| Message ID | 20211209164928.87459-1-cgzones@googlemail.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | libsepol: add fuzzer for reading binary policies | expand |
On Thu, Dec 9, 2021 at 2:07 PM Christian Göttsche <cgzones@googlemail.com> wrote: > > Add a libfuzz[1] based fuzzer testing the reading and parsing of binary policy > files. This fuzzer will be run within the OSS-Fuzz service. > > Handle and reject a variety of edge cases causing crashes or resource leaks. > > The fifth patch ("libsepol/fuzz: limit element sizes for fuzzing") limits, to > avoid oom reports from the fuzzer, caused by huge memory allocations, all > identifiers to a length of 2^16 for the fuzzer build only. > A potential limit for the release build needs further discussion. > > [1]: https://llvm.org/docs/LibFuzzer.html > > v3: > - Drop RFC status > - [10] libsepol: add checks for read sizes > use PERM_SYMTAB_SIZE instead of bare 32 as limit > - [11] libsepol: enforce avtab item limit > take zero based numbering of variable items into account > - [30] libsepol: validate ocontexts > only check FS and NETIF ocons in selinux policies (not xen) > > v2: > - reorder patches > 1. oss-fuzz related > 2. libsepol parsing and other crashesand UB > 3. enhance policy validation > - misc changes based on review by James Carter > > > Christian Göttsche (36): > cifuzz: enable report-unreproducible-crashes > cifuzz: use the default runtime of 600 seconds > libsepol/fuzz: silence secilc-fuzzer > libsepol: add libfuzz based fuzzer for reading binary policies > libsepol/fuzz: limit element sizes for fuzzing > libsepol: use logging framework in conditional.c > libsepol: use logging framework in ebitmap.c > libsepol: use mallocarray wrapper to avoid overflows > libsepol: use reallocarray wrapper to avoid overflows > libsepol: add checks for read sizes > libsepol: enforce avtab item limit > libsepol: clean memory on conditional insertion failure > libsepol: reject abnormal huge sid ids > libsepol: reject invalid filetrans source type > libsepol: zero member before potential dereference > libsepol: use size_t for indexes in strs helpers > libsepol: do not underflow on short format arguments > libsepol: do not crash on class gaps > libsepol: do not crash on user gaps > libsepol: use correct size for initial string list > libsepol: do not create a string list with initial size zero > libsepol: split validation of datum array gaps and entries > libsepol: validate MLS levels > libsepol: validate expanded user range and level > libsepol: validate permission count of classes > libsepol: resolve log message mismatch > libsepol: validate avtab and avrule types > libsepol: validate constraint expression operators and attributes > libsepol: validate type of avtab type rules > libsepol: validate ocontexts > libsepol: validate genfs contexts > libsepol: validate permissive types > libsepol: validate policy properties > libsepol: validate categories > libsepol: validate fsuse types > libsepol: validate class default targets > > .github/workflows/cifuzz.yml | 3 +- > libsepol/fuzz/binpolicy-fuzzer.c | 63 ++++ > libsepol/fuzz/policy.bin | Bin 0 -> 1552 bytes > libsepol/fuzz/secilc-fuzzer.c | 5 + > libsepol/src/Makefile | 6 + > libsepol/src/avtab.c | 6 + > libsepol/src/conditional.c | 53 ++-- > libsepol/src/ebitmap.c | 27 +- > libsepol/src/expand.c | 4 +- > libsepol/src/hashtab.c | 4 +- > libsepol/src/kernel_to_cil.c | 10 + > libsepol/src/kernel_to_common.c | 23 +- > libsepol/src/kernel_to_common.h | 4 +- > libsepol/src/kernel_to_conf.c | 13 +- > libsepol/src/link.c | 3 +- > libsepol/src/module.c | 4 +- > libsepol/src/module_to_cil.c | 13 +- > libsepol/src/optimize.c | 11 +- > libsepol/src/policydb.c | 27 +- > libsepol/src/policydb_validate.c | 477 +++++++++++++++++++++++++++---- > libsepol/src/private.h | 27 +- > libsepol/src/services.c | 12 +- > libsepol/src/sidtab.c | 3 +- > libsepol/src/user_record.c | 8 +- > libsepol/src/users.c | 12 +- > libsepol/src/util.c | 11 +- > libsepol/src/write.c | 2 +- > scripts/oss-fuzz.sh | 17 +- > 28 files changed, 686 insertions(+), 162 deletions(-) > create mode 100644 libsepol/fuzz/binpolicy-fuzzer.c > create mode 100644 libsepol/fuzz/policy.bin > > -- > 2.34.1 > For the series: Acked-by: James Carter <jwcart2@gmail.com> As I noted, I will move the comment out of the expression when I apply patch 11. Thanks, Jim
