From: James Carter <jwcart2@tycho.nsa.gov>
To: Nicolas Iooss <nicolas.iooss@m4x.org>, selinux@tycho.nsa.gov
Subject: Re: [PATCH 1/3] libsepol/cil: make cil_resolve_name() fail for '.'
Date: Tue, 4 Oct 2016 10:39:59 -0400 [thread overview]
Message-ID: <f347fc41-dbeb-b06e-5f19-d2287af87f7f@tycho.nsa.gov> (raw)
In-Reply-To: <20161003204657.2635-2-nicolas.iooss@m4x.org>
On 10/03/2016 04:46 PM, Nicolas Iooss wrote:
> This CIL policy makes secilc crash with a NULL pointer dereference:
>
> (class CLASS (PERM))
> (classorder (CLASS))
> (sid SID)
> (sidorder (SID))
> (user USER)
> (role ROLE)
> (type TYPE)
> (category CAT)
> (categoryorder (CAT))
> (sensitivity SENS)
> (sensitivityorder (SENS))
> (sensitivitycategory SENS (CAT))
> (allow TYPE self (CLASS (PERM)))
> (roletype ROLE TYPE)
> (userrole USER ROLE)
> (userlevel USER (SENS))
> (userrange USER ((SENS)(SENS (CAT))))
> (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
>
> (allow . self (CLASS (PERM)))
>
> Using "." in the allow statement makes strtok_r() return NULL in
> cil_resolve_name() and this result is then used in a call to
> cil_symtab_get_datum(), which is thus invalid.
>
> Instead of crashing, make secilc fail with an error message.
>
> This bug has been found by fuzzing secilc with american fuzzy lop.
>
> Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
> ---
> libsepol/cil/src/cil_resolve_ast.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
> index 917adf8d23da..5b86908c4120 100644
> --- a/libsepol/cil/src/cil_resolve_ast.c
> +++ b/libsepol/cil/src/cil_resolve_ast.c
> @@ -4027,7 +4027,13 @@ int cil_resolve_name(struct cil_tree_node *ast_node, char *name, enum cil_sym_in
> char *current = strtok_r(name_dup, ".", &sp);
> char *next = strtok_r(NULL, ".", &sp);
> symtab_t *symtab = NULL;
> -
> +
> + if (current == NULL) {
> + /* Only dots */
> + cil_tree_log(ast_node, CIL_ERR, "Invalid name %s", name);
I added "free(name_dup);" here when I applied the patch.
Jim
> + goto exit;
> + }
> +
> node = ast_node;
> if (*name == '.') {
> /* Leading '.' */
>
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
next prev parent reply other threads:[~2016-10-04 14:39 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-03 20:46 [PATCH 0/3] Fuzzing secilc with AFL Nicolas Iooss
2016-10-03 20:46 ` [PATCH 1/3] libsepol/cil: make cil_resolve_name() fail for '.' Nicolas Iooss
2016-10-04 14:39 ` James Carter [this message]
2016-10-03 20:46 ` [PATCH 2/3] libsepol/cil: fix double-free in cil categories parser Nicolas Iooss
2016-10-03 20:46 ` [PATCH 3/3] libsepol/cil: fix memory leak in __cil_fill_expr() Nicolas Iooss
2016-10-04 14:40 ` [PATCH 0/3] Fuzzing secilc with AFL James Carter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f347fc41-dbeb-b06e-5f19-d2287af87f7f@tycho.nsa.gov \
--to=jwcart2@tycho.nsa.gov \
--cc=nicolas.iooss@m4x.org \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.