From: "Thiébaud Weksteen" <tweek@google.com>
To: selinux@vger.kernel.org
Cc: "James Carter" <jwcart2@gmail.com>,
	"Paul Moore" <paul@paul-moore.com>,
	"Jeffrey Vander Stoep" <jeffv@google.com>,
	"Thiébaud Weksteen" <tweek@google.com>
Subject: [PATCH] libselinux: ignore invalid class name lookup
Date: Mon, 24 Oct 2022 20:13:54 +1100
Message-ID: <20221024091354.2253669-1-tweek@google.com>

selinux_check_access relies on string_to_security_class to resolve the
class index from its char* argument. There is no input validation done
on the string provided. It is possible to supply an argument containing
trailing backslashes (i.e., "sock_file//////") so that the paths built
in discover_class get truncated. The processing will then reference the
same permission file multiple times (e.g., perms/watch_reads will be
truncated to perms/watch). This will leak the memory allocated when
strdup'ing the permission name. The discover_class_cache will end up in
an invalid state (but not corrupted).

Ensure that the class provided does not contain any path separator.

Signed-off-by: Thiébaud Weksteen <tweek@google.com>
---
 libselinux/src/stringrep.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c
index 2fe69f43..592410e5 100644
--- a/libselinux/src/stringrep.c
+++ b/libselinux/src/stringrep.c
@@ -63,6 +63,9 @@ static struct discover_class_node * discover_class(const char *s)
 		return NULL;
 	}
 
+	if (strchr(s, '/') != NULL)
+		return NULL;
+
 	/* allocate a node */
 	node = malloc(sizeof(struct discover_class_node));
 	if (node == NULL)
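
Review bot: The new early return at `if (strchr(s, '/') != NULL)` hands back NULL without setting errno in the added lines, so a caller cannot tell a rejected class name from the allocation failure handled just below it. Consider setting `errno = EINVAL;` before `return NULL;` (which needs braces around the body), and adding a one-line comment saying that `s` is used as a path component, since the reason for the check is only in the commit message. The commit message also attributes the leak to truncated paths, and this check rejects the separator without detecting truncation itself; it would be worth confirming in the path-building code that an over-long name with no '/' cannot reach the same state.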
-- 
2.38.0.135.g90850a2211-goog


Thread overview: 8+ messages
2022-10-24  9:13 Thiébaud Weksteen [this message]
2022-10-24  9:17 ` [PATCH] libselinux: ignore invalid class name lookup Thiébaud Weksteen
2022-11-04 21:03 ` James Carter
2022-11-04 21:21   ` Christian Göttsche
2022-11-08  3:56     ` Thiébaud Weksteen
2022-11-08 19:14       ` James Carter
2022-11-08 19:14 ` James Carter
2022-11-09 13:48   ` James Carter