From patchwork Mon Aug 15 15:59:12 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Roberts, William C" X-Patchwork-Id: 9281611 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 9B89F607FD for ; Mon, 15 Aug 2016 16:53:02 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8996028DE8 for ; Mon, 15 Aug 2016 16:53:02 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 7E6B328DF1; Mon, 15 Aug 2016 16:53:02 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=2.0 tests=BAYES_00 autolearn=ham version=3.3.1 Received: from emsm-gh1-uea10.nsa.gov (smtp.nsa.gov [8.44.101.8]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 74E0F28DE8 for ; Mon, 15 Aug 2016 16:52:58 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.28,526,1464652800"; d="scan'208";a="16602953" IronPort-PHdr: =?us-ascii?q?9a23=3A6G+QaRDZ5FcC323/KaxZUyQJP3N1i/DPJgcQr6Af?= =?us-ascii?q?oPdwSP/4rsbcNUDSrc9gkEXOFd2CrakV0qyP7uu5ATFIoc7Y9itTKNoUD15NoP?= =?us-ascii?q?5VtjRoONSCB0z/IayiRA0BN+MGamVY+WqmO1NeAsf0ag6aiHSz6TkPBke3blIt?= =?us-ascii?q?dazLE4Lfx/66y/q1s8WKJV4Z3XzkPPgrdEj+7V2I8JJH2c06cud54yCKi0MAQ/?= =?us-ascii?q?5Ry2JsKADbtDfHzeD0wqRe9T9Nsekq7c9KXPayVa05SbtFEGZuaDhtt4XWrx2L?= =?us-ascii?q?cS+jrjtZCz1XwVJ0BF3e4RX7WIrhmjfrvep6ni+BNIv5Sq5wETa95K5xVEXAlD?= =?us-ascii?q?YMNzl/9nrezMN3kuYTux+ooRBlxI/YJYWUL+ZWYrLWfdRcQ3FIGMlWSWgJGY+n?= =?us-ascii?q?R5ceBOoGe+BDps/yoEVdgwG5AFyzBefryzZNwHSwx6ow3v49CinH2hAtG5QFt3?= =?us-ascii?q?GH/53OKK4OXLXtn+HzxjLZYqYTgG/w?= X-IPAS-Result: =?us-ascii?q?A2EmDABS8rFX/wHyM5BeGgEBAQGDJ1Z8pxofAZN7HQOBdoV?= =?us-ascii?q?bTAEBAQEBAQECAQJbJ4IyBAMRfVs9AgQBAiQTFCAOAwkBARcIIQgIAwEtFREHB?= =?us-ascii?q?wsFGASIEL19CwEBASOIKoZfEQGFdwWIKIVzdYoujxYCiWqFV4hQh19UhBpOAYV?= =?us-ascii?q?tgTYBAQE?= Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1]) by emsm-gh1-uea10.nsa.gov with ESMTP; 15 Aug 2016 16:50:39 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u7FGnhPu011117; Mon, 15 Aug 2016 12:50:11 -0400 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id u7FFxf5f198320 for ; Mon, 15 Aug 2016 11:59:41 -0400 Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u7FFxUNM005172; Mon, 15 Aug 2016 11:59:40 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A1DHBADi5bFX/yNjr8ZeGgEBAQGDJ1Z8ty2EDByGAQKBTkwBAQEBAQEBAl6FBgIEJ1IQIDFXBxKIMb1tAQEBAQEFAQEBASOIKoxoBYgohXN1ii6PFgKPQYhQh19UhBocMgGHIwEBAQ X-IPAS-Result: A1DHBADi5bFX/yNjr8ZeGgEBAQGDJ1Z8ty2EDByGAQKBTkwBAQEBAQEBAl6FBgIEJ1IQIDFXBxKIMb1tAQEBAQEFAQEBASOIKoxoBYgohXN1ii6PFgKPQYhQh19UhBocMgGHIwEBAQ X-IronPort-AV: E=Sophos;i="5.28,525,1464667200"; d="scan'208";a="5645660" Received: from emsm-gh1-uea11.corp.nsa.gov (HELO emsm-gh1-uea11.nsa.gov) ([10.208.41.37]) by goalie.tycho.ncsc.mil with ESMTP; 15 Aug 2016 11:59:35 -0400 IronPort-PHdr: =?us-ascii?q?9a23=3AeP66Gxxpar8w+UHXCy+O+j09IxM/srCxBDY+r6Qd?= =?us-ascii?q?0O4SIJqq85mqBkHD//Il1AaPBtSCrasZwLuN++C4ACpbsM7H6ChDOLV3FDY9wf?