| Message ID | 20211011162533.53404-1-cgzones@googlemail.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | libsepol: add fuzzer for reading binary policies | expand |
This needs to be broken up into three patch sets. 1) libfuzz: patches 1-5 2) policydb_validate improvements: patches 13, 16, 17, 22, 23, 25-31, 33 3) General libsepol fixes: patches 6-12, 14, 15, 18-21, 24, 32, 34, 35 I have some comments on the individual patches which will be coming soon. Thanks, Jim On Mon, Oct 11, 2021 at 12:42 PM Christian Göttsche <cgzones@googlemail.com> wrote: > > Add a libfuzz[1] based fuzzer testing the reading and parsing of binary policy > files. This fuzzer will be run within the OSS-Fuzz service. > > Handle and reject a variety of edge cases causing crashes or resource leaks. > > The fifth patch ("libsepol/fuzz: limit element sizes for fuzzing") needs some > discussion: To avoid oom reports from the fuzzer, caused by huge memory > allocations, all identifiers are limited to a length of 2^16 for the fuzzer > build only. Probably there should be a limit for the release build too. > Is there a specification for the binary policy format saying something about > the maximum length of identifiers? > After a quick look at the kernel sources (most interesting is str_read()) I > could not find any limits either. > > [1]: https://llvm.org/docs/LibFuzzer.html > > Christian Göttsche (35): > cifuzz: enable report-unreproducible-crashes > cifuzz: use the default runtime of 600 seconds > libsepol/fuzz: silence secilc-fuzzer > libsepol: add libfuzz based fuzzer for reading binary policies > libsepol/fuzz: limit element sizes for fuzzing > libsepol: use logging framework in conditional.c > libsepol: use logging framework in ebitmap.c > libsepol: use mallocarray wrapper to avoid overflows > libsepol: use reallocarray wrapper to avoid overflows > libsepol: add checks for read sizes > libsepol: enforce avtab item limit > libsepol: clean memory on conditional read failure > libsepol: validate MLS levels > libsepol: reject invalid fsuse types > libsepol: reject invalid default targets > libsepol: validate expanded user range and level > libsepol: validate types > libsepol: use size_t for indexes in strs helpers > libsepol: reject abnormal huge sid ids > libsepol: do not crash on class gaps > libsepol: do not crash on user gaps > libsepol: validate permission count of classes > libsepol: resolve log message mismatch > libsepol: zero member before potential dereference > libsepol: validate avtab types > libsepol: validate constraint expression operators and attributes > libsepol: validate type of avtab type rules > libsepol: validate ocontexts > libsepol: validate genfs contexts > libsepol: validate permissive types > libsepol: validate policy properties > libsepol: do not underflow on short format arguments > libsepol: validate categories > libsepol: use correct size for initial string list > libsepol: do not create a string list with initial size zero > > .github/workflows/cifuzz.yml | 3 +- > libsepol/fuzz/binpolicy-fuzzer.c | 63 +++++++ > libsepol/fuzz/policy.bin | Bin 0 -> 1552 bytes > libsepol/fuzz/secilc-fuzzer.c | 5 + > libsepol/src/Makefile | 6 + > libsepol/src/avtab.c | 6 + > libsepol/src/conditional.c | 36 ++-- > libsepol/src/ebitmap.c | 27 ++- > libsepol/src/expand.c | 4 +- > libsepol/src/hashtab.c | 4 +- > libsepol/src/kernel_to_cil.c | 10 ++ > libsepol/src/kernel_to_common.c | 23 ++- > libsepol/src/kernel_to_common.h | 4 +- > libsepol/src/kernel_to_conf.c | 13 +- > libsepol/src/link.c | 3 +- > libsepol/src/module.c | 4 +- > libsepol/src/module_to_cil.c | 13 +- > libsepol/src/optimize.c | 11 +- > libsepol/src/policydb.c | 68 +++++++- > libsepol/src/policydb_validate.c | 274 +++++++++++++++++++++++++++++-- > libsepol/src/private.h | 27 ++- > libsepol/src/services.c | 12 +- > libsepol/src/sidtab.c | 3 +- > libsepol/src/user_record.c | 8 +- > libsepol/src/users.c | 12 +- > libsepol/src/util.c | 11 +- > libsepol/src/write.c | 2 +- > scripts/oss-fuzz.sh | 19 ++- > 28 files changed, 556 insertions(+), 115 deletions(-) > create mode 100644 libsepol/fuzz/binpolicy-fuzzer.c > create mode 100644 libsepol/fuzz/policy.bin > > -- > 2.33.0 >
