Message ID | 20220131105608.31380-1-cgzones@googlemail.com (mailing list archive)
---|---
State | Accepted
Series | libsepol: do not add gaps to string list
On Tue, Feb 1, 2022 at 11:31 AM Christian Göttsche <cgzones@googlemail.com> wrote: > > When converting an ebitmap into a string list, skip potential gaps in > ebitmap_to_strs(). All converting functions like strs_to_str(), > strs_write_each() and strs_write_each_indented() do already skip NULL > elements, but sorting such a list will lead to a NULL dereference. > > #0 0x432ce5 in strcmp /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:462:25 > #1 0x4f4893 in strs_cmp selinux/libsepol/src/kernel_to_common.c:258:9 > #2 0x47b74b in qsort_r /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:9994:7 > #3 0x4f481d in strs_sort selinux/libsepol/src/kernel_to_common.c:266:2 > #4 0x4fe781 in attrmap_to_str selinux/libsepol/src/kernel_to_conf.c:1560:2 > #5 0x4fe781 in write_type_attribute_sets_to_conf selinux/libsepol/src/kernel_to_conf.c:1599:11 > #6 0x4f8098 in sepol_kernel_policydb_to_conf selinux/libsepol/src/kernel_to_conf.c:3182:7 > #7 0x4e0277 in LLVMFuzzerTestOneInput selinux/libsepol/fuzz/binpolicy-fuzzer.c:50:9 > #8 0x4d613b in main > #9 0x7fa2d50260b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16 > #10 0x41d4ed in _start > > Found by oss-fuzz (#44170) > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com> > --- > libsepol/src/kernel_to_common.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/libsepol/src/kernel_to_common.c b/libsepol/src/kernel_to_common.c > index 9f5400c9..dc9e689e 100644 > --- a/libsepol/src/kernel_to_common.c > +++ b/libsepol/src/kernel_to_common.c > @@ -366,6 +366,9 @@ int ebitmap_to_strs(struct ebitmap *map, struct strs *strs, char **val_to_name) > int rc; > > ebitmap_for_each_positive_bit(map, node, i) { > + if (!val_to_name[i]) > + continue; > + > rc = strs_add(strs, val_to_name[i]); > if (rc != 0) { > return -1; > -- > 2.34.1 >
On Wed, Feb 2, 2022 at 3:39 PM James Carter <jwcart2@gmail.com> wrote: > > On Tue, Feb 1, 2022 at 11:31 AM Christian Göttsche > <cgzones@googlemail.com> wrote: > > > > When converting an ebitmap into a string list, skip potential gaps in > > ebitmap_to_strs(). All converting functions like strs_to_str(), > > strs_write_each() and strs_write_each_indented() do already skip NULL > > elements, but sorting such a list will lead to a NULL dereference. > > > > #0 0x432ce5 in strcmp /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:462:25 > > #1 0x4f4893 in strs_cmp selinux/libsepol/src/kernel_to_common.c:258:9 > > #2 0x47b74b in qsort_r /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:9994:7 > > #3 0x4f481d in strs_sort selinux/libsepol/src/kernel_to_common.c:266:2 > > #4 0x4fe781 in attrmap_to_str selinux/libsepol/src/kernel_to_conf.c:1560:2 > > #5 0x4fe781 in write_type_attribute_sets_to_conf selinux/libsepol/src/kernel_to_conf.c:1599:11 > > #6 0x4f8098 in sepol_kernel_policydb_to_conf selinux/libsepol/src/kernel_to_conf.c:3182:7 > > #7 0x4e0277 in LLVMFuzzerTestOneInput selinux/libsepol/fuzz/binpolicy-fuzzer.c:50:9 > > #8 0x4d613b in main > > #9 0x7fa2d50260b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16 > > #10 0x41d4ed in _start > > > > Found by oss-fuzz (#44170) > > > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > > Acked-by: James Carter <jwcart2@gmail.com> > Merged. Thanks, Jim > > --- > > libsepol/src/kernel_to_common.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/libsepol/src/kernel_to_common.c b/libsepol/src/kernel_to_common.c > > index 9f5400c9..dc9e689e 100644 > > --- a/libsepol/src/kernel_to_common.c > > +++ b/libsepol/src/kernel_to_common.c 
> > @@ -366,6 +366,9 @@ int ebitmap_to_strs(struct ebitmap *map, struct strs *strs, char **val_to_name) > > int rc; > > > > ebitmap_for_each_positive_bit(map, node, i) { > > + if (!val_to_name[i]) > > + continue; > > + > > rc = strs_add(strs, val_to_name[i]); > > if (rc != 0) { > > return -1; > > -- > > 2.34.1 > >
diff --git a/libsepol/src/kernel_to_common.c b/libsepol/src/kernel_to_common.c index 9f5400c9..dc9e689e 100644 --- a/libsepol/src/kernel_to_common.c +++ b/libsepol/src/kernel_to_common.c @@ -366,6 +366,9 @@ int ebitmap_to_strs(struct ebitmap *map, struct strs *strs, char **val_to_name) int rc; ebitmap_for_each_positive_bit(map, node, i) { + if (!val_to_name[i]) + continue; + rc = strs_add(strs, val_to_name[i]); if (rc != 0) { return -1;
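Review bot: the new `if (!val_to_name[i]) continue;` guards only this one producer; strs_cmp() (kernel_to_common.c:258 in the trace) still calls strcmp() unconditionally, so any other path that leaves a NULL in a strs list and then calls strs_sort() hits the same dereference. Consider also making strs_cmp() NULL-tolerant (order NULL entries last, which keeps the writers' existing NULL skipping valid), or adding a comment on strs_sort() that the list must contain no NULL entries. Separately, a positive bit whose value has no entry in val_to_name means the bitmap and the name table disagree; skipping it silently is consistent with strs_to_str() and the strs_write_each*() writers named in the commit message, but it would help to state there whether dropping the entry is acceptable for a malformed policy or whether the conversion should fail instead.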
When converting an ebitmap into a string list, skip potential gaps in
ebitmap_to_strs(). All converting functions like strs_to_str(),
strs_write_each() and strs_write_each_indented() do already skip NULL
elements, but sorting such a list will lead to a NULL dereference.

    #0 0x432ce5 in strcmp /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:462:25
    #1 0x4f4893 in strs_cmp selinux/libsepol/src/kernel_to_common.c:258:9
    #2 0x47b74b in qsort_r /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:9994:7
    #3 0x4f481d in strs_sort selinux/libsepol/src/kernel_to_common.c:266:2
    #4 0x4fe781 in attrmap_to_str selinux/libsepol/src/kernel_to_conf.c:1560:2
    #5 0x4fe781 in write_type_attribute_sets_to_conf selinux/libsepol/src/kernel_to_conf.c:1599:11
    #6 0x4f8098 in sepol_kernel_policydb_to_conf selinux/libsepol/src/kernel_to_conf.c:3182:7
    #7 0x4e0277 in LLVMFuzzerTestOneInput selinux/libsepol/fuzz/binpolicy-fuzzer.c:50:9
    #8 0x4d613b in main
    #9 0x7fa2d50260b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
    #10 0x41d4ed in _start

Found by oss-fuzz (#44170)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsepol/src/kernel_to_common.c | 3 +++
 1 file changed, 3 insertions(+)
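The failure mode described in the commit message, reproduced in a stand-alone program. This is an added example, not libsepol code: `struct strs`, `strs_add()`, `strs_join()`, the `val_to_name` table and the bitmask loop are simplified stand-ins for the library's string list, its writers and `ebitmap_for_each_positive_bit()`, and `strs_cmp_safe()` is an alternative hardening that the patch does not apply. The constructed table has a gap at value 2; `sorted_names()` builds the list with either the unpatched or the patched producer, and refuses to sort (returning NULL) where the original code would have handed a NULL entry to `strcmp()`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for libsepol's struct strs: a growable array of
 * borrowed char pointers (not the library's real definition). */
struct strs {
	char **list;
	size_t num, cap;
};

static int strs_add(struct strs *s, char *str)
{
	if (s->num == s->cap) {
		size_t ncap = s->cap ? s->cap * 2 : 4;
		char **n = realloc(s->list, ncap * sizeof(*n));
		if (!n) return -1;
		s->list = n;
		s->cap = ncap;
	}
	s->list[s->num++] = str;
	return 0;
}

/* Comparator shaped like the trace's strs_cmp() -> strcmp(): a NULL entry
 * in the list is dereferenced. */
static int strs_cmp_unsafe(const void *a, const void *b)
{
	return strcmp(*(const char *const *)a, *(const char *const *)b);
}

/* Alternative hardening, not what the patch does: sort NULL entries last so
 * the writers' existing NULL skipping still applies after qsort(). */
static int strs_cmp_safe(const void *a, const void *b)
{
	const char *x = *(const char *const *)a, *y = *(const char *const *)b;
	if (!x) return y ? 1 : 0;
	return y ? strcmp(x, y) : -1;
}

/* Join non-NULL entries with spaces, as the library's writers (which already
 * skip NULL elements) do. */
static void strs_join(const struct strs *s, char *buf, size_t buflen)
{
	size_t off = 0;
	buf[0] = '\0';
	for (size_t i = 0; i < s->num; i++) {
		if (!s->list[i]) continue;
		int n = snprintf(buf + off, buflen - off, "%s%s", off ? " " : "", s->list[i]);
		if (n < 0 || (size_t)n >= buflen - off) return;
		off += (size_t)n;
	}
}

/* Constructed value->name table with a gap: value 2 has no name. */
static char *val_to_name[] = { "user_t", "tmp_t", NULL, "bin_t" };
#define NVALS (sizeof(val_to_name) / sizeof(val_to_name[0]))

/* Bitmask stand-in for ebitmap_for_each_positive_bit(): skip_gaps=0 mirrors
 * the unpatched producer (NULL lands in the list), skip_gaps=1 the patched one. */
static int bits_to_strs(unsigned mask, struct strs *out, int skip_gaps)
{
	for (size_t i = 0; i < NVALS; i++) {
		if (!(mask & (1u << i)) || (skip_gaps && !val_to_name[i])) continue;
		if (strs_add(out, val_to_name[i]) != 0) return -1;
	}
	return 0;
}

/* Build, sort and join into a static buffer. Returns NULL where the original
 * code would hand a NULL entry to strcmp() (the reported crash), refusing
 * to sort instead of dereferencing it. */
const char *sorted_names(unsigned mask, int skip_gaps, int null_safe_cmp)
{
	static char buf[128];
	struct strs s = { 0 };
	if (bits_to_strs(mask, &s, skip_gaps) != 0) return NULL;
	for (size_t i = 0; !null_safe_cmp && i < s.num; i++)
		if (!s.list[i]) {
			free(s.list);
			return NULL;
		}
	qsort(s.list, s.num, sizeof(*s.list),
	      null_safe_cmp ? strs_cmp_safe : strs_cmp_unsafe);
	strs_join(&s, buf, sizeof buf);
	free(s.list);
	return buf;
}

int main(void)
{
	unsigned mask = 0xFu; /* values 0..3 set, including the gap at 2 */
	printf("patched producer:     %s\n", sorted_names(mask, 1, 0));
	printf("NULL-safe comparator: %s\n", sorted_names(mask, 0, 1));
	printf("unpatched + strcmp:   %s\n", sorted_names(mask, 0, 0) ? "sorted" : "refused");
	return 0;
}
```

Either fix on its own removes the crash: skipping gaps at the producer (the patch) keeps NULL out of the list entirely, while a NULL-tolerant comparator lets a list that already contains gaps survive `strs_sort()` and still be written correctly by the NULL-skipping writers. The two are complementary, since only the comparator change covers producers other than `ebitmap_to_strs()`.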