* [meta-selinux][dunfell][PATCH 1/3] libsepol: Security fix CVE-2021-36084
@ 2021-09-16 23:57 Armin Kuster
2021-09-16 23:58 ` [meta-selinux][dunfell][PATCH 2/3] libsepol: Security fix CVE-2021-36085 Armin Kuster
2021-09-16 23:58 ` [meta-selinux][dunfell][PATCH 3/3] secilc: Security fix for CVE-2021-36087 Armin Kuster
0 siblings, 2 replies; 3+ messages in thread
From: Armin Kuster @ 2021-09-16 23:57 UTC (permalink / raw)
To: yocto; +Cc: Armin Kuster
From: Armin Kuster <akuster@mvista.com>
Source: https://github.com/SELinuxProject/selinux
MR: 111851
Type: Security Fix
Disposition: Backport from https://github.com/SELinuxProject/selinux/commit/f34d3d30c8325e4847a6b696fe7a3936a8a361f3
ChangeID: 7fae27568e26ccbb18be3d2a1ce7332d42706f18
Description:
Affects: libsepol < 3.2
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../selinux/libsepol/CVE-2021-36084.patch | 99 +++++++++++++++++++
recipes-security/selinux/libsepol_3.0.bb | 1 +
2 files changed, 100 insertions(+)
create mode 100644 recipes-security/selinux/libsepol/CVE-2021-36084.patch
diff --git a/recipes-security/selinux/libsepol/CVE-2021-36084.patch b/recipes-security/selinux/libsepol/CVE-2021-36084.patch
new file mode 100644
index 0000000..1001563
--- /dev/null
+++ b/recipes-security/selinux/libsepol/CVE-2021-36084.patch
@@ -0,0 +1,99 @@
+From f34d3d30c8325e4847a6b696fe7a3936a8a361f3 Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Thu, 8 Apr 2021 13:32:01 -0400
+Subject: [PATCH] libsepol/cil: Destroy classperms list when resetting
+ classpermission
+
+Nicolas Iooss reports:
+ A few months ago, OSS-Fuzz found a crash in the CIL compiler, which
+ got reported as
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28648 (the title
+ is misleading, or is caused by another issue that conflicts with the
+ one I report in this message). Here is a minimized CIL policy which
+ reproduces the issue:
+
+ (class CLASS (PERM))
+ (classorder (CLASS))
+ (sid SID)
+ (sidorder (SID))
+ (user USER)
+ (role ROLE)
+ (type TYPE)
+ (category CAT)
+ (categoryorder (CAT))
+ (sensitivity SENS)
+ (sensitivityorder (SENS))
+ (sensitivitycategory SENS (CAT))
+ (allow TYPE self (CLASS (PERM)))
+ (roletype ROLE TYPE)
+ (userrole USER ROLE)
+ (userlevel USER (SENS))
+ (userrange USER ((SENS)(SENS (CAT))))
+ (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
+
+ (classpermission CLAPERM)
+
+ (optional OPT
+ (roletype nonexistingrole nonexistingtype)
+ (classpermissionset CLAPERM (CLASS (PERM)))
+ )
+
+ The CIL policy fuzzer (which mimics secilc built with clang Address
+ Sanitizer) reports:
+
+ ==36541==ERROR: AddressSanitizer: heap-use-after-free on address
+ 0x603000004f98 at pc 0x56445134c842 bp 0x7ffe2a256590 sp
+ 0x7ffe2a256588
+ READ of size 8 at 0x603000004f98 thread T0
+ #0 0x56445134c841 in __cil_verify_classperms
+ /selinux/libsepol/src/../cil/src/cil_verify.c:1620:8
+ #1 0x56445134a43e in __cil_verify_classpermission
+ /selinux/libsepol/src/../cil/src/cil_verify.c:1650:9
+ #2 0x56445134a43e in __cil_pre_verify_helper
+ /selinux/libsepol/src/../cil/src/cil_verify.c:1715:8
+ #3 0x5644513225ac in cil_tree_walk_core
+ /selinux/libsepol/src/../cil/src/cil_tree.c:272:9
+ #4 0x564451322ab1 in cil_tree_walk
+ /selinux/libsepol/src/../cil/src/cil_tree.c:316:7
+ #5 0x5644513226af in cil_tree_walk_core
+ /selinux/libsepol/src/../cil/src/cil_tree.c:284:9
+ #6 0x564451322ab1 in cil_tree_walk
+ /selinux/libsepol/src/../cil/src/cil_tree.c:316:7
+ #7 0x5644512b88fd in cil_pre_verify
+ /selinux/libsepol/src/../cil/src/cil_post.c:2510:7
+ #8 0x5644512b88fd in cil_post_process
+ /selinux/libsepol/src/../cil/src/cil_post.c:2524:7
+ #9 0x5644511856ff in cil_compile
+ /selinux/libsepol/src/../cil/src/cil.c:564:7
+
+The classperms list of a classpermission rule is created and filled
+in when classpermissionset rules are processed, so it doesn't own any
+part of the list and shouldn't retain any of it when it is reset.