Add a libfuzz[1] based fuzzer testing the reading and parsing of binary policy files. This fuzzer will be run within the OSS-Fuzz service. Handle and reject a variety of edge cases causing crashes or resource leaks. The fifth patch ("libsepol/fuzz: limit element sizes for fuzzing") needs some discussion: To avoid oom reports from the fuzzer, caused by huge memory allocations, all identifiers are limited to a length of 2^16 for the fuzzer build only. Probably there should be a limit for the release build too. Is there a specification for the binary policy format saying something about the maximum length of identifiers? After a quick look at the kernel sources (most interesting is str_read()) I could not find any limits either. [1]: https://llvm.org/docs/LibFuzzer.html Christian Göttsche (35): cifuzz: enable report-unreproducible-crashes cifuzz: use the default runtime of 600 seconds libsepol/fuzz: silence secilc-fuzzer libsepol: add libfuzz based fuzzer for reading binary policies libsepol/fuzz: limit element sizes for fuzzing libsepol: use logging framework in conditional.c libsepol: use logging framework in ebitmap.c libsepol: use mallocarray wrapper to avoid overflows libsepol: use reallocarray wrapper to avoid overflows libsepol: add checks for read sizes libsepol: enforce avtab item limit libsepol: clean memory on conditional read failure libsepol: validate MLS levels libsepol: reject invalid fsuse types libsepol: reject invalid default targets libsepol: validate expanded user range and level libsepol: validate types libsepol: use size_t for indexes in strs helpers libsepol: reject abnormal huge sid ids libsepol: do not crash on class gaps libsepol: do not crash on user gaps libsepol: validate permission count of classes libsepol: resolve log message mismatch libsepol: zero member before potential dereference libsepol: validate avtab types libsepol: validate constraint expression operators and attributes libsepol: validate type of avtab type rules libsepol: validate ocontexts libsepol: validate genfs contexts libsepol: validate permissive types libsepol: validate policy properties libsepol: do not underflow on short format arguments libsepol: validate categories libsepol: use correct size for initial string list libsepol: do not create a string list with initial size zero .github/workflows/cifuzz.yml | 3 +- libsepol/fuzz/binpolicy-fuzzer.c | 63 +++++++ libsepol/fuzz/policy.bin | Bin 0 -> 1552 bytes libsepol/fuzz/secilc-fuzzer.c | 5 + libsepol/src/Makefile | 6 + libsepol/src/avtab.c | 6 + libsepol/src/conditional.c | 36 ++-- libsepol/src/ebitmap.c | 27 ++- libsepol/src/expand.c | 4 +- libsepol/src/hashtab.c | 4 +- libsepol/src/kernel_to_cil.c | 10 ++ libsepol/src/kernel_to_common.c | 23 ++- libsepol/src/kernel_to_common.h | 4 +- libsepol/src/kernel_to_conf.c | 13 +- libsepol/src/link.c | 3 +- libsepol/src/module.c | 4 +- libsepol/src/module_to_cil.c | 13 +- libsepol/src/optimize.c | 11 +- libsepol/src/policydb.c | 68 +++++++- libsepol/src/policydb_validate.c | 274 +++++++++++++++++++++++++++++-- libsepol/src/private.h | 27 ++- libsepol/src/services.c | 12 +- libsepol/src/sidtab.c | 3 +- libsepol/src/user_record.c | 8 +- libsepol/src/users.c | 12 +- libsepol/src/util.c | 11 +- libsepol/src/write.c | 2 +- scripts/oss-fuzz.sh | 19 ++- 28 files changed, 556 insertions(+), 115 deletions(-) create mode 100644 libsepol/fuzz/binpolicy-fuzzer.c create mode 100644 libsepol/fuzz/policy.bin