From: James Carter <jwcart2@gmail.com>
To: Nicolas Iooss <nicolas.iooss@m4x.org>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [PATCH 1/6] libsepol: do not decode out-of-bound rolebounds
Date: Mon, 4 Jan 2021 10:51:21 -0500 [thread overview]
Message-ID: <CAP+JOzQc3yXczhk5JfUrr+6rFe3AXis+yJAukCFbz=aQotriQQ@mail.gmail.com> (raw)
In-Reply-To: <CAP+JOzQBQ--xZWukZcZTsZ1Eq01Fk4xCa66AotYCHKxZEG-QgQ@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1866 bytes --]
On Mon, Jan 4, 2021 at 10:48 AM James Carter <jwcart2@gmail.com> wrote:
>
> On Wed, Dec 30, 2020 at 5:11 AM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
> >
> > While fuzzing /usr/libexec/hll/pp, a policy module was generated with a
> > role->bounds larger that the number of roles in the policy.
> >
> > This issue has been found while fuzzing hll/pp with the American Fuzzy
> > Lop.
> >
> > Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
> > ---
> > libsepol/src/module_to_cil.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
> > index a87bc15e7610..c99790eb76e7 100644
> > --- a/libsepol/src/module_to_cil.c
> > +++ b/libsepol/src/module_to_cil.c
> > @@ -2165,7 +2165,9 @@ static int role_to_cil(int indent, struct policydb *pdb, struct avrule_block *UN
> > }
> > }
> >
> > - if (role->bounds > 0) {
> > + if (role->bounds >= pdb->p_roles.nprim) {
> > + log_err("Warning: role %s defines an out-of-bound rolebounds", key);
> > + } else if (role->bounds > 0) {
> > cil_println(indent, "(rolebounds %s %s)", key, pdb->p_role_val_to_name[role->bounds - 1]);
> > }
> > break;
> > --
> > 2.29.2
> >
>
> There are other places where the bounds value is used as an index and
> type datums also have bounds that are used in the same way.
>
> Correct me if I am wrong, but I think that this can only occur by
> crafting a binary (and not as a result of a policy being compiled). So
> I think the correct place for the check would be when the binary file
> is read.
>
> I'll have to test to be sure, but I think the attached patch might do
> the proper checking.
>
Oops, that patch had typos. This one.
> Jim
[-- Attachment #2: bounds.patch --]
[-- Type: text/x-patch, Size: 908 bytes --]
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index ce8f3ad7..6faaaa58 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -1030,6 +1030,8 @@ static int role_index(hashtab_key_t key, hashtab_datum_t datum, void *datap)
return -EINVAL;
if (p->p_role_val_to_name[role->s.value - 1] != NULL)
return -EINVAL;
+ if (role->bounds > p->p_roles.nprim)
+ return -EINVAL;
p->p_role_val_to_name[role->s.value - 1] = (char *)key;
p->role_val_to_struct[role->s.value - 1] = role;
@@ -1049,6 +1051,8 @@ static int type_index(hashtab_key_t key, hashtab_datum_t datum, void *datap)
return -EINVAL;
if (p->p_type_val_to_name[typdatum->s.value - 1] != NULL)
return -EINVAL;
+ if (typdatum->bounds > p->p_types.nprim)
+ return -EINVAL;
p->p_type_val_to_name[typdatum->s.value - 1] = (char *)key;
p->type_val_to_struct[typdatum->s.value - 1] = typdatum;
}
next prev parent reply other threads:[~2021-01-04 15:52 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-30 10:07 [PATCH 1/6] libsepol: do not decode out-of-bound rolebounds Nicolas Iooss
2020-12-30 10:07 ` [PATCH 2/6] libsepol: ensure that hashtab_search is not called with a NULL key Nicolas Iooss
2021-01-04 16:31 ` James Carter
2021-01-06 8:12 ` Nicolas Iooss
2020-12-30 10:07 ` [PATCH 3/6] libsepol/cil: constify some strings Nicolas Iooss
2021-01-04 16:33 ` James Carter
2021-01-05 16:07 ` James Carter
2020-12-30 10:07 ` [PATCH 4/6] libsepol/cil: fix NULL pointer dereference when parsing an improper integer Nicolas Iooss
2020-12-31 15:04 ` William Roberts
2021-01-02 11:13 ` Nicolas Iooss
2021-01-03 18:32 ` William Roberts
2021-01-04 16:43 ` James Carter
2021-01-05 12:51 ` William Roberts
2020-12-30 10:07 ` [PATCH 5/6] libsepol/cil: fix out-of-bound read in cil_print_recursive_blockinherit Nicolas Iooss
2021-01-04 18:17 ` James Carter
2021-01-05 16:08 ` James Carter
2020-12-30 10:07 ` [PATCH 6/6] libsepol/cil: destroy perm_datums when __cil_resolve_perms fails Nicolas Iooss
2020-12-31 15:05 ` William Roberts
2021-01-04 18:18 ` James Carter
2021-01-05 16:08 ` James Carter
2021-01-04 15:48 ` [PATCH 1/6] libsepol: do not decode out-of-bound rolebounds James Carter
2021-01-04 15:51 ` James Carter [this message]
2021-01-06 8:05 ` Nicolas Iooss
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAP+JOzQc3yXczhk5JfUrr+6rFe3AXis+yJAukCFbz=aQotriQQ@mail.gmail.com' \
--to=jwcart2@gmail.com \
--cc=nicolas.iooss@m4x.org \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).