From patchwork Tue May 10 18:20:36 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 12845414 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D4B28C433F5 for ; Tue, 10 May 2022 18:20:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242339AbiEJSYo (ORCPT ); Tue, 10 May 2022 14:24:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51238 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239685AbiEJSYn (ORCPT ); Tue, 10 May 2022 14:24:43 -0400 Received: from mail-ej1-x634.google.com (mail-ej1-x634.google.com [IPv6:2a00:1450:4864:20::634]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1130A31908 for ; Tue, 10 May 2022 11:20:45 -0700 (PDT) Received: by mail-ej1-x634.google.com with SMTP id bv19so34624197ejb.6 for ; Tue, 10 May 2022 11:20:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=from:to:subject:date:message-id:mime-version :content-transfer-encoding; bh=jBxXl34mzFXGfnMPFXnHl1QU7nCzfGccSj3Qld+7yeg=; b=AzDClVB+YPXdrBtEKcrhPsDD1IT3jYT18cAdFUzWrCx1ICQoclaQQuFyQdEuHpsB0M 3Y3/6YsMgMnK5aN6S8v6xZyivzgKjpUbchDQaV18tGuf9Jqxh8QD3wf4rNZTtP/FW9EE 9j7iYCYTLlwYRY5UbDJTNul2XIML5xQoVFGR1GrdhGgOq1gmCAqKqafoCV1xyMAnEg5h NCZ5PeSEXl37IPTLl0e/MvK+mT0zyOxVnt8qKsJ7DPvqzYh7Q4b9PHtPQOyNr0Xr7gEg fDgjKWTTKxyDRbRpG9J28xwY98E2sO5rRLIpzeprtrcwBz6mk8YZB9i2azI5xJIKuDbb kRSw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:mime-version :content-transfer-encoding; bh=jBxXl34mzFXGfnMPFXnHl1QU7nCzfGccSj3Qld+7yeg=; 
b=cMm/UroP8BYHy6mb8xN1GAf/TysOV5ZOHIMDlcSGj05r1Ma0LIJTrR7xJwnXEeYxH9 VNqptuIwJ9HvqZQdXbL2PwE41zYGRhge0GsMYrDUuKRsTAP8hvx9CTmvGDul7+Tq8jnI B0rAujBCz+HKsK8g2EXzYrcq+SjzWvHnea2as8CJW0cJy8Y3RnPDeRMIj17EtcDXbfko ve79xpGP+r6cXSryvh6ruQrvBOa6qFRKixg8fo3ORHI8yAIMRbs0J441YdMflowQbMBQ 5Hkegl2ZCaiPQR7NsvBNGDspFoN6K6j6P+ykao5mDSq9dpdnhWP/GVS/yFhTDUChbOsq T8iQ== X-Gm-Message-State: AOAM5319ZvZ4JeY4crxkoFB13bz1aReW+mA/h7eIcRoPrTbGEX/Ff+jD joyMh6I+D1jAIFeKjP918ns9nS+C/Mw= X-Google-Smtp-Source: ABdhPJx2a6vkaGW40P8wwOhEgID6/WRJw8RsIfYXJvx4FhG6aJcyCb8Nht0HtBrg0YVKfpLYJUAXSQ== X-Received: by 2002:a17:906:99c4:b0:6f4:56d2:4bbd with SMTP id s4-20020a17090699c400b006f456d24bbdmr21229365ejn.754.1652206843578; Tue, 10 May 2022 11:20:43 -0700 (PDT) Received: from debianHome.localdomain (dynamic-078-050-241-079.78.50.pool.telefonica.de. [78.50.241.79]) by smtp.gmail.com with ESMTPSA id p3-20020a056402154300b0042877d166fdsm5339947edx.38.2022.05.10.11.20.42 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 May 2022 11:20:43 -0700 (PDT) From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Subject: [RFC PATCH 1/4] libselinux: simplify policy path logic to avoid uninitialized read Date: Tue, 10 May 2022 20:20:36 +0200 Message-Id: <20220510182039.28771-1-cgzones@googlemail.com> X-Mailer: git-send-email 2.36.1 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org In case the function __policy_init() gets called with a NULL pointer, the stack variable path remains uninitialized (except at its last index). If parsing the binary policy fails in sepol_policydb_read() the error branch would access those uninitialized memory. Signed-off-by: Christian Göttsche Acked-by: James Carter --- libselinux/src/audit2why.c | 34 +++++++++++++--------------------- 1 file changed, 13 insertions(+), 21 deletions(-) diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c index ca38e13c..44a9a341 100644 --- a/libselinux/src/audit2why.c 
+++ b/libselinux/src/audit2why.c @@ -192,25 +192,16 @@ static PyObject *finish(PyObject *self __attribute__((unused)), PyObject *args) static int __policy_init(const char *init_path) { FILE *fp; - char path[PATH_MAX]; + const char *curpolicy; char errormsg[PATH_MAX+1024+20]; struct sepol_policy_file *pf = NULL; int rc; unsigned int cnt; - path[PATH_MAX-1] = '\0'; if (init_path) { - strncpy(path, init_path, PATH_MAX-1); - fp = fopen(path, "re"); - if (!fp) { - snprintf(errormsg, sizeof(errormsg), - "unable to open %s: %m\n", - path); - PyErr_SetString( PyExc_ValueError, errormsg); - return 1; - } + curpolicy = init_path; } else { - const char *curpolicy = selinux_current_policy_path(); + curpolicy = selinux_current_policy_path(); if (!curpolicy) { /* SELinux disabled, must use -p option. */ snprintf(errormsg, sizeof(errormsg), @@ -218,14 +209,15 @@ static int __policy_init(const char *init_path) PyErr_SetString( PyExc_ValueError, errormsg); return 1; } - fp = fopen(curpolicy, "re"); - if (!fp) { - snprintf(errormsg, sizeof(errormsg), - "unable to open %s: %m\n", - curpolicy); - PyErr_SetString( PyExc_ValueError, errormsg); - return 1; - } + } + + fp = fopen(curpolicy, "re"); + if (!fp) { + snprintf(errormsg, sizeof(errormsg), + "unable to open %s: %m\n", + curpolicy); + PyErr_SetString( PyExc_ValueError, errormsg); + return 1; } avc = calloc(sizeof(struct avc_t), 1); 
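Review bot: `curpolicy` now aliases either the caller's `init_path` or the string returned by `selinux_current_policy_path()`, and nothing at the declaration says that `__policy_init()` does not own it. It is read again in the `invalid binary policy` message of the later hunk, so it must stay valid for the rest of the function; a one-line comment above the declaration, such as `/* borrowed: init_path or the current policy path; never freed or modified here */`, would record that. Dropping the `strncpy()` also means a long `init_path` is no longer cut to `PATH_MAX-1` before `fopen()`, and only the `snprintf()` into `errormsg` bounds it in the messages; that is safe, but worth stating in the commit message. The function body continues outside the hunk.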
@@ -249,7 +241,7 @@ static int __policy_init(const char *init_path) sepol_policy_file_set_fp(pf, fp); if (sepol_policydb_read(avc->policydb, pf)) { snprintf(errormsg, sizeof(errormsg), - "invalid binary policy %s\n", path); + "invalid binary policy %s\n", curpolicy); PyErr_SetString( PyExc_ValueError, errormsg); fclose(fp); return 1; From patchwork Tue May 10 18:20:37 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 12845415 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 351C2C433EF for ; Tue, 10 May 2022 18:20:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239685AbiEJSYo (ORCPT ); Tue, 10 May 2022 14:24:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51288 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242059AbiEJSYn (ORCPT ); Tue, 10 May 2022 14:24:43 -0400 Received: from mail-ej1-x62e.google.com (mail-ej1-x62e.google.com [IPv6:2a00:1450:4864:20::62e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B25FA33E18 for ; Tue, 10 May 2022 11:20:45 -0700 (PDT) Received: by mail-ej1-x62e.google.com with SMTP id g6so34632297ejw.1 for ; Tue, 10 May 2022 11:20:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=kVvpLcS3d99OpL262ctdqKvbJMGHTK6PLVCH1M59eI0=; b=XTyx49ErI6Wy6sQ3osgDZhAvSR/4+TNnMETZF+knENMROvHksIpinBfv+arOB9OiPt lhELRWYsuN7wgcE6aRDuJiqYczTLLwN1ATOOd3T7WHDSMYxBjS8AnBnVpJkqNwshRZpq iR4aDKnBgvpxRTTXJj9zeobWuxEJxi9MH8PFZhbmpnyPJ0oXPBFpA32kpIDVZ3pXw3cT 
TtIsj0ZGMhOlV6OaM3bK8plncJ53UMDVi9O36FUpX+2vyr2+FsHdtPvzaXEWyqXOibt+ IlYn5t+5EDLtlBeu6mgx9dJ8CSNvMnThSh5GBL96caDfF1kFUXlRvRDOr/29f9Fnln47 wUjQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=kVvpLcS3d99OpL262ctdqKvbJMGHTK6PLVCH1M59eI0=; b=j58cYB76vZ1ybdC3ryYkING3J/L0te1eWKuzmb7GFi/QlQTTqf7GSyVWMPTZ21qWRk FR4WQMFSlXmZHWJTK0X/qOgGDRMXF2iXjO3mrJuixDrkyATSQuJBThm4cBIlINExnl2k R9HGrY1YYtz5zXqXruaOSOqOE050tNiikLz1DAWLYlEY3qknnoVlIKVOICJ6FuP0DdIA QpLDZFjXZvZrEN9uP/Ldefy5UhUyBsEWiaO9tYwQVB4XXftT1D00LMcDKe25QOLB2PD1 CW8alBdohScR/UNBrCqQ2oHyGMNxwCAjNX8qpWHW1sy41kAxmfFYk8l7mpZZDrqL/LYP QsfA== X-Gm-Message-State: AOAM531Bx1vHegeej0SyWGbKxQWrdf+8KSU8HOEQSPfYu/k9JILJ1Z4X dAv9zy0caWhoCDFz1RkADoloj++qUNo= X-Google-Smtp-Source: ABdhPJxbEjNmwqC4pTrXNZyFYyVGbfzDK4GMeEeSdXJv2Zg3nClFwZ0IsYBbE1DczZ2kQdO/ppS4AQ== X-Received: by 2002:a17:907:94cf:b0:6f5:942:5db7 with SMTP id dn15-20020a17090794cf00b006f509425db7mr21391991ejc.625.1652206844272; Tue, 10 May 2022 11:20:44 -0700 (PDT) Received: from debianHome.localdomain (dynamic-078-050-241-079.78.50.pool.telefonica.de. [78.50.241.79]) by smtp.gmail.com with ESMTPSA id p3-20020a056402154300b0042877d166fdsm5339947edx.38.2022.05.10.11.20.43 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 May 2022 11:20:43 -0700 (PDT) From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Subject: [RFC PATCH 2/4] libselinux: add header guard for internal header Date: Tue, 10 May 2022 20:20:37 +0200 Message-Id: <20220510182039.28771-2-cgzones@googlemail.com> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220510182039.28771-1-cgzones@googlemail.com> References: <20220510182039.28771-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org 
Signed-off-by: Christian Göttsche --- libselinux/src/selinux_internal.h | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h index 297dcf26..9f4c9073 100644 --- a/libselinux/src/selinux_internal.h +++ b/libselinux/src/selinux_internal.h @@ -1,3 +1,6 @@ +#ifndef SELINUX_INTERNAL_H_ +#define SELINUX_INTERNAL_H_ + #include #include 
@@ -90,3 +93,5 @@ extern int selinux_page_size ; #define SELINUXCONFIG SELINUXDIR "config" extern int has_selinux_config ; + +#endif /* SELINUX_INTERNAL_H_ */ From patchwork Tue May 10 18:20:38 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 12845416 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0D259C433EF for ; Tue, 10 May 2022 18:20:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242421AbiEJSYr (ORCPT ); Tue, 10 May 2022 14:24:47 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51616 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242059AbiEJSYq (ORCPT ); Tue, 10 May 2022 14:24:46 -0400 Received: from mail-ej1-x633.google.com (mail-ej1-x633.google.com [IPv6:2a00:1450:4864:20::633]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7611035860 for ; Tue, 10 May 2022 11:20:46 -0700 (PDT) Received: by mail-ej1-x633.google.com with SMTP id i27so34590419ejd.9 for ; Tue, 10 May 2022 11:20:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=C+mwM3ujfpjc0+acHLGDniw9/hhwIyhdGzExpNHmTww=; b=Gfml8NYEGbNHBdBKbhRAz8kDzakAmKzg1+i0Ylus7ZsuZcDZ3SyNftF/TaCYuJK5uk JjoVscS8qhM8E9RC1vbKkekYaCujnL7RpbwZXxjf5+5N8DO29wKbvDboZIKYLTxA2cAA 7AR36OZUqhT1Ro5msPLpSC72fpUwHkAduJ7FLJS1I37I2XN0Z7VVAiDqNdVL2toTleWx sTTwoQxLcS7d9LvJ/e7u0ZGkwin3/6KgQ9GyXlTPogO7M1jvGzkAM7aXAL3M5iDnq86/ h4A6YRFZUNLOBuR2+3+v0FQUiR6kLcqSgsWZGZNcJ18ZaXsYpEIeosWqKzxrnmMdBjF8 btbw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; 
h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=C+mwM3ujfpjc0+acHLGDniw9/hhwIyhdGzExpNHmTww=; b=yv7bZDUSH8k4bDsG3VTh416MQoCuW2abaD+9j80LmVCTeZ4uzEaQlZcRvhpl1QTTPz 86ZJhkl6daZzUTkBwQgwzuMAG2L9G69hxXdP7kGJaZCsaxgZ5iVdpMADoUlrnlZR3IvL TridmfoJSCdlLxjMLmNHPmDHKoWhfDLCAN99PbZU02WttGPM9yCHBns73HEuddNITkJp xTxu+eTW+tBE/9cbg3vk3gHu7NAzx884YU9gTFZSjfjJMPlZRuPD62pQxxz+ekda/4om x94UaGk1CsR9SAHgyXRYeIsABTUg5Yi6D3jS7RS1bynJXZYZRvtoWRvKIFqIAhxcgjZu LIdw== X-Gm-Message-State: AOAM530tSxf8mJCIs/nO9JFZ7ZAgkWWVUfOeIF6WyeqCXYl+5fYrOGoA 60BIiZ81GIJfcmfudjer8Hmi3aRpy1U= X-Google-Smtp-Source: ABdhPJxrK+zAs5DhEa1Gb7PvJ+oGxJJ3rWjKWV/ZTtj0oUKVhpsVFHcbKu2NPgTlk0OeQREso5comg== X-Received: by 2002:a17:907:7810:b0:6e7:ef73:8326 with SMTP id la16-20020a170907781000b006e7ef738326mr20382521ejc.429.1652206844934; Tue, 10 May 2022 11:20:44 -0700 (PDT) Received: from debianHome.localdomain (dynamic-078-050-241-079.78.50.pool.telefonica.de. [78.50.241.79]) by smtp.gmail.com with ESMTPSA id p3-20020a056402154300b0042877d166fdsm5339947edx.38.2022.05.10.11.20.44 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 May 2022 11:20:44 -0700 (PDT) From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Subject: [RFC PATCH 3/4] libselinux: introduce strlcpy Date: Tue, 10 May 2022 20:20:38 +0200 Message-Id: <20220510182039.28771-3-cgzones@googlemail.com> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220510182039.28771-1-cgzones@googlemail.com> References: <20220510182039.28771-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org To copy string safely, by always NULL-terminating them, and provide an easy way to check for truncation introduce the nonstandard function strlcpy(3). Use the system implementation if available. 
Signed-off-by: Christian Göttsche --- libselinux/src/Makefile | 6 ++++++ libselinux/src/selinux_internal.c | 18 ++++++++++++++++++ libselinux/src/selinux_internal.h | 4 ++++ 3 files changed, 28 insertions(+) create mode 100644 libselinux/src/selinux_internal.c diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index 04bf4f24..88aa32f8 100644 --- a/libselinux/src/Makefile +++ b/libselinux/src/Makefile @@ -103,6 +103,12 @@ FTS_LDLIBS ?= override CFLAGS += -I../include -D_GNU_SOURCE $(DISABLE_FLAGS) $(PCRE_CFLAGS) +# check for strlcpy(3) availability +H := \# +ifeq (yes,$(shell printf '${H}include \nint main(void){char*d,*s;strlcpy(d, s, 0);return 0;}' | $(CC) -x c -o /dev/null - >/dev/null 2>&1 && echo yes)) +override CFLAGS += -DHAVE_STRLCPY +endif + SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable -Wno-unused-parameter \ -Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations \ -Wno-deprecated-declarations diff --git a/libselinux/src/selinux_internal.c b/libselinux/src/selinux_internal.c new file mode 100644 index 00000000..c2be7c0a --- /dev/null +++ b/libselinux/src/selinux_internal.c @@ -0,0 +1,18 @@ +#include "selinux_internal.h" + +#include + + +#ifndef HAVE_STRLCPY +size_t strlcpy(char *dest, const char *src, size_t size) +{ + size_t ret = strlen(src); + + if (size) { + size_t len = (ret >= size) ? size - 1 : ret; + memcpy(dest, src, len); + dest[len] = '\0'; + } + return ret; +} +#endif /* HAVE_STRLCPY */ diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h index 9f4c9073..06f2c038 100644 --- a/libselinux/src/selinux_internal.h +++ b/libselinux/src/selinux_internal.h 
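Review bot: The strlcpy probe runs `$(CC) -x c -o /dev/null -` without the build's `$(CFLAGS)` or `$(LDFLAGS)`, although the context line just above shows the real build adding `-D_GNU_SOURCE` and other flags, so the probe can test a different sysroot, libc or feature-macro set than the library is compiled against. A wrong "yes" defines `HAVE_STRLCPY` and leaves the library with no `strlcpy` at all; a wrong "no" compiles the fallback next to the libc one. Passing the same flags, `| $(CC) $(CFLAGS) $(LDFLAGS) -x c -o /dev/null - >/dev/null 2>&1 && echo yes`, keeps the probe and the build in agreement. Because stderr is discarded, a probe that fails for an unrelated reason silently selects the fallback, which a short comment above the `ifeq` should say.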
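Review bot: The fallback in selinux_internal.c is defined under the libc name `strlcpy` with external linkage. Unless the library's symbol map or visibility settings hide it (not visible on this page), it becomes part of what libselinux exports and can collide with, or take precedence over, another `strlcpy` in a program that links the static archive. Marking the declaration hidden, for example with `__attribute__((visibility("hidden")))`, or giving it a project-internal name would avoid that. The function also deserves a short header comment stating the contract that patch 4/4 relies on: at most `size - 1` bytes are copied, the result is NUL-terminated whenever `size` is non-zero, and the return value is `strlen(src)`, so truncation shows as a return value `>= size`. `src` has to be a valid NUL-terminated string, because `strlen(src)` runs before any bound is applied.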
@@ -94,4 +94,8 @@ extern int selinux_page_size ; extern int has_selinux_config ; +#ifndef HAVE_STRLCPY +size_t strlcpy(char *dest, const char *src, size_t size); +#endif + #endif /* SELINUX_INTERNAL_H_ */ From patchwork Tue May 10 18:20:39 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 12845417 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9EBCEC433EF for ; Tue, 10 May 2022 18:20:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345384AbiEJSYt (ORCPT ); Tue, 10 May 2022 14:24:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51692 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242650AbiEJSYr (ORCPT ); Tue, 10 May 2022 14:24:47 -0400 Received: from mail-ej1-x62b.google.com (mail-ej1-x62b.google.com [IPv6:2a00:1450:4864:20::62b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 655EE33E18 for ; Tue, 10 May 2022 11:20:47 -0700 (PDT) Received: by mail-ej1-x62b.google.com with SMTP id ks9so28190395ejb.2 for ; Tue, 10 May 2022 11:20:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=m0ZZIM1jYTPOi/+Cnxi42QrrjY8MArH1CZ7vK8K+Q2U=; b=LVdTaSgL+A+vKqE81u/p5mHGL9qxeD5uP7winkhlndnfzPy+SOeIFzbCYcHAEHCPp2 3bVOl0zQebkojEC6Uo4SjXjkaphYCNASziWpcMo0FNjktAFqnhAtG8w8i/pzCS97DIa+ 47jHi4hfp9CT6bVtGl2jtvUiokPbeo8n9kGqA2jM6HLzfSykYjfmRMmOze0tK3xmCWog Kh1DZpW6ibswF7LOXdV/bbb+4QafP9VkltZvpg7ibixpDvMPAwGYTI4A9IGPqqmwbkq4 3QbcuP7EzYXP++GBNMpK2Zt/H7qWxMZEnpOQC0nZOoK+IYBbfr66oRnZSl8yqFnSkxZr eLyA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; 
c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=m0ZZIM1jYTPOi/+Cnxi42QrrjY8MArH1CZ7vK8K+Q2U=; b=kzSsEumBSvdnO7POCebt4jd8OaOS3zKATFvxCkeLKn2CWkx/84h0Ek1vmBWkyeUDN+ 3leLknYzThJLnVlpYtA9QNLl8X1PHJ2GdJ6blsySuBWHUrqsF7iaI1EnpJvjMZlFou9V 8rkK2s9AMI7ZkFQwUSd6ZgkFYZlP2s6bSbuQY+U85bexDyjN1WgQ8cbpuLnCQa66S90N A1IIX8hmJgycG6T5SCubt/vwqEmbDLS3VOwMuoKMAKbSlGGJr+XiGZVeik6tnA+9Oisx l5bpNfoAtbNKUGMoSXgI8Vi3DkgYsnhe7eZtnZrdOLEfUggHFynzdO3qt3uXxKGnI2Fu DBCw== X-Gm-Message-State: AOAM532og3ThY9YefaDcpTuHbc6tG9P1hWGsgcT+eb5MnP70Gws4ZJK+ 2oBFieceUrwpigk1SAWrAMhc/1Fj8ls= X-Google-Smtp-Source: ABdhPJzwWpDkZEHIQiupEfJrgJ7cc/m10mCl1cKQP5CNGYbewLcNz17fxHXcIs6vk6LRrGLioUDFrA== X-Received: by 2002:a17:906:6a10:b0:6f5:5e4:9d5 with SMTP id qw16-20020a1709066a1000b006f505e409d5mr20482202ejc.122.1652206845838; Tue, 10 May 2022 11:20:45 -0700 (PDT) Received: from debianHome.localdomain (dynamic-078-050-241-079.78.50.pool.telefonica.de. [78.50.241.79]) by smtp.gmail.com with ESMTPSA id p3-20020a056402154300b0042877d166fdsm5339947edx.38.2022.05.10.11.20.45 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 May 2022 11:20:45 -0700 (PDT) From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Subject: [RFC PATCH 4/4] libselinux: check for truncations Date: Tue, 10 May 2022 20:20:39 +0200 Message-Id: <20220510182039.28771-4-cgzones@googlemail.com> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220510182039.28771-1-cgzones@googlemail.com> References: <20220510182039.28771-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Check for truncations when building or copying strings involving user input. 
Signed-off-by: Christian Göttsche --- libselinux/src/canonicalize_context.c | 6 +++++- libselinux/src/compute_av.c | 7 ++++++- libselinux/src/compute_create.c | 6 ++++++ libselinux/src/compute_member.c | 7 ++++++- libselinux/src/compute_relabel.c | 7 ++++++- libselinux/src/compute_user.c | 7 ++++++- libselinux/src/selinux_restorecon.c | 11 ++++++++++- libselinux/src/setrans_client.c | 8 +++++++- 8 files changed, 52 insertions(+), 7 deletions(-) diff --git a/libselinux/src/canonicalize_context.c b/libselinux/src/canonicalize_context.c index faab7305..8a22a4cd 100644 --- a/libselinux/src/canonicalize_context.c +++ b/libselinux/src/canonicalize_context.c @@ -33,7 +33,11 @@ int security_canonicalize_context_raw(const char * con, ret = -1; goto out; } - strncpy(buf, con, size); + if (strlcpy(buf, con, size) >= size) { + errno = EOVERFLOW; + ret = -1; + goto out; + } ret = write(fd, buf, strlen(buf) + 1); if (ret < 0) diff --git a/libselinux/src/compute_av.c b/libselinux/src/compute_av.c index 9d17339d..e513be6a 100644 --- a/libselinux/src/compute_av.c +++ b/libselinux/src/compute_av.c @@ -40,8 +40,13 @@ int security_compute_av_flags_raw(const char * scon, } kclass = unmap_class(tclass); - snprintf(buf, len, "%s %s %hu %x", scon, tcon, + + ret = snprintf(buf, len, "%s %s %hu %x", scon, tcon, kclass, unmap_perm(tclass, requested)); + if (ret < 0 || ret >= len) { + errno = EOVERFLOW; + goto out2; + } ret = write(fd, buf, strlen(buf)); if (ret < 0) diff --git a/libselinux/src/compute_create.c b/libselinux/src/compute_create.c index 1d75714d..4cba2d2f 100644 --- a/libselinux/src/compute_create.c +++ b/libselinux/src/compute_create.c @@ -75,8 +75,14 @@ int security_compute_create_name_raw(const char * scon, ret = -1; goto out; } + len = snprintf(buf, size, "%s %s %hu", scon, tcon, unmap_class(tclass)); + if (len < 0 || len >= size) { + errno = EOVERFLOW; + goto out2; + } + if (objname && object_name_encode(objname, buf + len, size - len) < 0) { errno = ENAMETOOLONG; 
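Review bot: In security_canonicalize_context_raw() the new truncation branch leaves through `goto out`, whereas every other truncation branch added by this patch in the compute_*.c files leaves through `goto out2`. The labels are outside the hunk, but if `out2` is the one that frees `buf`, as the `goto out2` branches added at the same point in the other hunks suggest, this path leaks the buffer each time an over-long context is passed in. The branch should probably read `errno = EOVERFLOW; ret = -1; goto out2;`.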
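Review bot: The truncation branch in security_compute_av_flags_raw() jumps to `out2` while `ret` still holds snprintf()'s result, which is non-negative whenever the `ret >= len` half of the test fired. If `out2` returns `ret` unchanged (the label is outside the hunk), a caller that only checks for a negative return would treat the rejected request as answered, even though `errno` is set and nothing was written to the kernel. Adding `ret = -1;` before `goto out2;` fixes it, as the canonicalize_context.c hunk already does. The same line is missing in the compute_member.c, compute_relabel.c and compute_user.c hunks, and in compute_create.c the result goes into `len`, so `ret` is not assigned on the new branch at all. If `len` and `size` are `size_t`, writing the test as `ret < 0 || (size_t)ret >= len` makes the signed-to-unsigned comparison explicit.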
diff --git a/libselinux/src/compute_member.c b/libselinux/src/compute_member.c index 16234b79..82d76080 100644 --- a/libselinux/src/compute_member.c +++ b/libselinux/src/compute_member.c @@ -36,7 +36,12 @@ int security_compute_member_raw(const char * scon, ret = -1; goto out; } - snprintf(buf, size, "%s %s %hu", scon, tcon, unmap_class(tclass)); + + ret = snprintf(buf, size, "%s %s %hu", scon, tcon, unmap_class(tclass)); + if (ret < 0 || ret >= size) { + errno = EOVERFLOW; + goto out2; + } ret = write(fd, buf, strlen(buf)); if (ret < 0) diff --git a/libselinux/src/compute_relabel.c b/libselinux/src/compute_relabel.c index dd20d652..96259bac 100644 --- a/libselinux/src/compute_relabel.c +++ b/libselinux/src/compute_relabel.c @@ -36,7 +36,12 @@ int security_compute_relabel_raw(const char * scon, ret = -1; goto out; } - snprintf(buf, size, "%s %s %hu", scon, tcon, unmap_class(tclass)); + + ret = snprintf(buf, size, "%s %s %hu", scon, tcon, unmap_class(tclass)); + if (ret < 0 || ret >= size) { + errno = EOVERFLOW; + goto out2; + } ret = write(fd, buf, strlen(buf)); if (ret < 0) diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c index ae5e7b4a..23a551e4 100644 --- a/libselinux/src/compute_user.c +++ b/libselinux/src/compute_user.c @@ -38,7 +38,12 @@ int security_compute_user_raw(const char * scon, ret = -1; goto out; } - snprintf(buf, size, "%s %s", scon, user); + + ret = snprintf(buf, size, "%s %s", scon, user); + if (ret < 0 || ret >= size) { + errno = EOVERFLOW; + goto out2; + } ret = write(fd, buf, strlen(buf)); if (ret < 0) diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c index e6192912..7436dab5 100644 --- a/libselinux/src/selinux_restorecon.c +++ b/libselinux/src/selinux_restorecon.c 
@@ -940,7 +940,16 @@ loop_body: } /* fall through */ default: - strcpy(ent_path, ftsent->fts_path); + if (strlcpy(ent_path, ftsent->fts_path, sizeof(ent_path)) >= sizeof(ent_path)) { + selinux_log(SELINUX_ERROR, + "Path name too long on %s.\n", + ftsent->fts_path); + errno = ENAMETOOLONG; + state->error = -1; + state->abort = true; + goto finish; + } + ent_st = *ftsent->fts_statp; if (state->parallel) pthread_mutex_unlock(&state->mutex); diff --git a/libselinux/src/setrans_client.c b/libselinux/src/setrans_client.c index faa12681..920f9032 100644 --- a/libselinux/src/setrans_client.c +++ b/libselinux/src/setrans_client.c @@ -66,7 +66,13 @@ static int setransd_open(void) memset(&addr, 0, sizeof(addr)); addr.sun_family = AF_UNIX; - strncpy(addr.sun_path, SETRANS_UNIX_SOCKET, sizeof(addr.sun_path)); + + if (strlcpy(addr.sun_path, SETRANS_UNIX_SOCKET, sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) { + close(fd); + errno = EOVERFLOW; + return -1; + } + if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) { close(fd); return -1;
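Review bot: In the selinux_restorecon.c hunk the new failure branch leaves via `goto finish` before the `if (state->parallel) pthread_mutex_unlock(&state->mutex);` that follows in the context lines, so in parallel mode the jump is taken with `state->mutex` still held. The `finish` label is outside the hunk; if it does not release the mutex, the other worker threads will block forever on a single over-long path. Please confirm that `finish` unlocks, or jump to a label that unlocks first. A comment on the branch such as `/* state->mutex is still held here in parallel mode */` would make the requirement visible to the next editor.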