Message ID | 20200123204004.25600-1-jwcart2@tycho.nsa.gov (mailing list archive) |
---|---|
State | Accepted |
Series | libsepol/cil: Fix bug in cil_copy_avrule() in extended permission handling |
On Thu, Jan 23, 2020 at 9:39 PM James Carter <jwcart2@tycho.nsa.gov> wrote: > When copying an avrule with extended permissions (permx) in > cil_copy_avrule(), the check for a named permx checks the new permx > instead of the old one, so the check will always fail. This leads to a > segfault when trying to copy a named permx because there will be an > attempt to copy the nonexistent permx struct instead of the name of > the named permx. > > Check whether the original is a named permx instead of the new one. > > Signed-off-by: James Carter <jwcart2@tycho.nsa.gov> (OK, this looks simple enough to try out my new maintainer "powers" :) Acked-by: Ondrej Mosnacek <omosnace@redhat.com> > --- > libsepol/cil/src/cil_copy_ast.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libsepol/cil/src/cil_copy_ast.c b/libsepol/cil/src/cil_copy_ast.c > index 7af00aaf..67dd8528 100644 > --- a/libsepol/cil/src/cil_copy_ast.c > +++ b/libsepol/cil/src/cil_copy_ast.c > @@ -827,7 +827,7 @@ int cil_copy_avrule(struct cil_db *db, void *data, void **copy, __attribute__((u > if (!new->is_extended) { > cil_copy_classperms_list(orig->perms.classperms, &new->perms.classperms); > } else { > - if (new->perms.x.permx_str != NULL) { > + if (orig->perms.x.permx_str != NULL) { > new->perms.x.permx_str = orig->perms.x.permx_str; > } else { > cil_permissionx_init(&new->perms.x.permx); > -- > 2.21.1 >
On Fri, Jan 24, 2020 at 2:12 PM Ondrej Mosnacek <omosnace@redhat.com> wrote: > On Thu, Jan 23, 2020 at 9:39 PM James Carter <jwcart2@tycho.nsa.gov> wrote: > > When copying an avrule with extended permissions (permx) in > > cil_copy_avrule(), the check for a named permx checks the new permx > > instead of the old one, so the check will always fail. This leads to a > > segfault when trying to copy a named permx because there will be an > > attempt to copy the nonexistent permx struct instead of the name of > > the named permx. > > > > Check whether the original is a named permx instead of the new one. > > > > Signed-off-by: James Carter <jwcart2@tycho.nsa.gov> > > (OK, this looks simple enough to try out my new maintainer "powers" :) > > Acked-by: Ondrej Mosnacek <omosnace@redhat.com> Now applied, thanks. > > > --- > > libsepol/cil/src/cil_copy_ast.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/libsepol/cil/src/cil_copy_ast.c b/libsepol/cil/src/cil_copy_ast.c > > index 7af00aaf..67dd8528 100644 > > --- a/libsepol/cil/src/cil_copy_ast.c > > +++ b/libsepol/cil/src/cil_copy_ast.c > > @@ -827,7 +827,7 @@ int cil_copy_avrule(struct cil_db *db, void *data, void **copy, __attribute__((u > > if (!new->is_extended) { > > cil_copy_classperms_list(orig->perms.classperms, &new->perms.classperms); > > } else { > > - if (new->perms.x.permx_str != NULL) { > > + if (orig->perms.x.permx_str != NULL) { > > new->perms.x.permx_str = orig->perms.x.permx_str; > > } else { > > cil_permissionx_init(&new->perms.x.permx); > > -- > > 2.21.1 > > > > -- > Ondrej Mosnacek <omosnace at redhat dot com> > Software Engineer, Security Technologies > Red Hat, Inc. -- Ondrej Mosnacek <omosnace at redhat dot com> Software Engineer, Security Technologies Red Hat, Inc.
diff --git a/libsepol/cil/src/cil_copy_ast.c b/libsepol/cil/src/cil_copy_ast.c index 7af00aaf..67dd8528 100644 --- a/libsepol/cil/src/cil_copy_ast.c +++ b/libsepol/cil/src/cil_copy_ast.c @@ -827,7 +827,7 @@ int cil_copy_avrule(struct cil_db *db, void *data, void **copy, __attribute__((u if (!new->is_extended) { cil_copy_classperms_list(orig->perms.classperms, &new->perms.classperms); } else { - if (new->perms.x.permx_str != NULL) { + if (orig->perms.x.permx_str != NULL) { new->perms.x.permx_str = orig->perms.x.permx_str; } else { cil_permissionx_init(&new->perms.x.permx);
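Review bot: nothing in this change exercises the path it fixes. The diffstat touches only cil_copy_ast.c, so a later edit to the `if (orig->perms.x.permx_str != NULL)` test could bring the segfault back unnoticed. A small test policy that forces an avrule with a named permx through cil_copy_avrule() would pin the behaviour. Two smaller points on the same hunk: the named branch assigns `new->perms.x.permx_str = orig->perms.x.permx_str;`, which shares the pointer rather than duplicating the string, so a short comment on who owns that string would help the next reader; and the else branch now relies on every extended rule without a name carrying an anonymous permx struct, which deserves a comment or an explicit check on `orig->perms.x.permx` before it is copied.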
When copying an avrule with extended permissions (permx) in cil_copy_avrule(), the check for a named permx checks the new permx instead of the old one, so the check will always fail. This leads to a segfault when trying to copy a named permx because there will be an attempt to copy the nonexistent permx struct instead of the name of the named permx. Check whether the original is a named permx instead of the new one. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov> --- libsepol/cil/src/cil_copy_ast.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)