| Message ID | 20220106204336.147180-1-cgzones@googlemail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | libsepol: check for saturated class name length | expand |
On Fri, Jan 7, 2022 at 1:58 PM Christian Göttsche <cgzones@googlemail.com> wrote: > > Check the from the polciy read length value to guard allocations. > > In the fuzzer build the value will also be bounded to avoid oom reports. > > ==143646==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0xd60000000 bytes > #0 0x4dac18 in __interceptor_calloc (./out/binpolicy-fuzzer+0x4dac18) > #1 0x55d388 in scope_index_read ./libsepol/src/policydb.c:3945:7 > #2 0x550097 in avrule_decl_read ./libsepol/src/policydb.c:3984:6 > #3 0x550097 in avrule_block_read ./libsepol/src/policydb.c:4044:8 > #4 0x54b3ac in policydb_read ./libsepol/src/policydb.c:4456:7 > #5 0x518fd9 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:35:6 > #6 0x43f623 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (./out/binpolicy-fuzzer+0x43f623) > #7 0x42910f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (./out/binpolicy-fuzzer+0x42910f) > #8 0x42ee76 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (./out/binpolicy-fuzzer+0x42ee76) > #9 0x458ff2 in main (./out/binpolicy-fuzzer+0x458ff2) > #10 0x7fd37b7931c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 > > Found by oss-fuzz (#42909) > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com> > --- > libsepol/src/policydb.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c > index 79aba3af..562e044e 100644 > --- a/libsepol/src/policydb.c > +++ b/libsepol/src/policydb.c > @@ -3937,7 +3937,7 @@ static int scope_index_read(scope_index_t * scope_index, > if (rc < 0) > return -1; > scope_index->class_perms_len = le32_to_cpu(buf[0]); > - if (scope_index->class_perms_len == 0) { > + if (zero_or_saturated(scope_index->class_perms_len)) { > scope_index->class_perms_map = NULL; > return 0; > } > -- > 2.34.1 >
On Wed, Jan 12, 2022 at 10:28 AM James Carter <jwcart2@gmail.com> wrote: > > On Fri, Jan 7, 2022 at 1:58 PM Christian Göttsche > <cgzones@googlemail.com> wrote: > > > > Check the from the polciy read length value to guard allocations. > > > > In the fuzzer build the value will also be bounded to avoid oom reports. > > > > ==143646==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0xd60000000 bytes > > #0 0x4dac18 in __interceptor_calloc (./out/binpolicy-fuzzer+0x4dac18) > > #1 0x55d388 in scope_index_read ./libsepol/src/policydb.c:3945:7 > > #2 0x550097 in avrule_decl_read ./libsepol/src/policydb.c:3984:6 > > #3 0x550097 in avrule_block_read ./libsepol/src/policydb.c:4044:8 > > #4 0x54b3ac in policydb_read ./libsepol/src/policydb.c:4456:7 > > #5 0x518fd9 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:35:6 > > #6 0x43f623 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (./out/binpolicy-fuzzer+0x43f623) > > #7 0x42910f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (./out/binpolicy-fuzzer+0x42910f) > > #8 0x42ee76 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (./out/binpolicy-fuzzer+0x42ee76) > > #9 0x458ff2 in main (./out/binpolicy-fuzzer+0x458ff2) > > #10 0x7fd37b7931c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 > > > > Found by oss-fuzz (#42909) > > > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > > Acked-by: James Carter <jwcart2@gmail.com> > Merged. Jim > > --- > > libsepol/src/policydb.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c > > index 79aba3af..562e044e 100644 > > --- a/libsepol/src/policydb.c > > +++ b/libsepol/src/policydb.c > > @@ -3937,7 +3937,7 @@ static int scope_index_read(scope_index_t * scope_index, > > if (rc < 0) > > return -1; > > scope_index->class_perms_len = le32_to_cpu(buf[0]); > > - if (scope_index->class_perms_len == 0) { > > + if (zero_or_saturated(scope_index->class_perms_len)) { > > scope_index->class_perms_map = NULL; > > return 0; > > } > > -- > > 2.34.1 > >
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c index 79aba3af..562e044e 100644 --- a/libsepol/src/policydb.c +++ b/libsepol/src/policydb.c @@ -3937,7 +3937,7 @@ static int scope_index_read(scope_index_t * scope_index, if (rc < 0) return -1; scope_index->class_perms_len = le32_to_cpu(buf[0]); - if (scope_index->class_perms_len == 0) { + if (zero_or_saturated(scope_index->class_perms_len)) { scope_index->class_perms_map = NULL; return 0; }
Check the from the polciy read length value to guard allocations. In the fuzzer build the value will also be bounded to avoid oom reports. ==143646==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0xd60000000 bytes #0 0x4dac18 in __interceptor_calloc (./out/binpolicy-fuzzer+0x4dac18) #1 0x55d388 in scope_index_read ./libsepol/src/policydb.c:3945:7 #2 0x550097 in avrule_decl_read ./libsepol/src/policydb.c:3984:6 #3 0x550097 in avrule_block_read ./libsepol/src/policydb.c:4044:8 #4 0x54b3ac in policydb_read ./libsepol/src/policydb.c:4456:7 #5 0x518fd9 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:35:6 #6 0x43f623 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (./out/binpolicy-fuzzer+0x43f623) #7 0x42910f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (./out/binpolicy-fuzzer+0x42910f) #8 0x42ee76 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (./out/binpolicy-fuzzer+0x42ee76) #9 0x458ff2 in main (./out/binpolicy-fuzzer+0x458ff2) #10 0x7fd37b7931c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 Found by oss-fuzz (#42909) Signed-off-by: Christian Göttsche <cgzones@googlemail.com> --- libsepol/src/policydb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)