From patchwork Thu Jul 13 18:08:12 2023
X-Patchwork-Id: 13312569
X-Patchwork-Delegate: plautrba@redhat.com
From: Christian Göttsche
To: selinux@vger.kernel.org
Subject: [PATCH 1/5] libsepol: free memory on str_read() failures
Date: Thu, 13 Jul 2023 20:08:12 +0200
Message-Id: <20230713180816.101924-1-cgzones@googlemail.com>

If str_read() fails to read the next entry it has already allocated memory for it. Free the passed pointer also in the error case.

Reported-by: oss-fuzz (issue 60567)
Signed-off-by: Christian Göttsche
---
 libsepol/src/avtab.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c index 99fdaa87..5c76fe12 100644 --- a/libsepol/src/avtab.c 
+++ b/libsepol/src/avtab.c @@ -857,7 +857,7 @@ static int filename_trans_read_one(avtab_t *a, void *fp) len = le32_to_cpu(*buf); rc = str_read(&name, fp, len); if (rc < 0) - return SEPOL_ERR; + goto err; /* read stype, ttype, tclass and otype */ rc = next_entry(buf, fp, sizeof(uint32_t) * 4); 
@@ -898,7 +898,7 @@ static int filename_trans_comp_read_one(avtab_t *a, void *fp) len = le32_to_cpu(*buf); rc = str_read(&name, fp, len); if (rc < 0) - return SEPOL_ERR; + goto err; /* read ttype, tclass, ndatum */ rc = next_entry(buf, fp, sizeof(uint32_t) * 3); From patchwork Thu Jul 13 18:08:13 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 13312570 X-Patchwork-Delegate: plautrba@redhat.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7E995C001DD for ; Thu, 13 Jul 2023 18:08:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231559AbjGMSI3 (ORCPT ); Thu, 13 Jul 2023 14:08:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37486 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230337AbjGMSI2 (ORCPT ); Thu, 13 Jul 2023 14:08:28 -0400 Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B6EFF26AF for ; Thu, 13 Jul 2023 11:08:27 -0700 (PDT) Received: by mail-ej1-x629.google.com with SMTP id a640c23a62f3a-98e39784a85so486173366b.1 for ; Thu, 13 Jul 2023 11:08:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20221208; t=1689271706; x=1691863706; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=lchxOczmm5cZB2cVIOEYHs4c/47r6m/AH5EZQgn+3ps=; b=PKILVafPl39bDJMrafsdka23s5QWHPPCenGrqDy3KM4Rchmi8dzxYpQmtUbqkTb0/Z 1hHTVRSrtarRY0NclkxQnuaNJmid+ODL+KrK7/MZ03HQKgrMKhayjq82ZI9tFTX2jt0Y 
From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Subject: [PATCH 2/5] libsepol: reject avtab entries with invalid specifier Date: Thu, 13 Jul 2023 20:08:13 +0200 Message-Id: <20230713180816.101924-2-cgzones@googlemail.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230713180816.101924-1-cgzones@googlemail.com> References: <20230713180816.101924-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Neverallow avtab entries are not supported (normal and extended). Reject them to avoid lookup confusions via avtab_search(), e.g. when searching for a invalid key of AVTAB_TRANSITION|AVTAB_NEVERALLOW and the result of only AVTAB_NEVERALLOW has no transition value. Simplify the check for the number of specifiers by using the compiler popcount builtin (already used in libsepol). Reported-by: oss-fuzz (issue 60568) Signed-off-by: Christian Göttsche --- libsepol/src/avtab.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c index 5c76fe12..7b85519b 100644 --- a/libsepol/src/avtab.c +++ b/libsepol/src/avtab.c @@ -564,7 +564,6 @@ int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a, avtab_datum_t datum; avtab_trans_t trans; avtab_extended_perms_t xperms; - unsigned set; unsigned int i; int rc; 
@@ -666,13 +665,13 @@ int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a, key.target_class = le16_to_cpu(buf16[items++]); key.specified = le16_to_cpu(buf16[items++]); - set = 0; - for (i = 0; i < ARRAY_SIZE(spec_order); i++) { - if (key.specified & spec_order[i]) - set++; + if (key.specified & ~(AVTAB_AV | AVTAB_TYPE | AVTAB_XPERMS | AVTAB_ENABLED)) { + ERR(fp->handle, "invalid specifier"); + return -1; } - if (!set || set > 1) { - ERR(fp->handle, "more than one specifier"); + + if (__builtin_popcount(key.specified & ~AVTAB_ENABLED) != 1) { + ERR(fp->handle, "not exactly one specifier"); return -1; } From patchwork Thu Jul 13 18:08:14 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 13312571 X-Patchwork-Delegate: plautrba@redhat.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 53A10C001E0 for ; Thu, 13 Jul 2023 18:08:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231539AbjGMSIb (ORCPT ); Thu, 13 Jul 2023 14:08:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37492 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229611AbjGMSI3 (ORCPT ); Thu, 13 Jul 2023 14:08:29 -0400 Received: from mail-ej1-x636.google.com (mail-ej1-x636.google.com [IPv6:2a00:1450:4864:20::636]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6A7DC26BB for ; Thu, 13 Jul 2023 11:08:28 -0700 (PDT) Received: by mail-ej1-x636.google.com with SMTP id a640c23a62f3a-98df3dea907so142374366b.3 for ; Thu, 13 Jul 2023 11:08:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20221208; t=1689271707; x=1691863707; 
From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Subject: [PATCH 3/5] libsepol: free ebitmap in filename_trans_comp_read_one() Date: Thu, 13 Jul 2023 20:08:14 +0200 Message-Id: <20230713180816.101924-3-cgzones@googlemail.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230713180816.101924-1-cgzones@googlemail.com> References: <20230713180816.101924-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org ebitmap_read() might fail in between, but always calls ebitmap_init(), so ebitmap_destopy() is safe to call. Signed-off-by: Christian Göttsche --- libsepol/src/avtab.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c index 7b85519b..9c7daf8e 100644 --- a/libsepol/src/avtab.c +++ b/libsepol/src/avtab.c @@ -912,7 +912,7 @@ static int filename_trans_comp_read_one(avtab_t *a, void *fp) for (i = 0; i < ndatum; i++) { rc = ebitmap_read(&stypes, fp); if (rc < 0) - goto err; + goto err_ebitmap; rc = next_entry(buf, fp, sizeof(uint32_t)); if (rc < 0) 
@@ -928,6 +928,8 @@ static int filename_trans_comp_read_one(avtab_t *a, void *fp) if (rc < 0) goto err_ebitmap; } + + ebitmap_destroy(&stypes); } free(name); From patchwork Thu Jul 13 18:08:15 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 13312573 X-Patchwork-Delegate: plautrba@redhat.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id CA787C001B0 for ; Thu, 13 Jul 2023 18:08:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229611AbjGMSIb (ORCPT ); Thu, 13 Jul 2023 14:08:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37506 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231561AbjGMSIa (ORCPT ); Thu, 13 Jul 2023 14:08:30 -0400 Received: from mail-ej1-x630.google.com (mail-ej1-x630.google.com [IPv6:2a00:1450:4864:20::630]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 13C281BFB for ; Thu, 13 Jul 2023 11:08:29 -0700 (PDT) Received: by mail-ej1-x630.google.com with SMTP id a640c23a62f3a-9926623e367so144768266b.0 for ; Thu, 13 Jul 2023 11:08:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20221208; t=1689271707; x=1691863707; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Qf+ep2AGieWfF/6F4u3rk63REkDECe/z7Ykuugp3gNM=; b=mtxj0XOsU38fcn3YrvDPDLlqiy755guqcUY6WQWhM1Mxp6MLrqBy2QsItvc4ozMBVg n+10Jqycub7UJ6IeUYNr7GncO2PguDl1KaBCodyEZSZw/Rc135DLXz/kaXopgFLD9VRC tmbfZJQ52+x9hWCBjpEIhPLlp7AEflUgd36pYg3xiL9v01YWfux1efDYCYSKVhnlHRNu bcBsN6ZlPBteM4ycptiR71v23XjlYcubH2fBnFvneQxQPwW71LMEHhDY/UOpQMNosY/A 
From: Christian Göttsche
To: selinux@vger.kernel.org
Subject: [PATCH 4/5] libsepol: drop superfluous check
Date: Thu, 13 Jul 2023 20:08:15 +0200
Message-Id: <20230713180816.101924-4-cgzones@googlemail.com>
In-Reply-To: <20230713180816.101924-1-cgzones@googlemail.com>
References: <20230713180816.101924-1-cgzones@googlemail.com>

str_read() internally performs a sanity length check.

Signed-off-by: Christian Göttsche
---
 libsepol/src/policydb.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c index 552eb77a..e1f8bb06 100644 --- a/libsepol/src/policydb.c +++ b/libsepol/src/policydb.c 
@@ -3560,8 +3560,6 @@ static int filename_trans_rule_read(policydb_t *p, avrule_t **r, return -1; len = le32_to_cpu(buf[0]); - if (zero_or_saturated(len)) - return -1; rc = str_read(&cur->object_name, fp, len); if (rc) From patchwork Thu Jul 13 18:08:16 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 13312572 X-Patchwork-Delegate: plautrba@redhat.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7501CC00528 for ; Thu, 13 Jul 2023 18:08:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231561AbjGMSIc (ORCPT ); Thu, 13 Jul 2023 14:08:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37508 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230337AbjGMSIa (ORCPT ); Thu, 13 Jul 2023 14:08:30 -0400 Received: from mail-ej1-x62e.google.com (mail-ej1-x62e.google.com [IPv6:2a00:1450:4864:20::62e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7DCC826AF for ; Thu, 13 Jul 2023 11:08:29 -0700 (PDT) Received: by mail-ej1-x62e.google.com with SMTP id a640c23a62f3a-9928abc11deso142924366b.1 for ; Thu, 13 Jul 2023 11:08:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20221208; t=1689271708; x=1691863708; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=8hxyjIN5Hv7j9NYO3maV/9uRAjdEBeMg6Fe34AL4IiU=; b=Rsr4pDZbL4EHf/TT5JS4mRvY48FZPNs57Gg7lODNlGlKZjvXTFvuK9tKRa7y41zmP8 xjmlxYfDjJQABA5PNpgcpLSE0NmKhayQti1yfk1Tgj8Oyhl9t2gpN4X7WTTgVYZUkBIT QOm/CYY1dUu+do23dd4w1xIKmIF20PQjfaxzs8XAgVV99dRhHDj/euNkEFw/e4h2GMFJ 
From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Subject: [PATCH 5/5] libsepol: avtab: check read counts for saturation Date: Thu, 13 Jul 2023 20:08:16 +0200 Message-Id: <20230713180816.101924-5-cgzones@googlemail.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230713180816.101924-1-cgzones@googlemail.com> References: <20230713180816.101924-1-cgzones@googlemail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Ensure counts are not set to the maximum value of their type. Also limit their size during fuzzing to prevent OOM reports. Reported-by: oss-fuzz (issue 60572) Signed-off-by: Christian Göttsche --- libsepol/src/avtab.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c index 9c7daf8e..cb2ca06a 100644 --- a/libsepol/src/avtab.c +++ b/libsepol/src/avtab.c @@ -461,6 +461,8 @@ static int avtab_read_name_trans(policy_file_t *fp, symtab_t *target) if (rc < 0) return rc; nel = le32_to_cpu(buf32[0]); + if (is_saturated(nel)) + return -1; rc = symtab_init(target, nel); if (rc < 0) @@ -736,7 +738,7 @@ int avtab_read(avtab_t * a, struct policy_file *fp, uint32_t vers) goto bad; } nel = le32_to_cpu(buf[0]); - if (!nel) { + if (zero_or_saturated(nel)) { ERR(fp->handle, "table is empty"); goto bad; } @@ -909,6 +911,9 @@ static int filename_trans_comp_read_one(avtab_t *a, void *fp) key.target_class = le32_to_cpu(buf[1]); ndatum = le32_to_cpu(buf[2]); + if (is_saturated(ndatum)) + goto err; + for (i = 0; i < ndatum; i++) { rc = ebitmap_read(&stypes, fp); if (rc < 0) @@ -951,6 +956,8 @@ int avtab_filename_trans_read(void *fp, uint32_t vers, avtab_t *a) if (rc < 0) return rc; nel = le32_to_cpu(*buf); + if (is_saturated(nel)) + return -1; if (vers < POLICYDB_VERSION_COMP_FTRANS) { for (i = 0; i < nel; i++) {
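
Review bot: in patch 1/5, the hunk at -857 in filename_trans_read_one() (and the identical one at -898 in filename_trans_comp_read_one()) now reaches `err` with whatever str_read() left in `name`, so `name` has to be initialised to NULL at its declaration and `err` has to free it; neither is visible in the hunk context. Please confirm both, and check that `err` still returns SEPOL_ERR so the result seen by the caller is unchanged. Since the commit message says str_read() leaves its allocation behind on failure, freeing and resetting the pointer inside str_read() would cover every caller in one place.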
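
Review bot: in patch 2/5, the new mask test in avtab_read_item() (hunk at -666) logs only "invalid specifier", which gives no hint which bits were rejected. Including the value, for example `ERR(fp->handle, "invalid specifier 0x%x", key.specified);`, would make a rejected policy much easier to diagnose. The test also rejects neverallow entries only if none of AVTAB_AV, AVTAB_TYPE and AVTAB_XPERMS contains a neverallow bit; those definitions are not part of this diff, so a short comment stating that assumption would help the next reader.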
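
Review bot: in patch 3/5, jumping to `err_ebitmap` when the first ebitmap_read() fails in filename_trans_comp_read_one() (hunk at -912) is safe only because ebitmap_read() calls ebitmap_init() before it can fail, as the commit message states. An explicit `ebitmap_init(&stypes);` before the loop would remove that dependency on ebitmap_read() internals. The message also describes only the error path, while the hunk at -928 adds `ebitmap_destroy(&stypes);` at the end of every successful iteration, which looks like a separate per-iteration leak fix; please mention it in the message.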
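
Review bot: in patch 4/5, with the `zero_or_saturated(len)` test removed from filename_trans_rule_read() (hunk at -3560), a bad length is now reported only through `if (rc)` after str_read(). Patch 1/5 says str_read() can fail with memory already assigned to the passed pointer, so please confirm that this failure path, or the caller's cleanup of `cur`, frees `cur->object_name`. A one-line comment at the call site saying that str_read() rejects zero and saturated lengths would keep the invariant visible where it is relied on.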
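
Review bot: in patch 5/5, avtab_read() (hunk at -736) now takes the `zero_or_saturated(nel)` branch for a saturated count as well, but still logs "table is empty", which is misleading in that case. Either test the two conditions separately or reword the message so that it covers both.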
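
Review bot: in patch 5/5, the new `is_saturated()` rejections in avtab_read_name_trans() (hunk at -461) and avtab_filename_trans_read() (hunk at -951) return -1 without an ERR() message, unlike the check in avtab_read(), so a rejected policy fails silently at this level. The commit message also promises a size limit during fuzzing, but no hunk in this patch adds one; if the limit comes from the definition of is_saturated(), please say so in the message.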