* [PATCH] libselinux: ignore invalid class name lookup
@ 2022-10-24 9:13 Thiébaud Weksteen
2022-10-24 9:17 ` Thiébaud Weksteen
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Thiébaud Weksteen @ 2022-10-24 9:13 UTC (permalink / raw)
To: selinux
Cc: James Carter, Paul Moore, Jeffrey Vander Stoep, Thiébaud Weksteen
selinux_check_access relies on string_to_security_class to resolve the
class index from its char* argument. There is no input validation done
on the string provided. It is possible to supply an argument containing
trailing backslashes (i.e., "sock_file//////") so that the paths built
in discover_class get truncated. The processing will then reference the
same permission file multiple time (e.g., perms/watch_reads will be
truncated to perms/watch). This will leak the memory allocated when
strdup'ing the permission name. The discover_class_cache will end up in
an invalid state (but not corrupted).
Ensure that the class provided does not contain any path separator.
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
---
libselinux/src/stringrep.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c
index 2fe69f43..592410e5 100644
--- a/libselinux/src/stringrep.c
+++ b/libselinux/src/stringrep.c
@@ -63,6 +63,9 @@ static struct discover_class_node * discover_class(const char *s)
return NULL;
}
+ if (strchr(s, '/') != NULL)
+ return NULL;
+
/* allocate a node */
node = malloc(sizeof(struct discover_class_node));
if (node == NULL)
--
2.38.0.135.g90850a2211-goog
^ permalink raw reply related [flat|nested] 8+ messages in thread* Re: [PATCH] libselinux: ignore invalid class name lookup 2022-10-24 9:13 [PATCH] libselinux: ignore invalid class name lookup Thiébaud Weksteen @ 2022-10-24 9:17 ` Thiébaud Weksteen 2022-11-04 21:03 ` James Carter 2022-11-08 19:14 ` James Carter 2 siblings, 0 replies; 8+ messages in thread From: Thiébaud Weksteen @ 2022-10-24 9:17 UTC (permalink / raw) To: selinux; +Cc: James Carter, Paul Moore, Jeffrey Vander Stoep An alternative to this patch is to implement stricter input validation on the class name. I could not find any explicit restriction on the characters of a class. Empirically, it seems that [A-Za-z0-9_] would be sufficient to cover the refpolicy and Android classes. A regex matching would have a performance impact here, this is why the strchr solution was sent. Let me know if you’d prefer to explore the regex alternative. Thanks ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] libselinux: ignore invalid class name lookup 2022-10-24 9:13 [PATCH] libselinux: ignore invalid class name lookup Thiébaud Weksteen 2022-10-24 9:17 ` Thiébaud Weksteen @ 2022-11-04 21:03 ` James Carter 2022-11-04 21:21 ` Christian Göttsche 2022-11-08 19:14 ` James Carter 2 siblings, 1 reply; 8+ messages in thread From: James Carter @ 2022-11-04 21:03 UTC (permalink / raw) To: Thiébaud Weksteen; +Cc: selinux, Paul Moore, Jeffrey Vander Stoep On Mon, Oct 24, 2022 at 5:14 AM Thiébaud Weksteen <tweek@google.com> wrote: > > selinux_check_access relies on string_to_security_class to resolve the > class index from its char* argument. There is no input validation done > on the string provided. It is possible to supply an argument containing > trailing backslashes (i.e., "sock_file//////") so that the paths built I am having trouble reproducing this. Using backslashes causes an error when looking up the "%s/class/%s/index" path. Using forward slashes just works. Valgrind does not report any memory leaks in either case and I don't see the same permission file being referenced multiple times. I don't think that we need the regex solution. Thanks, Jim > in discover_class get truncated. The processing will then reference the > same permission file multiple time (e.g., perms/watch_reads will be > truncated to perms/watch). This will leak the memory allocated when > strdup'ing the permission name. The discover_class_cache will end up in > an invalid state (but not corrupted). > > Ensure that the class provided does not contain any path separator. > > Signed-off-by: Thiébaud Weksteen <tweek@google.com> > --- > libselinux/src/stringrep.