+
+Destroy the classperms list (without destroying the data in it) when
+resetting a classpermission rule.
+
+Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
+Signed-off-by: James Carter <jwcart2@gmail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-36084
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libsepol/cil/src/cil_reset_ast.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: libsepol-3.0/cil/src/cil_reset_ast.c
+===================================================================
+--- libsepol-3.0.orig/cil/src/cil_reset_ast.c
++++ libsepol-3.0/cil/src/cil_reset_ast.c
+@@ -52,7 +52,7 @@ static void cil_reset_classpermission(st
+ return;
+ }
+
+- cil_reset_classperms_list(cp->classperms);
++ cil_list_destroy(&cp->classperms, CIL_FALSE);
+ }
+
+ static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)
diff --git a/recipes-security/selinux/libsepol_3.0.bb b/recipes-security/selinux/libsepol_3.0.bb
index 58559d7..537377b 100644
--- a/recipes-security/selinux/libsepol_3.0.bb
+++ b/recipes-security/selinux/libsepol_3.0.bb
@@ -9,4 +9,5 @@ SRC_URI[sha256sum] = "5b7ae1881909f1048b06f7a0c364c5c8a86ec12e0ec76e740fe9595a60
SRC_URI += "\
file://0001-libsepol-fix-CIL_KEY_-build-errors-with-fno-common.patch \
file://0001-libsepol-remove-leftovers-of-cil_mem_error_handler.patch \
+ file://CVE-2021-36084.patch \
"
--
2.25.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [meta-selinux][dunfell][PATCH 2/3] libsepol: Security fix CVE-2021-36085
2021-09-16 23:57 [meta-selinux][dunfell][PATCH 1/3] libsepol: Security fix CVE-2021-36084 Armin Kuster
@ 2021-09-16 23:58 ` Armin Kuster
2021-09-16 23:58 ` [meta-selinux][dunfell][PATCH 3/3] secilc: Security fix for CVE-2021-36087 Armin Kuster
1 sibling, 0 replies; 3+ messages in thread
From: Armin Kuster @ 2021-09-16 23:58 UTC (permalink / raw)
To: yocto; +Cc: Armin Kuster
From: Armin Kuster <akuster@mvista.com>
Source: https://github.com/SELinuxProject/selinux/
MR: 111857
Type: Security Fix
Disposition: Backport from https://github.com/SELinuxProject/selinux/commit/2d35fcc7e9e976a2346b1de20e54f8663e8a6cba
ChangeID: e50ae65189351ee618db2b278ba7105a5728e4c4
Description:
Affects: libsepol <= 3.2
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../selinux/libsepol/CVE-2021-36085.patch | 38 +++++++++++++++++++
recipes-security/selinux/libsepol_3.0.bb | 1 +
2 files changed, 39 insertions(+)
create mode 100644 recipes-security/selinux/libsepol/CVE-2021-36085.patch
diff --git a/recipes-security/selinux/libsepol/CVE-2021-36085.patch b/recipes-security/selinux/libsepol/CVE-2021-36085.patch
new file mode 100644
index 0000000..4bd05eb
--- /dev/null
+++ b/recipes-security/selinux/libsepol/CVE-2021-36085.patch
@@ -0,0 +1,38 @@
+From 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Thu, 8 Apr 2021 13:32:04 -0400
+Subject: [PATCH] libsepol/cil: Destroy classperm list when resetting map perms
+
+Map perms share the same struct as regular perms, but only the
+map perms use the classperms field. This field is a pointer to a
+list of classperms that is created and added to when resolving
+classmapping rules, so the map permission doesn't own any of the
+data in the list and this list should be destroyed when the AST is
+reset.
