From: James Carter <jwcart2@gmail.com>
To: selinux@vger.kernel.org
Cc: James Carter <jwcart2@gmail.com>
Subject: [PATCH] libsepol: Fix buffer overflow when using sepol_av_to_string()
Date: Mon, 11 Mar 2024 08:48:31 -0400 [thread overview]
Message-ID: <20240311124832.2659731-1-jwcart2@gmail.com> (raw)
The function sepol_av_to_string() returns a list of permissions
with a space at the beginning. This fits the normal formating of
permisisons for a policy.conf policy which uses a format of
"{ p1 p2 ... pn }", but not the formating for a CIL policy which uses
a format of "(p1 p2 ... pn)". Both kernel_to_cil and module_to_cil
skip the space by using "perms+1", but this is a problem if there
are no permissions because sepol_av_to_string() returns '\0'.
In kernel_to_cil and module_to_cil, check for the permission string
being '\0' and return an error if it is.
Reported-by: oss-fuzz (issue 67276)
Signed-off-by: James Carter <jwcart2@gmail.com>
---
libsepol/src/kernel_to_cil.c | 11 +++++++++++
libsepol/src/module_to_cil.c | 12 ++++++++++++
2 files changed, 23 insertions(+)
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index a081915e..e20ba4af 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -302,6 +302,12 @@ static int class_constraint_rules_to_strs(struct policydb *pdb, char *classkey,
rc = -1;
goto exit;
}
+ if (*perms == '\0') {
+ ERR(NULL, "No permisisons in permission string");
+ free(perms);
+ rc = -1;
+ goto exit;
+ }
if (is_mls) {
key_word = "mlsconstrain";
@@ -1775,6 +1781,11 @@ static char *avtab_node_to_str(struct policydb *pdb, avtab_key_t *key, avtab_dat
ERR(NULL, "Failed to generate permission string");
goto exit;
}
+ if (*perms == '\0') {
+ ERR(NULL, "No permisisons in permission string");
+ free(perms);
+ goto exit;
+ }
rule = create_str("(%s %s %s (%s (%s)))",
flavor, src, tgt, class, perms+1);
free(perms);
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 6699a46b..3b3480bf 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -593,6 +593,12 @@ static int avrule_to_cil(int indent, struct policydb *pdb, uint32_t type, const
rc = -1;
goto exit;
}
+ if (*perms == '\0') {
+ ERR(NULL, "No permissions in permission string");
+ free(perms);
+ rc = -1;
+ goto exit;
+ }
cil_println(indent, "(%s %s %s (%s (%s)))",
rule, src, tgt,
pdb->p_class_val_to_name[classperm->tclass - 1],
@@ -1973,6 +1979,12 @@ static int constraints_to_cil(int indent, struct policydb *pdb, char *classkey,
rc = -1;
goto exit;
}
+ if (*perms == '\0') {
+ ERR(NULL, "No permissions in permission string");
+ free(perms);
+ rc = -1;
+ goto exit;
+ }
cil_println(indent, "(%sconstrain (%s (%s)) %s)", mls, classkey, perms + 1, expr);
free(perms);
} else {
--
2.44.0
next reply other threads:[~2024-03-11 12:48 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-11 12:48 James Carter [this message]
2024-03-11 13:48 ` [PATCH] libsepol: Fix buffer overflow when using sepol_av_to_string() Christian Göttsche
2024-03-11 20:32 ` James Carter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240311124832.2659731-1-jwcart2@gmail.com \
--to=jwcart2@gmail.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).