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c > index 2fe69f43..592410e5 100644 > --- a/libselinux/src/stringrep.c > +++ b/libselinux/src/stringrep.c > @@ -63,6 +63,9 @@ static struct discover_class_node * discover_class(const char *s) > return NULL; > } > > + if (strchr(s, '/') != NULL) > + return NULL; > + > /* allocate a node */ > node = malloc(sizeof(struct discover_class_node)); > if (node == NULL) > -- > 2.38.0.135.g90850a2211-goog > ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] libselinux: ignore invalid class name lookup 2022-11-04 21:03 ` James Carter @ 2022-11-04 21:21 ` Christian Göttsche 2022-11-08 3:56 ` Thiébaud Weksteen 0 siblings, 1 reply; 8+ messages in thread From: Christian Göttsche @ 2022-11-04 21:21 UTC (permalink / raw) To: James Carter Cc: Thiébaud Weksteen, selinux, Paul Moore, Jeffrey Vander Stoep On Fri, 4 Nov 2022 at 22:03, James Carter <jwcart2@gmail.com> wrote: > > On Mon, Oct 24, 2022 at 5:14 AM Thiébaud Weksteen <tweek@google.com> wrote: > > > > selinux_check_access relies on string_to_security_class to resolve the > > class index from its char* argument. There is no input validation done > > on the string provided. It is possible to supply an argument containing > > trailing backslashes (i.e., "sock_file//////") so that the paths built Two other interfaces might also be affected by path traversing inputs: - getseuser(3) via the username parameter - bool_open(), called by security_get_boolean_pending(3), security_get_boolean_active(3) and security_set_boolean(3) , via the name parameter > > I am having trouble reproducing this. Using backslashes causes an > error when looking up the "%s/class/%s/index" path. > Using forward slashes just works. Valgrind does not report any memory > leaks in either case and I don't see the same permission file being > referenced multiple times. > > I don't think that we need the regex solution. > > Thanks, > Jim > > > > in discover_class get truncated. The processing will then reference the > > same permission file multiple time (e.g., perms/watch_reads will be > > truncated to perms/watch). This will leak the memory allocated when > > strdup'ing the permission name. The discover_class_cache will end up in > > an invalid state (but not corrupted). > > > > Ensure that the class provided does not contain any path separator. > > > > Signed-off-by: Thiébaud Weksteen <tweek@google.com> > > --- > > libselinux/src/stringrep.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c > > index 2fe69f43..592410e5 100644 > > --- a/libselinux/src/stringrep.c > > +++ b/libselinux/src/stringrep.c > > @@ -63,6 +63,9 @@ static struct discover_class_node * discover_class(const char *s) > > return NULL; > > } > > > > + if (strchr(s, '/') != NULL) > > + return NULL; > > + > > /* allocate a node */ > > node = malloc(sizeof(struct discover_class_node)); > > if (node == NULL) > > -- > > 2.38.0.135.g90850a2211-goog > > ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] libselinux: ignore invalid class name lookup 2022-11-04 21:21 ` Christian Göttsche @ 2022-11-08 3:56 ` Thiébaud Weksteen 2022-11-08 19:14 ` James Carter 0 siblings, 1 reply; 8+ messages in thread From: Thiébaud Weksteen @ 2022-11-08 3:56 UTC (permalink / raw) To: Christian Göttsche Cc: James Carter, selinux, Paul Moore, Jeffrey Vander Stoep On Sat, Nov 5, 2022 at 8:21 AM Christian Göttsche <cgzones@googlemail.com> wrote: > > On Fri, 4 Nov 2022 at 22:03, James Carter <jwcart2@gmail.com> wrote: > > > > On Mon, Oct 24, 2022 at 5:14 AM Thiébaud Weksteen <tweek@google.com> wrote: > > > > > > selinux_check_access relies on string_to_security_class to resolve the > > > class index from its char* argument. There is no input validation done > > > on the string provided. It is possible to supply an argument containing > > > trailing backslashes (i.e., "sock_file//////") so that the paths built > > Two other interfaces might also be affected by path traversing inputs: > > - getseuser(3) via the username parameter > - bool_open(), called by security_get_boolean_pending(3), > security_get_boolean_active(3) and security_set_boolean(3) , via the > name parameter > > > > > I am having trouble reproducing this. Using backslashes causes an > > error when looking up the "%s/class/%s/index" path. > > Using forward slashes just works. Valgrind does not report any memory > > leaks in either case and I don't see the same permission file being > > referenced multiple times. Apologies, it should read "forward slashes" and not "backward slashes". The exact argument is "sock_file" followed by 4051 forward slashes. With that length, the index file and perms directory will open successfully (both paths are 4089 bytes long, assuming /sys/fs/selinux for selinuxfs). When reading the watch_with_perm entry, the "_with_perm" will be dropped and the "watch" permission will be read instead (the "_" character is the 4096th byte). On Android, PATH_MAX is 4096. This was found by our fuzzer for the selinux_check_access function [1]. Thanks [1] https://cs.android.com/android/platform/superproject/+/master:external/selinux/libselinux/fuzzers/selinux_check_access_fuzzer.cpp > > > > I don't think that we need the regex solution. > > > > Thanks, > > Jim > > > > > > > in discover_class get truncated. The processing will then reference the > > > same permission file multiple time (e.g., perms/watch_reads will be > > > truncated to perms/watch). This will leak the memory allocated when > > > strdup'ing the permission name. The discover_class_cache will end up in > > > an invalid state (but not corrupted). > > > > > > Ensure that the class provided does not contain any path separator. > > > > > > Signed-off-by: Thiébaud Weksteen <tweek@google.com> > > > --- > > > libselinux/src/stringrep.c | 3 +++ > > > 1 file changed, 3 insertions(+) > > > > > > diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c > > > index 2fe69f43..592410e5 100644 > > > --- a/libselinux/src/stringrep.c > > > +++ b/libselinux/src/stringrep.c > > > @@ -63,6 +63,9 @@ static struct discover_class_node * discover_class(const char *s) > > > return NULL; > > > } > > > > > > + if (strchr(s, '/') != NULL) > > > + return NULL; > > > + > > > /* allocate a node */ > > > node = malloc(sizeof(struct discover_class_node)); > > > if (node == NULL) > > > -- > > > 2.38.0.135.g90850a2211-goog > > > ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] libselinux: ignore invalid class name lookup 2022-11-08 3:56 ` Thiébaud Weksteen @ 2022-11-08 19:14 ` James Carter 0 siblings, 0 replies; 8+ messages in thread From: James Carter @ 2022-11-08 19:14 UTC (permalink / raw) To: Thiébaud Weksteen Cc: Christian Göttsche, selinux, Paul Moore, Jeffrey Vander Stoep On Mon, Nov 7, 2022 at 10:56 PM Thiébaud Weksteen <tweek@google.com> wrote: > > On Sat, Nov 5, 2022 at 8:21 AM Christian Göttsche > <cgzones@googlemail.com> wrote: > > > > On Fri, 4 Nov 2022 at 22:03, James Carter <jwcart2@gmail.com> wrote: > > > > > > On Mon, Oct 24, 2022 at 5:14 AM Thiébaud Weksteen <tweek@google.com> wrote: > > > > > > > > selinux_check_access relies on string_to_security_class to resolve the > > > > class index from its char* argument. There is no input validation done > > > > on the string provided. It is possible to supply an argument containing > > > > trailing backslashes (i.e., "sock_file//////") so that the paths built > > > > Two other interfaces might also be affected by path traversing inputs: > > > > - getseuser(3) via the username parameter > > - bool_open(), called by security_get_boolean_pending(3), > > security_get_boolean_active(3) and security_set_boolean(3) , via the > > name parameter > > > > > > > > I am having trouble reproducing this. Using backslashes causes an > > > error when looking up the "%s/class/%s/index" path. > > > Using forward slashes just works. Valgrind does not report any memory > > > leaks in either case and I don't see the same permission file being > > > referenced multiple times. > > Apologies, it should read "forward slashes" and not "backward > slashes". The exact argument is "sock_file" followed by 4051 forward > slashes. With that length, the index file and perms directory will > open successfully (both paths are 4089 bytes long, assuming > /sys/fs/selinux for selinuxfs). When reading the watch_with_perm > entry, the "_with_perm" will be dropped and the "watch" permission > will be read instead (the "_" character is the 4096th byte). On > Android, PATH_MAX is 4096. > > This was found by our fuzzer for the selinux_check_access function [1]. > > Thanks > > [1] https://cs.android.com/android/platform/superproject/+/master:external/selinux/libselinux/fuzzers/selinux_check_access_fuzzer.cpp > Thanks for the clarification. Jim > > > > > > I don't think that we need the regex solution. > > > > > > Thanks, > > > Jim > > > > > > > > > > in discover_class get truncated. The processing will then reference the > > > > same permission file multiple time (e.g., perms/watch_reads will be > > > > truncated to perms/watch). This will leak the memory allocated when > > > > strdup'ing the permission name. The discover_class_cache will end up in > > > > an invalid state (but not corrupted). > > > > > > > > Ensure that the class provided does not contain any path separator. > > > > > > > > Signed-off-by: Thiébaud Weksteen <tweek@google.com> > > > > --- > > > > libselinux/src/stringrep.c | 3 +++ > > > > 1 file changed, 3 insertions(+) > > > > > > > > diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c > > > > index 2fe69f43..592410e5 100644 > > > > --- a/libselinux/src/stringrep.c > > > > +++ b/libselinux/src/stringrep.c > > > > @@ -63,6 +63,9 @@ static struct discover_class_node * discover_class(const char *s) > > > > return NULL; > > > > } > > > > > > > > + if (strchr(s, '/') != NULL) > > > > + return NULL; > > > > + > > > > /* allocate a node */ > > > > node = malloc(sizeof(struct discover_class_node)); > > > > if (node == NULL) > > > > -- > > > > 2.38.0.135.g90850a2211-goog > > > > ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] libselinux: ignore invalid class name lookup 2022-10-24 9:13 [PATCH] libselinux: ignore invalid class name lookup Thiébaud Weksteen 2022-10-24 9:17 ` Thiébaud Weksteen 2022-11-04 21:03 ` James Carter @ 2022-11-08 19:14 ` James Carter 2022-11-09 13:48 ` James Carter 2 siblings, 1 reply; 8+ messages in thread From: James Carter @ 2022-11-08 19:14 UTC (permalink / raw) To: Thiébaud Weksteen; +Cc: selinux, Paul Moore, Jeffrey Vander Stoep On Mon, Oct 24, 2022 at 5:14 AM Thiébaud Weksteen <tweek@google.com> wrote: > > selinux_check_access relies on string_to_security_class to resolve the > class index from its char* argument. There is no input validation done > on the string provided. It is possible to supply an argument containing > trailing backslashes (i.e., "sock_file//////") so that the paths built > in discover_class get truncated. The processing will then reference the > same permission file multiple time (e.g., perms/watch_reads will be > truncated to perms/watch). This will leak the memory allocated when > strdup'ing the permission name. The discover_class_cache will end up in > an invalid state (but not corrupted). > > Ensure that the class provided does not contain any path separator. > > Signed-off-by: Thiébaud Weksteen <tweek@google.com> Acked-by: James Carter <jwcart2@gmail.com> > --- > libselinux/src/stringrep.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c > index 2fe69f43..592410e5 100644 > --- a/libselinux/src/stringrep.c > +++ b/libselinux/src/stringrep.c > @@ -63,6 +63,9 @@ static struct discover_class_node * discover_class(const char *s) > return NULL; > } > > + if (strchr(s, '/') != NULL) > + return NULL; > + > /* allocate a node */ > node = malloc(sizeof(struct discover_class_node)); > if (node == NULL) > -- > 2.38.0.135.g90850a2211-goog > ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] libselinux: ignore invalid class name lookup 2022-11-08 19:14 ` James Carter @ 2022-11-09 13:48 ` James Carter 0 siblings, 0 replies; 8+ messages in thread From: James Carter @ 2022-11-09 13:48 UTC (permalink / raw) To: Thiébaud Weksteen; +Cc: selinux, Paul Moore, Jeffrey Vander Stoep On Tue, Nov 8, 2022 at 2:14 PM James Carter <jwcart2@gmail.com> wrote: > > On Mon, Oct 24, 2022 at 5:14 AM Thiébaud Weksteen <tweek@google.com> wrote: > > > > selinux_check_access relies on string_to_security_class to resolve the > > class index from its char* argument. There is no input validation done > > on the string provided. It is possible to supply an argument containing > > trailing backslashes (i.e., "sock_file//////") so that the paths built > > in discover_class get truncated. The processing will then reference the > > same permission file multiple time (e.g., perms/watch_reads will be > > truncated to perms/watch). This will leak the memory allocated when > > strdup'ing the permission name. The discover_class_cache will end up in > > an invalid state (but not corrupted). > > > > Ensure that the class provided does not contain any path separator. > > > > Signed-off-by: Thiébaud Weksteen <tweek@google.com> > > Acked-by: James Carter <jwcart2@gmail.com> > Merged. Thanks, Jim > > --- > > libselinux/src/stringrep.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c > > index 2fe69f43..592410e5 100644 > > --- a/libselinux/src/stringrep.c > > +++ b/libselinux/src/stringrep.c > > @@ -63,6 +63,9 @@ static struct discover_class_node * discover_class(const char *s) > > return NULL; > > } > > > > + if (strchr(s, '/') != NULL) > > + return NULL; > > + > > /* allocate a node */ > > node = malloc(sizeof(struct discover_class_node)); > > if (node == NULL) > > -- > > 2.38.0.135.g90850a2211-goog > > ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2022-11-09 13:48 UTC | newest] Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2022-10-24 9:13 [PATCH] libselinux: ignore invalid class name lookup Thiébaud Weksteen 2022-10-24 9:17 ` Thiébaud Weksteen 2022-11-04 21:03 ` James Carter 2022-11-04 21:21 ` Christian Göttsche 2022-11-08 3:56 ` Thiébaud Weksteen 2022-11-08 19:14 ` James Carter 2022-11-08 19:14 ` James Carter 2022-11-09 13:48 ` James Carter
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.