From: william.c.roberts@intel.com
To: selinux@tycho.nsa.gov, jwcart2@tycho.nsa.gov,
	seandroid-list@tycho.nsa.gov, sds@tycho.nsa.gov
Subject: [PATCH v4 6/7] libsepol: fix uninitialized jmp and invalid dereference
Date: Tue, 16 Aug 2016 10:28:36 -0700
Message-ID: <1471368517-20552-7-git-send-email-william.c.roberts@intel.com>
In-Reply-To: <1471368517-20552-1-git-send-email-william.c.roberts@intel.com>

From: William Roberts <william.c.roberts@intel.com>

When initializing the role_datum_t array, initialize the array.
This corrects this issue:

==25766== Conditional jump or move depends on uninitialised value(s)
==25766==    at 0x40ABFE: context_is_valid (context.c:59)
==25766==    by 0x40AAED: policydb_context_isvalid (context.c:19)
==25766==    by 0x43CBF4: context_read_and_validate (policydb.c:1881)
==25766==    by 0x43E7B3: ocontext_read_selinux (policydb.c:2631)
==25766==    by 0x43EC4D: ocontext_read (policydb.c:2729)
==25766==    by 0x442019: policydb_read (policydb.c:3937)
==25766==    by 0x442F15: sepol_policydb_read (policydb_public.c:174)
==25766==    by 0x407ED4: init (check_seapp.c:885)
==25766==    by 0x408D83: main (check_seapp.c:1230)

Also, check for NULL when determining if a role can be associated
with a type.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libsepol/src/context.c  | 2 +-
 libsepol/src/policydb.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/libsepol/src/context.c b/libsepol/src/context.c
index 84dad34..420ee16 100644
--- a/libsepol/src/context.c
+++ b/libsepol/src/context.c
@@ -55,7 +55,7 @@ int context_is_valid(const policydb_t * p, const context_struct_t * c)
 		 * Role must be authorized for the type.
 		 */
 		role = p->role_val_to_struct[c->role - 1];
-		if (!ebitmap_get_bit(&role->cache, c->type - 1))
+		if (!role || !ebitmap_get_bit(&role->cache, c->type - 1))
 			/* role may not be associated with type */
 			return 0;
 
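Review bot: the added `!role` test is only meaningful if a missing slot in `role_val_to_struct` is actually NULL, which depends on the array being zero-filled at allocation; with the previous `malloc`'d array an unpopulated entry is indeterminate rather than NULL, so this hunk and the `calloc` change in policydb.c must land together, as they do here. The hunk also shows `c->role - 1` used as an index with no visible check that `c->role` lies in `1..p->p_roles.nprim`; if that range is not enforced earlier in `context_is_valid`, the NULL check alone does not cover an out-of-range role value. Consider widening the comment to `/* role may not exist or may not be associated with type */` so the fail-closed `return 0` documents both cases.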
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index b8f6ca8..60761b7 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -1068,7 +1068,7 @@ int policydb_index_others(sepol_handle_t * handle,
 
 	free(p->role_val_to_struct);
 	p->role_val_to_struct = (role_datum_t **)
-	    malloc(p->p_roles.nprim * sizeof(role_datum_t *));
+	    calloc(p->p_roles.nprim, sizeof(role_datum_t *));
 	if (!p->role_val_to_struct)
 		return -1;
 
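Review bot: `calloc` is the right fix here because entries for role values that are never populated later stay NULL and can be caught by the `!role` check in context.c, whereas `malloc` left them indeterminate, which is exactly the "conditional jump depends on uninitialised value(s)" Valgrind reports at context.c:59. Two small points: the `(role_datum_t **)` cast is unnecessary in C and could be dropped while this line is being touched, and the commit message would be more precise saying the array is zeroed rather than "initialized", since that is what this hunk does. A side benefit worth noting in the log is that glibc's `calloc` returns NULL when `p->p_roles.nprim * sizeof(role_datum_t *)` would overflow, where the `malloc` form silently wrapped the product.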
-- 
1.9.1
