mbox series

[RFC,00/35] libsepol: add fuzzer for reading binary policies

Message ID 20211011162533.53404-1-cgzones@googlemail.com (mailing list archive)
Headers show
Series libsepol: add fuzzer for reading binary policies | expand

Message

Christian Göttsche Oct. 11, 2021, 4:24 p.m. UTC
Add a libfuzz[1] based fuzzer testing the reading and parsing of binary policy
files. This fuzzer will be run within the OSS-Fuzz service.

Handle and reject a variety of edge cases causing crashes or resource leaks.

The fifth patch ("libsepol/fuzz: limit element sizes for fuzzing") needs some
discussion: To avoid oom reports from the fuzzer, caused by huge memory
allocations, all identifiers are limited to a length of 2^16 for the fuzzer
build only.  Probably there should be a limit for the release build too.
Is there a specification for the binary policy format saying something about
the maximum length of identifiers?
After a quick look at the kernel sources (most interesting is str_read()) I
could not find any limits either.

[1]: https://llvm.org/docs/LibFuzzer.html

Christian Göttsche (35):
  cifuzz: enable report-unreproducible-crashes
  cifuzz: use the default runtime of 600 seconds
  libsepol/fuzz: silence secilc-fuzzer
  libsepol: add libfuzz based fuzzer for reading binary policies
  libsepol/fuzz: limit element sizes for fuzzing
  libsepol: use logging framework in conditional.c
  libsepol: use logging framework in ebitmap.c
  libsepol: use mallocarray wrapper to avoid overflows
  libsepol: use reallocarray wrapper to avoid overflows
  libsepol: add checks for read sizes
  libsepol: enforce avtab item limit
  libsepol: clean memory on conditional read failure
  libsepol: validate MLS levels
  libsepol: reject invalid fsuse types
  libsepol: reject invalid default targets
  libsepol: validate expanded user range and level
  libsepol: validate types
  libsepol: use size_t for indexes in strs helpers
  libsepol: reject abnormal huge sid ids
  libsepol: do not crash on class gaps
  libsepol: do not crash on user gaps
  libsepol: validate permission count of classes
  libsepol: resolve log message mismatch
  libsepol: zero member before potential dereference
  libsepol: validate avtab types
  libsepol: validate constraint expression operators and attributes
  libsepol: validate type of avtab type rules
  libsepol: validate ocontexts
  libsepol: validate genfs contexts
  libsepol: validate permissive types
  libsepol: validate policy properties
  libsepol: do not underflow on short format arguments
  libsepol: validate categories
  libsepol: use correct size for initial string list
  libsepol: do not create a string list with initial size zero

 .github/workflows/cifuzz.yml     |   3 +-
 libsepol/fuzz/binpolicy-fuzzer.c |  63 +++++++
 libsepol/fuzz/policy.bin         | Bin 0 -> 1552 bytes
 libsepol/fuzz/secilc-fuzzer.c    |   5 +
 libsepol/src/Makefile            |   6 +
 libsepol/src/avtab.c             |   6 +
 libsepol/src/conditional.c       |  36 ++--
 libsepol/src/ebitmap.c           |  27 ++-
 libsepol/src/expand.c            |   4 +-
 libsepol/src/hashtab.c           |   4 +-
 libsepol/src/kernel_to_cil.c     |  10 ++
 libsepol/src/kernel_to_common.c  |  23 ++-
 libsepol/src/kernel_to_common.h  |   4 +-
 libsepol/src/kernel_to_conf.c    |  13 +-
 libsepol/src/link.c              |   3 +-
 libsepol/src/module.c            |   4 +-
 libsepol/src/module_to_cil.c     |  13 +-
 libsepol/src/optimize.c          |  11 +-
 libsepol/src/policydb.c          |  68 +++++++-
 libsepol/src/policydb_validate.c | 274 +++++++++++++++++++++++++++++--
 libsepol/src/private.h           |  27 ++-
 libsepol/src/services.c          |  12 +-
 libsepol/src/sidtab.c            |   3 +-
 libsepol/src/user_record.c       |   8 +-
 libsepol/src/users.c             |  12 +-
 libsepol/src/util.c              |  11 +-
 libsepol/src/write.c             |   2 +-
 scripts/oss-fuzz.sh              |  19 ++-
 28 files changed, 556 insertions(+), 115 deletions(-)
 create mode 100644 libsepol/fuzz/binpolicy-fuzzer.c
 create mode 100644 libsepol/fuzz/policy.bin

Comments

James Carter Oct. 13, 2021, 2:07 p.m. UTC | #1
This needs to be broken up into three patch sets.