+
+When resetting a perm, destroy the classperms list without destroying
+the data in the list.
+
+Signed-off-by: James Carter <jwcart2@gmail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-36085
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libsepol/cil/src/cil_reset_ast.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: libsepol-3.0/cil/src/cil_reset_ast.c
+===================================================================
+--- libsepol-3.0.orig/cil/src/cil_reset_ast.c
++++ libsepol-3.0/cil/src/cil_reset_ast.c
+@@ -34,7 +34,7 @@ static void cil_reset_class(struct cil_c
+
+ static void cil_reset_perm(struct cil_perm *perm)
+ {
+- cil_reset_classperms_list(perm->classperms);
++ cil_list_destroy(&perm->classperms, CIL_FALSE);
+ }
+
+ static inline void cil_reset_classperms(struct cil_classperms *cp)
diff --git a/recipes-security/selinux/libsepol_3.0.bb b/recipes-security/selinux/libsepol_3.0.bb
index 537377b..b7a7071 100644
--- a/recipes-security/selinux/libsepol_3.0.bb
+++ b/recipes-security/selinux/libsepol_3.0.bb
@@ -10,4 +10,5 @@ SRC_URI += "\
file://0001-libsepol-fix-CIL_KEY_-build-errors-with-fno-common.patch \
file://0001-libsepol-remove-leftovers-of-cil_mem_error_handler.patch \
file://CVE-2021-36084.patch \
+ file://CVE-2021-36085.patch \
"
--
2.25.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [meta-selinux][dunfell][PATCH 3/3] secilc: Security fix for CVE-2021-36087
2021-09-16 23:57 [meta-selinux][dunfell][PATCH 1/3] libsepol: Security fix CVE-2021-36084 Armin Kuster
2021-09-16 23:58 ` [meta-selinux][dunfell][PATCH 2/3] libsepol: Security fix CVE-2021-36085 Armin Kuster
@ 2021-09-16 23:58 ` Armin Kuster
1 sibling, 0 replies; 3+ messages in thread
From: Armin Kuster @ 2021-09-16 23:58 UTC (permalink / raw)
To: yocto; +Cc: Armin Kuster
From: Armin Kuster <akuster@mvista.com>
Source: https://github.com/SELinuxProject/selinux
MR: 111869
Type: Security Fix
Disposition: Backport from https://github.com/SELinuxProject/selinux/commit/bad0a746e9f4cf260dedba5828d9645d50176aac
ChangeID: b282a68f76e509f548fe6ce46349af56d09481c6
Description:
Affects: secilc <= 3.2
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../selinux/secilc/CVE-2021-36087.patch | 134 ++++++++++++++++++
recipes-security/selinux/secilc_3.0.bb | 2 +
2 files changed, 136 insertions(+)
create mode 100644 recipes-security/selinux/secilc/CVE-2021-36087.patch
diff --git a/recipes-security/selinux/secilc/CVE-2021-36087.patch b/recipes-security/selinux/secilc/CVE-2021-36087.patch
new file mode 100644
index 0000000..ad7bf9b
--- /dev/null
+++ b/recipes-security/selinux/secilc/CVE-2021-36087.patch
@@ -0,0 +1,134 @@
+From bad0a746e9f4cf260dedba5828d9645d50176aac Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Mon, 19 Apr 2021 09:06:15 -0400
+Subject: [PATCH] secilc/docs: Update the CIL documentation for various blocks
+
+Update the documentation for macros, booleans, booleanifs, tunables,
+tunableifs, blocks, blockabstracts, blockinherits, and optionals to
+tell where these statements can be used and, for those that have
+blocks, what statements are not allowed in them.
