From: James Carter <jwcart2@gmail.com>
To: selinux@vger.kernel.org
Cc: nicolas.iooss@m4x.org, James Carter <jwcart2@gmail.com>
Subject: [PATCH 01/11 v2] libsepol/cil: Fix out-of-bound read of file context pattern ending with "\"
Date: Mon, 19 Apr 2021 11:15:47 -0400
Message-ID: <20210419151557.87561-2-jwcart2@gmail.com>
In-Reply-To: <20210419151557.87561-1-jwcart2@gmail.com>

Based on patch by Nicolas Iooss, who writes:
  OSS-Fuzz found a Heap-buffer-overflow in the CIL compiler when trying
  to compile the following policy:

    (sid SID)
    (sidorder(SID))
    (filecon "\" any ())
    (filecon "" any ())

  When cil_post_fc_fill_data() processes "\", it goes beyond the NUL
  terminator of the string. Fix this by returning when '\0' is read
  after a backslash.

To be consistent with the function compute_diffdata() in
refpolicy/support/fc_sort.py, also increment str_len in this case.

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28484
Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: James Carter <jwcart2@gmail.com>
---
 libsepol/cil/src/cil_post.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
index d2ecbd43..fd4758dc 100644
--- a/libsepol/cil/src/cil_post.c
+++ b/libsepol/cil/src/cil_post.c
@@ -186,6 +186,13 @@ static void cil_post_fc_fill_data(struct fc_data *fc, const char *path)
 			break;
 		case '\\':
 			c++;
+			if (path[c] == '\0') {
+				if (!fc->meta) {
+					fc->stem_len++;
+				}
+				fc->str_len++;
+				return;
+			}
 			/* FALLTHRU */
 		default:
 			if (!fc->meta) {
-- 
2.26.3
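The commit message above describes an escape-aware scan that walks off the end of the string when the last byte is a backslash. The following is an added, self-contained C example (not libsepol's code and not the patch itself) that models the same bookkeeping on a hypothetical `struct fc_data` with the field names the patch uses; which bytes count as regex metacharacters, and the choice not to count them in `str_len`, are assumptions of this example. It shows the terminator check the patch adds and returns the number of bytes consumed so a caller can confirm the scan never went past `strlen(path)`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the per-pattern data the patch fills in:
 *   meta     - a regex metacharacter has been seen
 *   stem_len - literal characters before the first metacharacter
 *   str_len  - characters counted overall (an escaped pair counts once)
 * Field names follow the patch; the struct itself is an assumption
 * of this example, not libsepol's definition. */
struct fc_data {
    bool meta;
    size_t stem_len;
    size_t str_len;
};

/* Assumed metacharacter set; NUL is excluded so strchr() cannot match
 * the terminator itself. */
static bool is_regex_meta(char ch)
{
    return ch != '\0' && strchr(".^$?*+|[({", ch) != NULL;
}

/* Escape-aware scan that never steps past the NUL terminator.
 * Returns the number of bytes consumed, which must equal strlen(path). */
size_t fc_fill_data(struct fc_data *fc, const char *path)
{
    size_t c;

    fc->meta = false;
    fc->stem_len = 0;
    fc->str_len = 0;

    for (c = 0; path[c] != '\0'; c++) {
        char ch = path[c];

        if (ch == '\\') {
            if (path[c + 1] == '\0') {
                /* Trailing lone backslash: count it as one literal
                 * character and stop here. Without this check the
                 * scan would advance onto and then beyond the
                 * terminator, which is the over-read the patch fixes. */
                if (!fc->meta) {
                    fc->stem_len++;
                }
                fc->str_len++;
                return c + 1;
            }
            /* Consume the escaped byte; it is literal whatever it is. */
            c++;
        } else if (is_regex_meta(ch)) {
            /* Metacharacters flip the flag and are not counted
             * (an assumption of this example). */
            fc->meta = true;
            continue;
        }

        if (!fc->meta) {
            fc->stem_len++;
        }
        fc->str_len++;
    }
    return c;
}

int main(void)
{
    /* Constructed inputs: the two patterns from the fuzzer case plus
     * a few ordinary file context patterns. */
    const char *samples[] = { "\\", "", "/usr/.*", "a\\.b", "/etc\\" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct fc_data fc;
        size_t used = fc_fill_data(&fc, samples[i]);
        printf("%-10s consumed=%zu len=%zu meta=%d stem=%zu str=%zu\n",
               samples[i], used, strlen(samples[i]),
               (int)fc.meta, fc.stem_len, fc.str_len);
    }
    return 0;
}
```

The `consumed == strlen(path)` comparison is the property a regression test would assert: any scan that returns more than the string length has read the terminator as data, which is exactly the condition a sanitizer build flags on the original fuzzer input.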