1) libfuzz: patches 1-5
2) policydb_validate improvements: patches 13, 16, 17, 22, 23, 25-31, 33
3) General libsepol fixes: patches 6-12, 14, 15, 18-21, 24, 32, 34, 35

I have some comments on the individual patches which will be coming soon.

Thanks,
Jim

On Mon, Oct 11, 2021 at 12:42 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Add a libfuzz[1] based fuzzer testing the reading and parsing of binary policy
> files. This fuzzer will be run within the OSS-Fuzz service.
>
> Handle and reject a variety of edge cases causing crashes or resource leaks.
>
> The fifth patch ("libsepol/fuzz: limit element sizes for fuzzing") needs some
> discussion: To avoid oom reports from the fuzzer, caused by huge memory
> allocations, all identifiers are limited to a length of 2^16 for the fuzzer
> build only.  Probably there should be a limit for the release build too.
> Is there a specification for the binary policy format saying something about
> the maximum length of identifiers?
> After a quick look at the kernel sources (most interesting is str_read()) I
> could not find any limits either.
>
> [1]: https://llvm.org/docs/LibFuzzer.html
>
> Christian Göttsche (35):
>   cifuzz: enable report-unreproducible-crashes
>   cifuzz: use the default runtime of 600 seconds
>   libsepol/fuzz: silence secilc-fuzzer
>   libsepol: add libfuzz based fuzzer for reading binary policies
>   libsepol/fuzz: limit element sizes for fuzzing
>   libsepol: use logging framework in conditional.c
>   libsepol: use logging framework in ebitmap.c
>   libsepol: use mallocarray wrapper to avoid overflows
>   libsepol: use reallocarray wrapper to avoid overflows
>   libsepol: add checks for read sizes
>   libsepol: enforce avtab item limit
>   libsepol: clean memory on conditional read failure
>   libsepol: validate MLS levels
>   libsepol: reject invalid fsuse types
>   libsepol: reject invalid default targets
>   libsepol: validate expanded user range and level
>   libsepol: validate types
>   libsepol: use size_t for indexes in strs helpers
>   libsepol: reject abnormal huge sid ids
>   libsepol: do not crash on class gaps
>   libsepol: do not crash on user gaps
>   libsepol: validate permission count of classes
>   libsepol: resolve log message mismatch
>   libsepol: zero member before potential dereference
>   libsepol: validate avtab types
>   libsepol: validate constraint expression operators and attributes
>   libsepol: validate type of avtab type rules
>   libsepol: validate ocontexts
>   libsepol: validate genfs contexts
>   libsepol: validate permissive types
>   libsepol: validate policy properties
>   libsepol: do not underflow on short format arguments
>   libsepol: validate categories
>   libsepol: use correct size for initial string list
>   libsepol: do not create a string list with initial size zero
>
>  .github/workflows/cifuzz.yml     |   3 +-
>  libsepol/fuzz/binpolicy-fuzzer.c |  63 +++++++
>  libsepol/fuzz/policy.bin         | Bin 0 -> 1552 bytes
>  libsepol/fuzz/secilc-fuzzer.c    |   5 +
>  libsepol/src/Makefile            |   6 +
>  libsepol/src/avtab.c             |   6 +
>  libsepol/src/conditional.c       |  36 ++--
>  libsepol/src/ebitmap.c           |  27 ++-
>  libsepol/src/expand.c            |   4 +-
>  libsepol/src/hashtab.c           |   4 +-
>  libsepol/src/kernel_to_cil.c     |  10 ++
>  libsepol/src/kernel_to_common.c  |  23 ++-
>  libsepol/src/kernel_to_common.h  |   4 +-
>  libsepol/src/kernel_to_conf.c    |  13 +-
>  libsepol/src/link.c              |   3 +-
>  libsepol/src/module.c            |   4 +-
>  libsepol/src/module_to_cil.c     |  13 +-
>  libsepol/src/optimize.c          |  11 +-
>  libsepol/src/policydb.c          |  68 +++++++-
>  libsepol/src/policydb_validate.c | 274 +++++++++++++++++++++++++++++--
>  libsepol/src/private.h           |  27 ++-
>  libsepol/src/services.c          |  12 +-
>  libsepol/src/sidtab.c            |   3 +-
>  libsepol/src/user_record.c       |   8 +-
>  libsepol/src/users.c             |  12 +-
>  libsepol/src/util.c              |  11 +-
>  libsepol/src/write.c             |   2 +-
>  scripts/oss-fuzz.sh              |  19 ++-
>  28 files changed, 556 insertions(+), 115 deletions(-)
>  create mode 100644 libsepol/fuzz/binpolicy-fuzzer.c
>  create mode 100644 libsepol/fuzz/policy.bin
>
> --
> 2.33.0
>