+
+Signed-off-by: James Carter <jwcart2@gmail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-36087
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ docs/cil_call_macro_statements.md | 2 ++
+ docs/cil_conditional_statements.md | 6 +++++
+ docs/cil_container_statements.md | 28 +++++++++++++++--------
+ 3 files changed, 26 insertions(+), 10 deletions(-)
+
+Index: secilc-3.0/docs/cil_call_macro_statements.md
+===================================================================
+--- secilc-3.0.orig/docs/cil_call_macro_statements.md
++++ secilc-3.0/docs/cil_call_macro_statements.md
+@@ -54,6 +54,8 @@ Note that when resolving macros the call
+
+ - Items defined in the global namespace
+
++[`tunable`](cil_conditional_statements.md#tunable), [`in`](cil_container_statements.md#in), [`block`](cil_container_statements.md#block), [`blockinherit`](cil_container_statements.md#blockinherit), [`blockabstract`](cil_container_statements.md#blockabstract), and other [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks.
++
+ **Statement definition:**
+
+ (macro macro_id ([(param_type param_id) ...])
+Index: secilc-3.0/docs/cil_conditional_statements.md
+===================================================================
+--- secilc-3.0.orig/docs/cil_conditional_statements.md
++++ secilc-3.0/docs/cil_conditional_statements.md
+@@ -6,6 +6,8 @@ boolean
+
+ Declares a run time boolean as true or false in the current namespace. The [`booleanif`](cil_conditional_statements.md#booleanif) statement contains the CIL code that will be in the binary policy file.
+
++[`boolean`](cil_conditional_statements.md#boolean) are not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) blocks.
++
+ **Statement definition:**
+
+ (boolean boolean_id true|false)
+@@ -120,6 +122,8 @@ Tunables are similar to booleans, howeve
+
+ Note that tunables can be treated as booleans by the CIL compiler command line parameter `-P` or `--preserve-tunables` flags.
+
++Since [`tunableif`](cil_conditional_statements.md#tunableif) statements are resolved first, [`tunable`](cil_conditional_statements.md#tunable) statements are not allowed in [`in`](cil_container_statements.md#in), [`macro`](cil_call_macro_statements.md#macro), [`optional`](cil_container_statements.md#optional), and [`booleanif`](cil_conditional_statements.md#booleanif) blocks. To simplify processing, they are also not allowed in [`tunableif`](cil_conditional_statements.md#tunableif) blocks.
++
+ **Statement definition:**
+
+ (tunable tunable_id true|false)
+@@ -156,6 +160,8 @@ tunableif
+
+ Compile time conditional statement that may or may not add CIL statements to be compiled.
+
++If tunables are being treated as booleans (by using the CIL compiler command line parameter `-P` or `--preserve-tunables` flag), then only the statements allowed in a [`booleanif`](cil_conditional_statements.md#booleanif) block are allowed in a [`tunableif`](cil_conditional_statements.md#tunableif) block. Otherwise, [`tunable`](cil_conditional_statements.md#tunable) statements are not allowed in a [`tunableif`](cil_conditional_statements.md#tunableif) block.
++
+ **Statement definition:**
+
+ (tunableif tunable_id | expr ...)
+Index: secilc-3.0/docs/cil_container_statements.md
+===================================================================
+--- secilc-3.0.orig/docs/cil_container_statements.md
++++ secilc-3.0/docs/cil_container_statements.md
+@@ -4,7 +4,11 @@ Container Statements
+ block
+ -----
+
+-Start a new namespace where any CIL statement is valid.
++Start a new namespace.
++
++Not allowed in [`macro`](cil_call_macro_statements.md#macro) and [`optional`](cil_container_statements.md#optional) blocks.
++
++[`sensitivity`](cil_mls_labeling_statements.md#sensitivity) and [`category`](cil_mls_labeling_statements.md#category) statements are not allowed in [`block`](cil_container_statements.md#block) blocks.
+
+ **Statement definition:**
+
+@@ -45,6 +49,8 @@ blockabstract
+
+ Declares the namespace as a 'template' and does not generate code until instantiated by another namespace that has a [`blockinherit`](cil_container_statements.md#blockinherit) statement.
+
++Not allowed in [`macro`](cil_call_macro_statements.md#macro) and [`optional`](cil_container_statements.md#optional) blocks.
++
+ **Statement definition:**
+
+ (block block_id
+@@ -93,6 +99,8 @@ blockinherit
+
+ Used to add common policy rules to the current namespace via a template that has been defined with the [`blockabstract`](cil_container_statements.md#blockabstract) statement. All [`blockinherit`](cil_container_statements.md#blockinherit) statements are resolved first and then the contents of the block are copied. This is so that inherited blocks will not be inherited. For a concrete example, please see the examples section.