On Wed, Dec 15, 2021 at 12:41 PM James Carter <jwcart2@gmail.com> wrote: > > On Thu, Dec 9, 2021 at 2:07 PM Christian Göttsche > <cgzones@googlemail.com> wrote: > > > > Add a libfuzz[1] based fuzzer testing the reading and parsing of binary policy > > files. This fuzzer will be run within the OSS-Fuzz service. > > > > Handle and reject a variety of edge cases causing crashes or resource leaks. > > > > The fifth patch ("libsepol/fuzz: limit element sizes for fuzzing") limits, to > > avoid oom reports from the fuzzer, caused by huge memory allocations, all > > identifiers to a length of 2^16 for the fuzzer build only. > > A potential limit for the release build needs further discussion. > > > > [1]: https://llvm.org/docs/LibFuzzer.html > > > > v3: > > - Drop RFC status > > - [10] libsepol: add checks for read sizes > > use PERM_SYMTAB_SIZE instead of bare 32 as limit > > - [11] libsepol: enforce avtab item limit > > take zero based numbering of variable items into account > > - [30] libsepol: validate ocontexts > > only check FS and NETIF ocons in selinux policies (not xen) > > > > v2: > > - reorder patches > > 1. oss-fuzz related > > 2. libsepol parsing and other crashesand UB > > 3. enhance policy validation > > - misc changes based on review by James Carter > > > > > > Christian Göttsche (36): > > cifuzz: enable report-unreproducible-crashes > > cifuzz: use the default runtime of 600 seconds > > libsepol/fuzz: silence secilc-fuzzer > > libsepol: add libfuzz based fuzzer for reading binary policies > > libsepol/fuzz: limit element sizes for fuzzing > > libsepol: use logging framework in conditional.c > > libsepol: use logging framework in ebitmap.c > > libsepol: use mallocarray wrapper to avoid overflows > > libsepol: use reallocarray wrapper to avoid overflows > > libsepol: add checks for read sizes > > libsepol: enforce avtab item limit > > libsepol: clean memory on conditional insertion failure > > libsepol: reject abnormal huge sid ids > > libsepol: reject invalid filetrans source type > > libsepol: zero member before potential dereference > > libsepol: use size_t for indexes in strs helpers > > libsepol: do not underflow on short format arguments > > libsepol: do not crash on class gaps > > libsepol: do not crash on user gaps > > libsepol: use correct size for initial string list > > libsepol: do not create a string list with initial size zero > > libsepol: split validation of datum array gaps and entries > > libsepol: validate MLS levels > > libsepol: validate expanded user range and level > > libsepol: validate permission count of classes > > libsepol: resolve log message mismatch > > libsepol: validate avtab and avrule types > > libsepol: validate constraint expression operators and attributes > > libsepol: validate type of avtab type rules > > libsepol: validate ocontexts > > libsepol: validate genfs contexts > > libsepol: validate permissive types > > libsepol: validate policy properties > > libsepol: validate categories > > libsepol: validate fsuse types > > libsepol: validate class default targets > > > > .github/workflows/cifuzz.yml | 3 +- > > libsepol/fuzz/binpolicy-fuzzer.c | 63 ++++ > > libsepol/fuzz/policy.bin | Bin 0 -> 1552 bytes > > libsepol/fuzz/secilc-fuzzer.c | 5 + > > libsepol/src/Makefile | 6 + > > libsepol/src/avtab.c | 6 + > > libsepol/src/conditional.c | 53 ++-- > > libsepol/src/ebitmap.c | 27 +- > > libsepol/src/expand.c | 4 +- > > libsepol/src/hashtab.c | 4 +- > > libsepol/src/kernel_to_cil.c | 10 + > > libsepol/src/kernel_to_common.c | 23 +- > > libsepol/src/kernel_to_common.h | 4 +- > > libsepol/src/kernel_to_conf.c | 13 +- > > libsepol/src/link.c | 3 +- > > libsepol/src/module.c | 4 +- > > libsepol/src/module_to_cil.c | 13 +- > > libsepol/src/optimize.c | 11 +- > > libsepol/src/policydb.c | 27 +- > > libsepol/src/policydb_validate.c | 477 +++++++++++++++++++++++++++---- > > libsepol/src/private.h | 27 +- > > libsepol/src/services.c | 12 +- > > libsepol/src/sidtab.c | 3 +- > > libsepol/src/user_record.c | 8 +- > > libsepol/src/users.c | 12 +- > > libsepol/src/util.c | 11 +- > > libsepol/src/write.c | 2 +- > > scripts/oss-fuzz.sh | 17 +- > > 28 files changed, 686 insertions(+), 162 deletions(-) > > create mode 100644 libsepol/fuzz/binpolicy-fuzzer.c > > create mode 100644 libsepol/fuzz/policy.bin > > > > -- > > 2.34.1 > > > > For the series: > Acked-by: James Carter <jwcart2@gmail.com> > > As I noted, I will move the comment out of the expression when I apply patch 11. > > Thanks, > Jim This series has been merged. Thanks, Jim
