From patchwork Mon Aug 8 16:44:14 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Roberts, William C"
X-Patchwork-Id: 9268749
From: william.c.roberts@intel.com
To: selinux@tycho.nsa.gov, seandroid-list@tycho.nsa.gov, sds@tycho.nsa.gov
Subject: [PATCH] libsepol: fix invalid read when policy file is corrupt
Date: Mon, 8 Aug 2016 09:44:14 -0700
Message-Id: <1470674654-13930-1-git-send-email-william.c.roberts@intel.com>
X-Mailer: git-send-email 1.9.1
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

From: William Roberts

AFL Found this bug:
==6523== Invalid read of size 8
==6523==    at 0x4166B4: type_set_expand (expand.c:2508)
==6523==    by 0x43A0B8: policydb_role_cache (policydb.c:790)
==6523==    by 0x41CD70: hashtab_map (hashtab.c:235)
==6523==    by 0x43AC9E: policydb_index_others (policydb.c:1103)
==6523==    by 0x441B14: policydb_read (policydb.c:3888)
==6523==    by 0x442A1F: sepol_policydb_read (policydb_public.c:174)
==6523==    by 0x407ED4: init (check_seapp.c:885)
==6523==    by 0x408D97: main (check_seapp.c:1231)

This occurs when the type_val_to_struct[] mapping array doesn't contain
the type indicated in the ebitmap.

Signed-off-by: William Roberts
--- libsepol/src/expand.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index 9cb7965..4d3c623 100644 --- a/libsepol/src/expand.c +++ b/libsepol/src/expand.c @@ -2505,6 +2505,14 @@ int type_set_expand(type_set_t * set, ebitmap_t * t, policydb_t * p, /* First go through the types and OR all the attributes to types */ ebitmap_for_each_bit(&set->types, tnode, i) { if (ebitmap_node_get_bit(tnode, i)) { + + /* + * invalid policies might have more types set in the ebitmap than + * what's available in the type_val_to_struct mapping + */ + if (i > p->p_types.nprim - 1) + return -1; + if (p->type_val_to_struct[i]->flavor == TYPE_ATTRIB) { if (ebitmap_union
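
Review bot: The bounds check added ahead of `p->type_val_to_struct[i]->flavor` only rejects an `i` beyond `p->p_types.nprim`; an in-range `i` whose `type_val_to_struct[i]` slot is NULL would still be dereferenced on the very next line, and the commit message describes the fault as the mapping array not containing the type, which an empty slot also satisfies. Consider `if (i >= p->p_types.nprim || !p->type_val_to_struct[i]) return -1;`. Writing the comparison as `i >= p->p_types.nprim` also avoids relying on `nprim - 1`, which would wrap if `nprim` is an unsigned count and a corrupt policy sets it to 0. The bare `return -1` gives the caller no indication of why expansion failed; an error message naming the offending type index would help whoever triages the corrupt policy file.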