* [PATCH] libsepol/cil: do not override previous results of __cil_verify_classperms
@ 2021-07-02 11:07 Nicolas Iooss
2021-07-06 14:58 ` James Carter
From: Nicolas Iooss @ 2021-07-02 11:07 UTC (permalink / raw)
To: selinux
When __cil_verify_map_class() verifies a classpermission, it calls
__verify_map_perm_classperms() on each item. If the first item reports a
failure and the next one succeeds, the failure is overwritten in
map_args->rc. This is a bug which causes a NULL pointer dereference in
the CIL compiler when compiling the following policy:
(sid SID)
(sidorder (SID))

(class CLASS (PERM1))
(classorder (CLASS))

(classpermission CLSPERM)
(classpermissionset CLSPERM (CLASS (PERM1)))
(classmap files (CLAMAPxx x))
(classmapping files CLAMAPxx CLSPERM)
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30286
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
libsepol/cil/src/cil_verify.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
index 59397f70f2ea..8ad3dc9e114a 100644
--- a/libsepol/cil/src/cil_verify.c
+++ b/libsepol/cil/src/cil_verify.c
@@ -1786,8 +1786,12 @@ static int __verify_map_perm_classperms(__attribute__((unused)) hashtab_key_t k,
{
struct cil_verify_map_args *map_args = args;
struct cil_perm *cmp = (struct cil_perm *)d;
+ int rc;
- map_args->rc = __cil_verify_classperms(cmp->classperms, &cmp->datum, &map_args->class->datum, &cmp->datum, CIL_MAP_PERM, 0, 2);
+ rc = __cil_verify_classperms(cmp->classperms, &cmp->datum, &map_args->class->datum, &cmp->datum, CIL_MAP_PERM, 0, 2);
+ if (rc != SEPOL_OK) {
+ map_args->rc = rc;
+ }
return SEPOL_OK;
}
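Review bot: with the new `if (rc != SEPOL_OK)` guard, map_args->rc is only ever written on failure, so the aggregated result is correct only if __cil_verify_map_class() sets map_args->rc = SEPOL_OK before it starts the walk; that initialisation is outside this hunk and worth confirming, and a one-line comment above the guard (for instance `/* keep any earlier failure; caller initialises rc to SEPOL_OK */`) would record the contract for the next reader. The unconditional `return SEPOL_OK;` at the end is what keeps the walk going so every map permission is verified rather than stopping at the first bad one; a short comment there would stop someone later "fixing" it to `return rc;`, which would silently change that behaviour.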
--
2.32.0
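The bug described in the commit message is a general pattern, not something specific to CIL: a per-item callback that stores its result into shared state on every call lets a later success erase an earlier failure. The following is an added example, not libsepol code, that models that pattern with a two-item walk where the first item fails and the second succeeds, exactly the ordering the message describes. All names in it (item_t, verify_args, walk_items, cb_overwrite, cb_sticky, rc_with, checked_with) are invented for illustration, and walk_items is a stand-in for the hash-table walk that invokes the callback; the SEPOL_OK / SEPOL_ERR values follow libsepol's 0-is-success convention but are defined locally here.

```c
/* Added example (not libsepol code): a minimal model of the bug the patch
 * fixes, where a per-item callback overwrote an aggregated result.
 * All names here are invented; walk_items stands in for the hash-table
 * walk that calls the callback on each map permission. */
#include <stddef.h>
#include <stdio.h>

#define SEPOL_OK   0     /* libsepol convention: 0 is success */
#define SEPOL_ERR  (-1)

/* Constructed stand-in for one map permission under verification. */
typedef struct {
    const char *name;
    int valid;           /* 1 if its classperms verify, 0 if they do not */
} item_t;

/* Shared state passed through the walk, in the role of cil_verify_map_args. */
typedef struct {
    int rc;              /* aggregated result; caller must start it at SEPOL_OK */
    int checked;         /* number of items the callback saw */
} verify_args;

typedef int (*item_cb)(const item_t *it, void *args);

/* Stand-in for the per-item check (__cil_verify_classperms in the real code). */
static int check_item(const item_t *it)
{
    return it->valid ? SEPOL_OK : SEPOL_ERR;
}

/* Before the patch: every call overwrites rc, so a later success hides
 * an earlier failure. */
static int cb_overwrite(const item_t *it, void *args)
{
    verify_args *a = args;
    a->rc = check_item(it);
    a->checked++;
    return SEPOL_OK;     /* always continue so every item gets checked */
}

/* After the patch: only failures are recorded, so an earlier error sticks. */
static int cb_sticky(const item_t *it, void *args)
{
    verify_args *a = args;
    int rc = check_item(it);
    if (rc != SEPOL_OK) {
        a->rc = rc;
    }
    a->checked++;
    return SEPOL_OK;
}

/* Minimal walker: calls cb on each item and stops early only if cb itself
 * returns non-OK (which neither callback above ever does). */
static int walk_items(const item_t *items, size_t n, item_cb cb, void *args)
{
    for (size_t i = 0; i < n; i++) {
        int rc = cb(&items[i], args);
        if (rc != SEPOL_OK) {
            return rc;
        }
    }
    return SEPOL_OK;
}

/* One verification pass over constructed input: first item fails, second
 * succeeds, the ordering the commit message describes. */
static void run_pass(item_cb cb, verify_args *out)
{
    static const item_t items[] = {
        { "perm_a", 0 },  /* constructed: verification fails */
        { "perm_b", 1 },  /* constructed: verification succeeds */
    };
    out->rc = SEPOL_OK;  /* the initialisation the callbacks rely on */
    out->checked = 0;
    walk_items(items, sizeof items / sizeof items[0], cb, out);
}

/* Aggregated rc for a pass with the given callback. */
int rc_with(item_cb cb)
{
    verify_args a;
    run_pass(cb, &a);
    return a.rc;
}

/* Number of items the callback examined in a pass. */
int checked_with(item_cb cb)
{
    verify_args a;
    run_pass(cb, &a);
    return a.checked;
}

int main(void)
{
    int buggy = rc_with(cb_overwrite);
    int fixed = rc_with(cb_sticky);
    printf("overwrite callback: rc=%d (checked %d)\n", buggy, checked_with(cb_overwrite));
    printf("sticky callback   : rc=%d (checked %d)\n", fixed, checked_with(cb_sticky));
    return 0;
}
```

Both callbacks examine both items, because both return SEPOL_OK to the walker; the only difference is that the overwrite variant reports SEPOL_OK for a set containing an invalid item, which is the state the commit message says led to the later NULL pointer dereference. The sticky variant's correctness depends on run_pass resetting rc to SEPOL_OK first, which is the same initialisation contract the patched __verify_map_perm_classperms() relies on its caller for.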
* Re: [PATCH] libsepol/cil: do not override previous results of __cil_verify_classperms
2021-07-02 11:07 [PATCH] libsepol/cil: do not override previous results of __cil_verify_classperms Nicolas Iooss
@ 2021-07-06 14:58 ` James Carter
2021-07-07 16:35 ` James Carter
From: James Carter @ 2021-07-06 14:58 UTC (permalink / raw)
To: Nicolas Iooss; +Cc: SElinux list
On Fri, Jul 2, 2021 at 7:15 AM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
>
> When __cil_verify_map_class() verifies a classpermission, it calls
> __verify_map_perm_classperms() on each item. If the first item reports a
> failure and the next one succeeds, the failure is overwritten in
> map_args->rc. This is a bug which causes a NULL pointer dereference in
> the CIL compiler when compiling the following policy:
>
> (sid SID)
> (sidorder (SID))
>
> (class CLASS (PERM1))
> (classorder (CLASS))
>
> (classpermission CLSPERM)
> (classpermissionset CLSPERM (CLASS (PERM1)))
> (classmap files (CLAMAPxx x))
> (classmapping files CLAMAPxx CLSPERM)
>
> Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30286
>
> Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: James Carter <jwcart2@gmail.com>
> ---
> libsepol/cil/src/cil_verify.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
> index 59397f70f2ea..8ad3dc9e114a 100644
> --- a/libsepol/cil/src/cil_verify.c
> +++ b/libsepol/cil/src/cil_verify.c
> @@ -1786,8 +1786,12 @@ static int __verify_map_perm_classperms(__attribute__((unused)) hashtab_key_t k,
> {
> struct cil_verify_map_args *map_args = args;
> struct cil_perm *cmp = (struct cil_perm *)d;
> + int rc;
>
> - map_args->rc = __cil_verify_classperms(cmp->classperms, &cmp->datum, &map_args->class->datum, &cmp->datum, CIL_MAP_PERM, 0, 2);
> + rc = __cil_verify_classperms(cmp->classperms, &cmp->datum, &map_args->class->datum, &cmp->datum, CIL_MAP_PERM, 0, 2);
> + if (rc != SEPOL_OK) {
> + map_args->rc = rc;
> + }
>
> return SEPOL_OK;
> }
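Review bot: one semantic detail of the guarded `map_args->rc = rc;` is worth a sentence in the commit message: when more than one map permission fails, each failure overwrites the previous one, so map_args->rc ends up holding the last failing code rather than the first, and effectively acts as a "did anything fail" flag. That is exactly what the fix needs, but the caller should not read it as identifying which permission failed; the per-item error output from __cil_verify_classperms() is where that information lives.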
> --
> 2.32.0
>
* Re: [PATCH] libsepol/cil: do not override previous results of __cil_verify_classperms
2021-07-06 14:58 ` James Carter
@ 2021-07-07 16:35 ` James Carter
From: James Carter @ 2021-07-07 16:35 UTC (permalink / raw)
To: Nicolas Iooss; +Cc: SElinux list
On Tue, Jul 6, 2021 at 10:58 AM James Carter <jwcart2@gmail.com> wrote:
>
> On Fri, Jul 2, 2021 at 7:15 AM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
> >
> > When __cil_verify_map_class() verifies a classpermission, it calls
> > __verify_map_perm_classperms() on each item. If the first item reports a
> > failure and the next one succeeds, the failure is overwritten in
> > map_args->rc. This is a bug which causes a NULL pointer dereference in
> > the CIL compiler when compiling the following policy:
> >
> > (sid SID)
> > (sidorder (SID))
> >
> > (class CLASS (PERM1))
> > (classorder (CLASS))
> >
> > (classpermission CLSPERM)
> > (classpermissionset CLSPERM (CLASS (PERM1)))
> > (classmap files (CLAMAPxx x))
> > (classmapping files CLAMAPxx CLSPERM)
> >
> > Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30286
> >
> > Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
>
> Acked-by: James Carter <jwcart2@gmail.com>
>
Merged.
Thanks,
Jim
> > ---
> > libsepol/cil/src/cil_verify.c | 6 +++++-
> > 1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
> > index 59397f70f2ea..8ad3dc9e114a 100644
> > --- a/libsepol/cil/src/cil_verify.c
> > +++ b/libsepol/cil/src/cil_verify.c
> > @@ -1786,8 +1786,12 @@ static int __verify_map_perm_classperms(__attribute__((unused)) hashtab_key_t k,
> > {
> > struct cil_verify_map_args *map_args = args;
> > struct cil_perm *cmp = (struct cil_perm *)d;
> > + int rc;
> >
> > - map_args->rc = __cil_verify_classperms(cmp->classperms, &cmp->datum, &map_args->class->datum, &cmp->datum, CIL_MAP_PERM, 0, 2);
> > + rc = __cil_verify_classperms(cmp->classperms, &cmp->datum, &map_args->class->datum, &cmp->datum, CIL_MAP_PERM, 0, 2);
> > + if (rc != SEPOL_OK) {
> > + map_args->rc = rc;
> > + }
> >
> > return SEPOL_OK;
> > }
> > --
> > 2.32.0
> >