| Message ID | 20231208151831.48343-1-cgzones@googlemail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Delegated to: | Petr Lautrbach |
| Headers | show |
| Series | libsepol: validate common classes in scope indices | expand |
On Fri, Dec 8, 2023 at 10:19 AM Christian Göttsche <cgzones@googlemail.com> wrote: > > Validate common classes inside scope indices similar to all other symbol > table types. > > Reported-by: oss-fuzz (issue 64849) > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > --- > This probably also resolves issue 64854, which I could not reproduce > locally. > --- > libsepol/include/sepol/policydb/policydb.h | 1 + > libsepol/src/policydb_validate.c | 2 ++ > 2 files changed, 3 insertions(+) > > diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h > index 6682069e..658b25d4 100644 > --- a/libsepol/include/sepol/policydb/policydb.h > +++ b/libsepol/include/sepol/policydb/policydb.h > @@ -430,6 +430,7 @@ typedef struct genfs { > * subtract one) into the global policydb->scope array. */ > typedef struct scope_index { > ebitmap_t scope[SYM_NUM]; > +#define p_commons_scope scope[SYM_COMMONS] > #define p_classes_scope scope[SYM_CLASSES] > #define p_roles_scope scope[SYM_ROLES] > #define p_types_scope scope[SYM_TYPES] > diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c > index bd8e9f8f..4919f674 100644 > --- a/libsepol/src/policydb_validate.c > +++ b/libsepol/src/policydb_validate.c > @@ -1344,6 +1344,8 @@ bad: > > static int validate_scope_index(sepol_handle_t *handle, const scope_index_t *scope_index, validate_t flavors[]) > { > + if (validate_ebitmap(&scope_index->p_commons_scope, &flavors[SYM_COMMONS])) > + goto bad; As far as I know, there will never be any commons in the scope index, so it would be better to just check that it is empty. Thanks, Jim > if (validate_ebitmap(&scope_index->p_classes_scope, &flavors[SYM_CLASSES])) > goto bad; > if (validate_ebitmap(&scope_index->p_roles_scope, &flavors[SYM_ROLES])) > -- > 2.43.0 > >
diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h index 6682069e..658b25d4 100644 --- a/libsepol/include/sepol/policydb/policydb.h +++ b/libsepol/include/sepol/policydb/policydb.h @@ -430,6 +430,7 @@ typedef struct genfs { * subtract one) into the global policydb->scope array. */ typedef struct scope_index { ebitmap_t scope[SYM_NUM]; +#define p_commons_scope scope[SYM_COMMONS] #define p_classes_scope scope[SYM_CLASSES] #define p_roles_scope scope[SYM_ROLES] #define p_types_scope scope[SYM_TYPES] diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c index bd8e9f8f..4919f674 100644 --- a/libsepol/src/policydb_validate.c +++ b/libsepol/src/policydb_validate.c @@ -1344,6 +1344,8 @@ bad: static int validate_scope_index(sepol_handle_t *handle, const scope_index_t *scope_index, validate_t flavors[]) { + if (validate_ebitmap(&scope_index->p_commons_scope, &flavors[SYM_COMMONS])) + goto bad; if (validate_ebitmap(&scope_index->p_classes_scope, &flavors[SYM_CLASSES])) goto bad; if (validate_ebitmap(&scope_index->p_roles_scope, &flavors[SYM_ROLES]))
Validate common classes inside scope indices similar to all other symbol table types. Reported-by: oss-fuzz (issue 64849) Signed-off-by: Christian Göttsche <cgzones@googlemail.com> --- This probably also resolves issue 64854, which I could not reproduce locally. --- libsepol/include/sepol/policydb/policydb.h | 1 + libsepol/src/policydb_validate.c | 2 ++ 2 files changed, 3 insertions(+)