 2 +- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/libsepol/cil/include/cil/cil.h b/libsepol/cil/include/cil/cil.h index f8cfc3be5015..e6f4503eb33a 100644 --- a/libsepol/cil/include/cil/cil.h +++ b/libsepol/cil/include/cil/cil.h 
@@ -42,7 +42,7 @@ typedef struct cil_db cil_db_t; extern void cil_db_init(cil_db_t **db); extern void cil_db_destroy(cil_db_t **db); -extern int cil_add_file(cil_db_t *db, char *name, char *data, size_t size); +extern int cil_add_file(cil_db_t *db, const char *name, const char *data, size_t size); extern int cil_compile(cil_db_t *db); extern int cil_build_policydb(cil_db_t *db, sepol_policydb_t **sepol_db); @@ -67,7 +67,7 @@ enum cil_log_level { CIL_INFO }; extern void cil_set_log_level(enum cil_log_level lvl); -extern void cil_set_log_handler(void (*handler)(int lvl, char *msg)); +extern void cil_set_log_handler(void (*handler)(int lvl, const char *msg)); #ifdef __GNUC__ __attribute__ ((format(printf, 2, 3))) diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c index bb7f06d5c4b3..99c8e288912c 100644 --- a/libsepol/cil/src/cil.c +++ b/libsepol/cil/src/cil.c @@ -500,7 +500,7 @@ void cil_root_destroy(struct cil_root *root) free(root); } -int cil_add_file(cil_db_t *db, char *name, char *data, size_t size) +int cil_add_file(cil_db_t *db, const char *name, const char *data, size_t size) { char *buffer = NULL; int rc; diff --git a/libsepol/cil/src/cil_log.c b/libsepol/cil/src/cil_log.c index b222b155120a..a8e4d2e94a78 100644 --- a/libsepol/cil/src/cil_log.c +++ b/libsepol/cil/src/cil_log.c @@ -37,14 +37,14 @@ static enum cil_log_level cil_log_level = CIL_ERR; -void cil_default_log_handler(__attribute__((unused)) int lvl, char *msg) +void cil_default_log_handler(__attribute__((unused)) int lvl, const char *msg) { fprintf(stderr, "%s", msg); } -void (*cil_log_handler)(int lvl, char *msg) = &cil_default_log_handler; +void (*cil_log_handler)(int lvl, const char *msg) = &cil_default_log_handler; -void cil_set_log_handler(void (*handler)(int lvl, char *msg)) +void cil_set_log_handler(void (*handler)(int lvl, const char *msg)) { cil_log_handler = handler; } 
diff --git a/libsepol/cil/src/cil_parser.c b/libsepol/cil/src/cil_parser.c index a8af1dce2c4b..b62043b95806 100644 --- a/libsepol/cil/src/cil_parser.c +++ b/libsepol/cil/src/cil_parser.c @@ -196,7 +196,7 @@ static void add_cil_path(struct cil_tree_node **current, char *path) insert_node(node, *current); } -int cil_parser(char *_path, char *buffer, uint32_t size, struct cil_tree **parse_tree) +int cil_parser(const char *_path, char *buffer, uint32_t size, struct cil_tree **parse_tree) { int paren_count = 0; diff --git a/libsepol/cil/src/cil_parser.h b/libsepol/cil/src/cil_parser.h index 02ecb784e95c..1cec63944fdf 100644 --- a/libsepol/cil/src/cil_parser.h +++ b/libsepol/cil/src/cil_parser.h 
@@ -32,6 +32,6 @@ #include "cil_tree.h" -int cil_parser(char *path, char *buffer, uint32_t size, struct cil_tree **parse_tree); +int cil_parser(const char *path, char *buffer, uint32_t size, struct cil_tree **parse_tree); #endif /* CIL_PARSER_H_ */ From patchwork Wed Dec 30 10:07:44 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicolas Iooss X-Patchwork-Id: 11993089 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.0 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,UNWANTED_LANGUAGE_BODY, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 48BD9C433E9 for ; Wed, 30 Dec 2020 10:08:58 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 12048221FA for ; Wed, 30 Dec 2020 10:08:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726230AbgL3KIm (ORCPT ); Wed, 30 Dec 2020 05:08:42 -0500 Received: from mx1.polytechnique.org ([129.104.30.34]:44150 "EHLO mx1.polytechnique.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725814AbgL3KIk (ORCPT ); Wed, 30 Dec 2020 05:08:40 -0500 Received: from localhost.localdomain (174.17.206.77.rev.sfr.net [77.206.17.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ssl.polytechnique.org (Postfix) with ESMTPSA id 47000565ABF for ; Wed, 30 Dec 2020 11:07:58 +0100 (CET) 
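Review bot: the cil.h hunk of patch 3/6 changes the callback type accepted by cil_set_log_handler from `void (*)(int lvl, char *msg)` to `void (*)(int lvl, const char *msg)`. That is a public-header API change: any out-of-tree handler still declared with `char *msg` will now produce an incompatible-pointer-type warning when registered. The commit message only discusses cil_add_file(); it should also state that cil_set_log_handler() and the internal cil_parser() prototype are constified, so downstream users know to update their handler signatures. One more note on the quoted fuzz harness: with cil_add_file() taking `const char *data`, passing a `const uint8_t *` still differs in signedness and will trigger -Wpointer-sign, so the harness needs an explicit `(const char *)data` cast on top of this patch.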
From: Nicolas Iooss To: selinux@vger.kernel.org Subject: [PATCH 4/6] libsepol/cil: fix NULL pointer dereference when parsing an improper integer Date: Wed, 30 Dec 2020 11:07:44 +0100 Message-Id: <20201230100746.2549568-4-nicolas.iooss@m4x.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201230100746.2549568-1-nicolas.iooss@m4x.org> References: <20201230100746.2549568-1-nicolas.iooss@m4x.org> MIME-Version: 1.0 X-AV-Checked: ClamAV using ClamSMTP at svoboda.polytechnique.org (Wed Dec 30 11:07:58 2020 +0100 (CET)) X-Org-Mail: nicolas.iooss.2010@polytechnique.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org OSS-Fuzz found a NULL pointer dereference when the CIL compiler tries to compile a policy with an invalid integer: $ echo '(ioportcon(2())n)' > tmp.cil $ secilc tmp.cil Segmentation fault (core dumped) This is because strtol() is called with a NULL pointer, in cil_fill_integer(). Fix this by checking that int_node->data is not NULL. While at it, use strtoul() instead of strtol() to parse an unsigned integer. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28456 Signed-off-by: Nicolas Iooss Acked-by: James Carter --- libsepol/cil/src/cil_build_ast.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c index 67801def0dc0..0c9015cef578 100644 --- a/libsepol/cil/src/cil_build_ast.c +++ b/libsepol/cil/src/cil_build_ast.c 
@@ -5566,15 +5566,15 @@ int cil_fill_integer(struct cil_tree_node *int_node, uint32_t *integer, int base { int rc = SEPOL_ERR; char *endptr = NULL; - int val; + unsigned long val; - if (int_node == NULL || integer == NULL) { + if (int_node == NULL || int_node->data == NULL || integer == NULL) { goto exit; } errno = 0; - val = strtol(int_node->data, &endptr, base); - if (errno != 0 || endptr == int_node->data || *endptr != '\0') { + val = strtoul(int_node->data, &endptr, base); + if (errno != 0 || endptr == int_node->data || *endptr != '\0' || val > UINT32_MAX) { rc = SEPOL_ERR; goto exit; } 
@@ -5594,7 +5594,7 @@ int cil_fill_integer64(struct cil_tree_node *int_node, uint64_t *integer, int ba char *endptr = NULL; uint64_t val; - if (int_node == NULL || integer == NULL) { + if (int_node == NULL || int_node->data == NULL || integer == NULL) { goto exit; } From patchwork Wed Dec 30 10:07:45 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicolas Iooss X-Patchwork-Id: 11993083 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.0 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,UNWANTED_LANGUAGE_BODY, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 15973C433E6 for ; Wed, 30 Dec 2020 10:08:58 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id C82A4221F8 for ; Wed, 30 Dec 2020 10:08:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726285AbgL3KIm (ORCPT ); Wed, 30 Dec 2020 05:08:42 -0500 Received: from mx1.polytechnique.org ([129.104.30.34]:60812 "EHLO mx1.polytechnique.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726276AbgL3KIl (ORCPT ); Wed, 30 Dec 2020 05:08:41 -0500 Received: from localhost.localdomain (174.17.206.77.rev.sfr.net [77.206.17.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ssl.polytechnique.org (Postfix) with ESMTPSA id DB365565ABF for ; Wed, 30 Dec 2020 11:07:58 +0100 (CET) 
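Review bot: in the cil_fill_integer hunk of patch 4/6, switching to strtoul() with a `val > UINT32_MAX` range check still accepts a leading minus sign. strtoul("-1", ...) returns ULONG_MAX without setting errno; on a 64-bit host that is rejected only because ULONG_MAX > UINT32_MAX, while on an LP32 platform ULONG_MAX == UINT32_MAX, so "-1" would be accepted as 4294967295. If negative literals are meant to be errors, reject them explicitly before calling strtoul (for example `if (*(const char *)int_node->data == '-') goto exit;`, after skipping leading whitespace if the grammar allows it). The same consideration applies to the cil_fill_integer64 path in the second hunk, which only gains the NULL check. The added `int_node->data == NULL` checks themselves are correct and match the reproducer in the commit message.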
From: Nicolas Iooss To: selinux@vger.kernel.org Subject: [PATCH 5/6] libsepol/cil: fix out-of-bound read in cil_print_recursive_blockinherit Date: Wed, 30 Dec 2020 11:07:45 +0100 Message-Id: <20201230100746.2549568-5-nicolas.iooss@m4x.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201230100746.2549568-1-nicolas.iooss@m4x.org> References: <20201230100746.2549568-1-nicolas.iooss@m4x.org> MIME-Version: 1.0 X-AV-Checked: ClamAV using ClamSMTP at svoboda.polytechnique.org (Wed Dec 30 11:07:59 2020 +0100 (CET)) X-Org-Mail: nicolas.iooss.2010@polytechnique.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org OSS-Fuzz found a heap buffer overflow (out-of-bound reads) when the CIL compiler tries to report a recursive blockinherit with an optional block: $ echo '(block b (optional o (blockinherit b)))' > tmp.cil $ secilc tmp.cil Segmentation fault (core dumped) This is because cil_print_recursive_blockinherit() assumes that all nodes are either CIL_BLOCK or CIL_BLOCKINHERIT. Add support for other block kinds, using cil_node_to_string() to show them. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28462 Signed-off-by: Nicolas Iooss Acked-by: James Carter --- libsepol/cil/src/cil_resolve_ast.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c index f6deb1002fbd..ecd05dfa5dab 100644 --- a/libsepol/cil/src/cil_resolve_ast.c +++ b/libsepol/cil/src/cil_resolve_ast.c 
@@ -2343,11 +2343,13 @@ void cil_print_recursive_blockinherit(struct cil_tree_node *bi_node, struct cil_ for (curr = bi_node; curr != terminating_node; curr = curr->parent) { if (curr->flavor == CIL_BLOCK) { cil_list_prepend(trace, CIL_NODE, curr); - } else { + } else if (curr->flavor == CIL_BLOCKINHERIT) { if (curr != bi_node) { cil_list_prepend(trace, CIL_NODE, NODE(((struct cil_blockinherit *)curr->data)->block)); } cil_list_prepend(trace, CIL_NODE, curr); + } else { + cil_list_prepend(trace, CIL_NODE, curr); } } cil_list_prepend(trace, CIL_NODE, terminating_node); 
@@ -2356,8 +2358,12 @@ void cil_print_recursive_blockinherit(struct cil_tree_node *bi_node, struct cil_ curr = item->data; if (curr->flavor == CIL_BLOCK) { cil_tree_log(curr, CIL_ERR, "block %s", DATUM(curr->data)->name); - } else { + } else if (curr->flavor == CIL_BLOCKINHERIT) { cil_tree_log(curr, CIL_ERR, "blockinherit %s", ((struct cil_blockinherit *)curr->data)->block_str); + } else if (curr->flavor == CIL_OPTIONAL) { + cil_tree_log(curr, CIL_ERR, "optional %s", DATUM(curr->data)->name); + } else { + cil_tree_log(curr, CIL_ERR, "%s", cil_node_to_string(curr)); } } From patchwork Wed Dec 30 10:07:46 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicolas Iooss X-Patchwork-Id: 11993091 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 90603C433DB for ; Wed, 30 Dec 2020 10:09:18 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 5730721D94 for ; Wed, 30 Dec 2020 10:09:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726305AbgL3KJS (ORCPT ); Wed, 30 Dec 2020 05:09:18 -0500 Received: from mx1.polytechnique.org ([129.104.30.34]:40532 "EHLO mx1.polytechnique.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726292AbgL3KJR (ORCPT ); Wed, 30 Dec 2020 05:09:17 -0500 Received: from localhost.localdomain (174.17.206.77.rev.sfr.net [77.206.17.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by 
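Review bot: in the first hunk of patch 5/6 (the trace-building loop in cil_print_recursive_blockinherit), all three branches now end with `cil_list_prepend(trace, CIL_NODE, curr);`, and the only branch-specific work is prepending the inherited block for CIL_BLOCKINHERIT nodes other than bi_node. The loop body could collapse to `if (curr->flavor == CIL_BLOCKINHERIT && curr != bi_node) { cil_list_prepend(trace, CIL_NODE, NODE(((struct cil_blockinherit *)curr->data)->block)); }` followed by a single `cil_list_prepend(trace, CIL_NODE, curr);`, which removes the duplicated call and makes it obvious that every node on the path, whatever its flavor, is traced. In the second hunk the new CIL_OPTIONAL case mirrors the CIL_BLOCK case via DATUM(curr->data)->name, and the final else prints only cil_node_to_string(curr), i.e. the flavor name without an identifier; that is a reasonable fallback, but a short comment saying it is intentional would help the next reader.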
ssl.polytechnique.org (Postfix) with ESMTPSA id 3269C565A70 for ; Wed, 30 Dec 2020 11:08:00 +0100 (CET) From: Nicolas Iooss To: selinux@vger.kernel.org Subject: [PATCH 6/6] libsepol/cil: destroy perm_datums when __cil_resolve_perms fails Date: Wed, 30 Dec 2020 11:07:46 +0100 Message-Id: <20201230100746.2549568-6-nicolas.iooss@m4x.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201230100746.2549568-1-nicolas.iooss@m4x.org> References: <20201230100746.2549568-1-nicolas.iooss@m4x.org> MIME-Version: 1.0 X-AV-Checked: ClamAV using ClamSMTP at svoboda.polytechnique.org (Wed Dec 30 11:08:00 2020 +0100 (CET)) X-Org-Mail: nicolas.iooss.2010@polytechnique.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org When __cil_resolve_perms fails, it does not destroy perm_datums, which leads to a memory leak reported by OSS-Fuzz with the following CIL policy: (class cl01()) (classorder(cl01)) (type at02) (type tpr3) (allow at02 tpr3(cl01((s)))) Calling cil_list_destroy() fixes the issue. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28466 Signed-off-by: Nicolas Iooss Acked-by: James Carter --- libsepol/cil/src/cil_resolve_ast.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c index ecd05dfa5dab..255f17ae7e30 100644 --- a/libsepol/cil/src/cil_resolve_ast.c +++ b/libsepol/cil/src/cil_resolve_ast.c @@ -146,6 +146,7 @@ static int __cil_resolve_perms(symtab_t *class_symtab, symtab_t *common_symtab, return SEPOL_OK; exit: + cil_list_destroy(perm_datums, CIL_FALSE); return rc; }
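Review bot: the added `cil_list_destroy(perm_datums, CIL_FALSE);` at the exit label of __cil_resolve_perms in patch 6/6 is only safe if every `goto exit` in the function is reached after *perm_datums has been initialized (or set to NULL), and the hunk's context does not show where the list is created; please confirm that, or make the destroy conditional on the list having been initialized. CIL_FALSE is the right choice here, since the perm datums are owned by class_symtab/common_symtab rather than by the list. If perm_datums is the caller's output pointer (cil_list_destroy takes a struct cil_list **), also check that no caller touches *perm_datums after a failure return, because it will have been destroyed by this hunk.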