From: "Christian Göttsche" <cgzones@googlemail.com>
To: selinux@vger.kernel.org
Subject: [PATCH 1/2] libsepol: avoid fixed sized format buffer for xperms
Date: Mon, 20 Nov 2023 15:31:44 +0100 [thread overview]
Message-ID: <20231120143145.28831-1-cgzones@googlemail.com> (raw)
An extended access vector rule can consist of many individual ranges of
permissions. Use a dynamically growing sized buffer for formatting such
rules instead of a static buffer to avoid write failures due to
truncations.
Reported-by: oss-fuzz (issue 64316)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
libsepol/src/kernel_to_cil.c | 40 +++++++++++++++++++++++-------------
1 file changed, 26 insertions(+), 14 deletions(-)
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index 8fcc385d..c50828df 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -1634,18 +1634,25 @@ static char *xperms_to_str(avtab_extended_perms_t *xperms)
uint16_t low_value;
unsigned int bit;
unsigned int in_range = 0;
- static char xpermsbuf[2048];
- char *p;
- int len, remaining;
-
- p = xpermsbuf;
- remaining = sizeof(xpermsbuf);
+ char *buffer = NULL, *p;
+ int len;
+ size_t remaining, size = 128;
if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
&& (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER)) {
return NULL;
}
+retry:
+ size *= 2;
+ if (size == 0)
+ goto err;
+ p = realloc(buffer, size);
+ if (!p)
+ goto err;
+ buffer = p;
+ remaining = size;
+
for (bit = 0; bit < sizeof(xperms->perms)*8; bit++) {
len = 0;
@@ -1682,22 +1689,26 @@ static char *xperms_to_str(avtab_extended_perms_t *xperms)
}
}
- if (len < 0 || len >= remaining) {
- return NULL;
- }
+ if (len < 0)
+ goto err;
+ if ((size_t)len >= remaining)
+ goto retry;
p += len;
remaining -= len;
}
- if (remaining < 2) {
- return NULL;
- }
+ if (remaining < 2)
+ goto retry;
- xpermsbuf[0] = '(';
+ buffer[0] = '(';
*p++ = ')';
*p = '\0';
- return xpermsbuf;
+ return buffer;
+
+err:
+ free(buffer);
+ return NULL;
}
static char *avtab_node_to_str(struct policydb *pdb, avtab_key_t *key, avtab_datum_t *datum)
@@ -1769,6 +1780,7 @@ static char *avtab_node_to_str(struct policydb *pdb, avtab_key_t *key, avtab_dat
rule = create_str("(%s %s %s (%s %s (%s)))", 6,
flavor, src, tgt, "ioctl", class, perms);
+ free(perms);
} else {
new = pdb->p_type_val_to_name[data - 1];
--
2.42.0
next reply other threads:[~2023-11-20 14:32 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-20 14:31 Christian Göttsche [this message]
2023-11-20 14:31 ` [PATCH 2/2] libsepol: avoid fixed sized format buffer for xperms Christian Göttsche
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231120143145.28831-1-cgzones@googlemail.com \
--to=cgzones@googlemail.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).