+
++Not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks.
++
+ **Statement definition:**
+
+ (block block_id
+@@ -191,15 +199,11 @@ This example contains a template `client
+ optional
+ --------
+
+-Declare an [`optional`](cil_container_statements.md#optional) namespace. All CIL statements in the optional block must be satisfied before instantiation in the binary policy. [`tunableif`](cil_conditional_statements.md#tunableif) and [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in optional containers. The same restrictions apply to CIL policy statements within [`optional`](cil_container_statements.md#optional)'s that apply to kernel policy statements, i.e. only the policy statements shown in the following table are valid:
++Declare an [`optional`](cil_container_statements.md#optional) namespace. All CIL statements in the optional block must be satisfied before instantiation in the binary policy.
+
+-| | | | |
+-| ------------------- | -------------- | ------------------ | ------------------ |
+-| [`allow`](cil_access_vector_rules.md#allow) | [`allowx`](cil_access_vector_rules.md#allowx) | [`auditallow`](cil_access_vector_rules.md#auditallow) | [`auditallowx`](cil_access_vector_rules.md#auditallowx) |
+-| [`booleanif`](cil_conditional_statements.md#booleanif) | [`dontaudit`](cil_access_vector_rules.md#dontaudit) | [`dontauditx`](cil_access_vector_rules.md#dontauditx) | [`typepermissive`](cil_type_statements.md#typepermissive) |
+-| [`rangetransition`](cil_mls_labeling_statements.md#rangetransition) | [`role`](cil_role_statements.md#role) | [`roleallow`](cil_role_statements.md#roleallow) | [`roleattribute`](cil_role_statements.md#roleattribute) |
+-| [`roletransition`](cil_role_statements.md#roletransition) | [`type`](cil_type_statements.md#type) | [`typealias`](cil_type_statements.md#typealias) | [`typeattribute`](cil_type_statements.md#typeattribute) |
+-| [`typechange`](cil_type_statements.md#typechange) | [`typemember`](cil_type_statements.md#typemember) | [`typetransition`](cil_type_statements.md#typetransition) | |
++Not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) blocks.
++
++[`tunable`](cil_conditional_statements.md#tunable), [`in`](cil_container_statements.md#in), [`block`](cil_container_statements.md#block), [`blockabstract`](cil_container_statements.md#blockabstract), and [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in [`optional`](cil_container_statements.md#optional) blocks.
+
+ **Statement definition:**
+
+@@ -254,7 +258,11 @@ This example will instantiate the option
+ in
+ --
+
+-Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements.
++Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)).
++
++Not allowed in [`macro`](cil_call_macro_statements.md#macro), [`booleanif`](cil_conditional_statements.md#booleanif), and other [`in`](cil_container_statements.md#in) blocks.
++
++[`tunable`](cil_conditional_statements.md#tunable) and [`in`](cil_container_statements.md#in) statements are not allowed in [`in`](cil_container_statements.md#in) blocks.
+
+ **Statement definition:**
+
diff --git a/recipes-security/selinux/secilc_3.0.bb b/recipes-security/selinux/secilc_3.0.bb
index 71b6cff..aa7d897 100644
--- a/recipes-security/selinux/secilc_3.0.bb
+++ b/recipes-security/selinux/secilc_3.0.bb
@@ -1,6 +1,8 @@
require selinux_20191204.inc
require ${BPN}.inc
+SRC_URI += "file://CVE-2021-36087.patch"
+
LIC_FILES_CHKSUM = "file://COPYING;md5=c7e802b9a3b0c2c852669864c08b9138"
SRC_URI[md5sum] = "be7ec221b874053a843ef90e49daa5cf"
--
2.25.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-09-16 23:58 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-16 23:57 [meta-selinux][dunfell][PATCH 1/3] libsepol: Security fix CVE-2021-36084 Armin Kuster
2021-09-16 23:58 ` [meta-selinux][dunfell][PATCH 2/3] libsepol: Security fix CVE-2021-36085 Armin Kuster
2021-09-16 23:58 ` [meta-selinux][dunfell][PATCH 3/3] secilc: Security fix for CVE-2021-36087 Armin Kuster
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.