Add a libfuzz[1] based fuzzer testing the reading and parsing of binary policy files. This fuzzer will be run within the OSS-Fuzz service. Handle and reject a variety of edge cases causing crashes or resource leaks. The fifth patch ("libsepol/fuzz: limit element sizes for fuzzing") limits, to avoid oom reports from the fuzzer, caused by huge memory allocations, all identifiers to a length of 2^16 for the fuzzer build only. A potential limit for the release build needs further discussion. [1]: https://llvm.org/docs/LibFuzzer.html v3: - Drop RFC status - [10] libsepol: add checks for read sizes use PERM_SYMTAB_SIZE instead of bare 32 as limit - [11] libsepol: enforce avtab item limit take zero based numbering of variable items into account - [30] libsepol: validate ocontexts only check FS and NETIF ocons in selinux policies (not xen) v2: - reorder patches 1. oss-fuzz related 2. libsepol parsing and other crashesand UB 3. enhance policy validation - misc changes based on review by James Carter Christian Göttsche (36): cifuzz: enable report-unreproducible-crashes cifuzz: use the default runtime of 600 seconds libsepol/fuzz: silence secilc-fuzzer libsepol: add libfuzz based fuzzer for reading binary policies libsepol/fuzz: limit element sizes for fuzzing libsepol: use logging framework in conditional.c libsepol: use logging framework in ebitmap.c libsepol: use mallocarray wrapper to avoid overflows libsepol: use reallocarray wrapper to avoid overflows libsepol: add checks for read sizes libsepol: enforce avtab item limit libsepol: clean memory on conditional insertion failure libsepol: reject abnormal huge sid ids libsepol: reject invalid filetrans source type libsepol: zero member before potential dereference libsepol: use size_t for indexes in strs helpers libsepol: do not underflow on short format arguments libsepol: do not crash on class gaps libsepol: do not crash on user gaps libsepol: use correct size for initial string list libsepol: do not create a string list with initial size zero libsepol: split validation of datum array gaps and entries libsepol: validate MLS levels libsepol: validate expanded user range and level libsepol: validate permission count of classes libsepol: resolve log message mismatch libsepol: validate avtab and avrule types libsepol: validate constraint expression operators and attributes libsepol: validate type of avtab type rules libsepol: validate ocontexts libsepol: validate genfs contexts libsepol: validate permissive types libsepol: validate policy properties libsepol: validate categories libsepol: validate fsuse types libsepol: validate class default targets .github/workflows/cifuzz.yml | 3 +- libsepol/fuzz/binpolicy-fuzzer.c | 63 ++++ libsepol/fuzz/policy.bin | Bin 0 -> 1552 bytes libsepol/fuzz/secilc-fuzzer.c | 5 + libsepol/src/Makefile | 6 + libsepol/src/avtab.c | 6 + libsepol/src/conditional.c | 53 ++-- libsepol/src/ebitmap.c | 27 +- libsepol/src/expand.c | 4 +- libsepol/src/hashtab.c | 4 +- libsepol/src/kernel_to_cil.c | 10 + libsepol/src/kernel_to_common.c | 23 +- libsepol/src/kernel_to_common.h | 4 +- libsepol/src/kernel_to_conf.c | 13 +- libsepol/src/link.c | 3 +- libsepol/src/module.c | 4 +- libsepol/src/module_to_cil.c | 13 +- libsepol/src/optimize.c | 11 +- libsepol/src/policydb.c | 27 +- libsepol/src/policydb_validate.c | 477 +++++++++++++++++++++++++++---- libsepol/src/private.h | 27 +- libsepol/src/services.c | 12 +- libsepol/src/sidtab.c | 3 +- libsepol/src/user_record.c | 8 +- libsepol/src/users.c | 12 +- libsepol/src/util.c | 11 +- libsepol/src/write.c | 2 +- scripts/oss-fuzz.sh | 17 +- 28 files changed, 686 insertions(+), 162 deletions(-) create mode 100644 libsepol/fuzz/binpolicy-fuzzer.c create mode 100644 libsepol/fuzz/policy.bin