* [PATCH] libsepol/cil: bail out on snprintf failure
From: Christian Göttsche @ 2021-12-20 18:03 UTC (permalink / raw)
To: selinux
Do not continue with a negative return value once a string append
operation fails to avoid increasing the buffer length variable
`str_len`, potentially leading to an out-of-bounds write.

Found by GitHub CodeQL.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
libsepol/cil/src/cil.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
index 9916cbee..38edcf8e 100644
--- a/libsepol/cil/src/cil.c
+++ b/libsepol/cil/src/cil.c
@@ -1456,6 +1456,12 @@ int cil_userprefixes_to_string(struct cil_db *db, char **out, size_t *size)
buf_pos = snprintf(str_tmp, str_len, "user %s prefix %s;\n", user->datum.fqn,
userprefix->prefix_str);
+ if (buf_pos < 0) {
+ free(str_tmp);
+ *size = 0;
+ *out = NULL;
+ goto exit;
+ }
str_len -= buf_pos;
str_tmp += buf_pos;
}
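Review bot: In the new error branch, `free(str_tmp)` is passed the moving cursor rather than the start of the allocation. The loop advances it with `str_tmp += buf_pos` after every successful append, so a failure on any iteration after the first hands free() an interior pointer, which is undefined behaviour. Free the pointer that was originally allocated instead; the branch clears `*out`, so if `*out` holds that base pointer, call `free(*out)` before setting it to NULL.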
--
2.34.1
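The failure mode the commit message describes, handled in a small append helper. This is an added example, not code from libsepol or from the patch: `struct strbuf`, `strbuf_appendf` and `format_prefixes` are hypothetical names, the input pairs are constructed, and only the format string is taken from the patch. It goes one step beyond the patch by also rejecting truncated output, and it always frees the base pointer.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cursor: `base` stays at the malloc() result so it can be freed. */
struct strbuf { char *base; size_t pos, cap; };

/* Append formatted text; 0 on success, -1 on error or truncation. Keeps pos < cap. */
static int strbuf_appendf(struct strbuf *sb, const char *fmt, ...)
{
    size_t room = sb->cap - sb->pos;
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(sb->base + sb->pos, room, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= room) {   /* output error, or it did not fit */
        sb->base[sb->pos] = '\0';       /* discard any partial output */
        return -1;
    }
    sb->pos += (size_t)n;               /* advance only by a validated length */
    return 0;
}

/* Format (name, prefix) pairs into `cap` bytes; malloc()ed string or NULL on failure. */
static char *format_prefixes(const char *const pairs[][2], size_t n, size_t cap)
{
    struct strbuf sb = { cap ? malloc(cap) : NULL, 0, cap };
    if (sb.base == NULL)
        return NULL;
    sb.base[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (strbuf_appendf(&sb, "user %s prefix %s;\n", pairs[i][0], pairs[i][1]) != 0) {
            free(sb.base);              /* base pointer, never the advanced cursor */
            return NULL;
        }
    }
    return sb.base;
}

int main(void)
{
    const char *const pairs[][2] = { {"alice", "user"}, {"bob", "staff"} }; /* constructed */
    char *ok = format_prefixes(pairs, 2, 48), *cut = format_prefixes(pairs, 2, 47);
    printf("%s48 bytes: %s, 47 bytes: %s\n", ok ? ok : "", ok ? "ok" : "NULL", cut ? "ok" : "NULL");
    free(ok); free(cut);
    return 0;
}
```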
* Re: [PATCH] libsepol/cil: bail out on snprintf failure
From: James Carter @ 2022-01-03 17:45 UTC (permalink / raw)
To: Christian Göttsche; +Cc: SElinux list
On Mon, Dec 20, 2021 at 3:16 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Do not continue with a negative return value once a string append
> operation fails to avoid increasing the buffer length variable
> `str_len`, potentially leading to an out-of-bounds write.
>
> Found by GitHub CodeQL.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
> ---
> libsepol/cil/src/cil.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
> index 9916cbee..38edcf8e 100644
> --- a/libsepol/cil/src/cil.c
> +++ b/libsepol/cil/src/cil.c
> @@ -1456,6 +1456,12 @@ int cil_userprefixes_to_string(struct cil_db *db, char **out, size_t *size)
>
> buf_pos = snprintf(str_tmp, str_len, "user %s prefix %s;\n", user->datum.fqn,
> userprefix->prefix_str);
> + if (buf_pos < 0) {
> + free(str_tmp);
> + *size = 0;
> + *out = NULL;
> + goto exit;
> + }
> str_len -= buf_pos;
> str_tmp += buf_pos;
> }
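Review bot: The new condition `buf_pos < 0` catches an output error but not truncation. snprintf returns the length it would have written, so a return value of `str_len` or more still reaches `str_len -= buf_pos` and `str_tmp += buf_pos` and moves the cursor past the end of the buffer. If the buffer is sized so that this cannot happen, a short comment saying so would help; otherwise reject `buf_pos >= str_len` in the same branch.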
> --
> 2.34.1
>
* Re: [PATCH] libsepol/cil: bail out on snprintf failure
From: James Carter @ 2022-01-05 18:24 UTC (permalink / raw)
To: Christian Göttsche; +Cc: SElinux list
On Mon, Jan 3, 2022 at 12:45 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Mon, Dec 20, 2021 at 3:16 PM Christian Göttsche
> <cgzones@googlemail.com> wrote:
> >
> > Do not continue with a negative return value once a string append
> > operation fails to avoid increasing the buffer length variable
> > `str_len`, potentially leading to an out-of-bounds write.
> >
> > Found by GitHub CodeQL.
> >
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>
> Acked-by: James Carter <jwcart2@gmail.com>
>
Merged.
Thanks,
Jim
> > ---
> > libsepol/cil/src/cil.c | 6 ++++++
> > 1 file changed, 6 insertions(+)
> >
> > diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
> > index 9916cbee..38edcf8e 100644
> > --- a/libsepol/cil/src/cil.c
> > +++ b/libsepol/cil/src/cil.c
> > @@ -1456,6 +1456,12 @@ int cil_userprefixes_to_string(struct cil_db *db, char **out, size_t *size)
> >
> > buf_pos = snprintf(str_tmp, str_len, "user %s prefix %s;\n", user->datum.fqn,
> > userprefix->prefix_str);
> > + if (buf_pos < 0) {
> > + free(str_tmp);
> > + *size = 0;
> > + *out = NULL;
> > + goto exit;
> > + }
> > str_len -= buf_pos;
> > str_tmp += buf_pos;
> > }
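Review bot: Nothing in the added branch sets a return code before `goto exit`; it only clears `*size` and `*out`. Check that the value returned at `exit` is an error on this path: if the status variable still holds a success value from earlier in the function, callers will see success together with `*out == NULL`. Setting the status explicitly inside the branch would make the failure unambiguous.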
> > --
> > 2.34.1
> >