= =?us-ascii?q?0MmAIhBMPXQWbaF9XNKxIAIcJZSVV+9Gu6O0UGUOz3ZlnVv2HgpWVKQka3CwN5?= =?us-ascii?q?K6zPF5LIiIzvjqbpqsSVOlgD1WH1Iesrak7n9UOJ7oheqLAhA5558gHOrHpMdr?= =?us-ascii?q?Ye7kJTDnXXoSzB4Nyt9oVo6SVatqFp3cdBVaLnY/ZwFuQAX3wOelo478zztBTF?= =?us-ascii?q?URDHpj5FCj1XwVJ0BF3e4RX7WIrhmjfrvep6ni+BNIv5Sq5wETa95K5xVEXAlD?= =?us-ascii?q?YMNzl/9nrezMN3kuYTux+ooRBlxI/YJYWUL+ZWYrLWfdRcQ3FIGMlWSWgJGY+n?= =?us-ascii?q?R5ceBOoGe+BDps/yoEVdgwG5AFyzBefryzZNwHSwx6ow3v49CinH2hAtG5QFt3?= =?us-ascii?q?GH/53OKK4OXLXtn+HzxjLZYqYTgG+l5Q=3D=3D?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0EdDAAe5rFX/yNjr8ZeGgEBAQGDJ1Z8p?= =?us-ascii?q?xofAY9zhAwchgECgU5MAQEBAQEBAQIBAlsngjIEARMBghQCBCdSECAxVwcSiDG?= =?us-ascii?q?9bgEBAQEBBQEBAQEBIogqjGgFiCiFc3WKLo8WAo9BiFCHX1SEGhwyAYcjAQEB?= X-IPAS-Result: =?us-ascii?q?A0EdDAAe5rFX/yNjr8ZeGgEBAQGDJ1Z8pxofAY9zhAwchgE?= =?us-ascii?q?CgU5MAQEBAQEBAQIBAlsngjIEARMBghQCBCdSECAxVwcSiDG9bgEBAQEBBQEBA?= =?us-ascii?q?QEBIogqjGgFiCiFc3WKLo8WAo9BiFCHX1SEGhwyAYcjAQEB?= X-IronPort-AV: E=Sophos;i="5.28,525,1464652800"; d="scan'208";a="18475758" Received: from fmsmga002-icc.fm.intel.com ([198.175.99.35]) by emsm-gh1-uea11.nsa.gov with ESMTP; 15 Aug 2016 15:59:22 +0000 Received: from orsmga001.jf.intel.com ([10.7.209.18]) by fmsmga002-icc.fm.intel.com with ESMTP; 15 Aug 2016 08:59:19 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos; i="5.28,525,1464678000"; d="scan'208"; a="1014647699" Received: from hkramach-mobl1.amr.corp.intel.com (HELO wcrobert-MOBL1.amr.corp.intel.com) ([10.254.184.14]) by orsmga001.jf.intel.com with ESMTP; 15 Aug 2016 08:59:18 -0700 From: william.c.roberts@intel.com To: selinux@tycho.nsa.gov, jwcart2@tycho.nsa.gov, seandroid-list@tycho.nsa.gov, sds@tycho.nsa.gov Subject: [PATCH v3 5/7] libsepol: fix overflow and 0 length allocations Date: Mon, 15 Aug 2016 08:59:12 -0700 Message-Id: <1471276754-25266-6-git-send-email-william.c.roberts@intel.com> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1471276754-25266-1-git-send-email-william.c.roberts@intel.com> References: <1471276754-25266-1-git-send-email-william.c.roberts@intel.com> X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: MIME-Version: 1.0 Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP From: William Roberts Throughout libsepol, values taken from sepolicy are used in places where length == 0 or length == matter, find and fix these. Also, correct any type mismatches noticed along the way. Signed-off-by: William Roberts --- libsepol/src/conditional.c | 3 ++- libsepol/src/context.c | 16 ++++++++----- libsepol/src/context_record.c | 52 ++++++++++++++++++++++++------------------- libsepol/src/module.c | 13 +++++++++++ libsepol/src/module_to_cil.c | 4 +++- libsepol/src/policydb.c | 52 ++++++++++++++++++++++++++++++++++++++++--- libsepol/src/private.h | 3 +++ 7 files changed, 110 insertions(+), 33 deletions(-) diff --git a/libsepol/src/conditional.c b/libsepol/src/conditional.c index ea47cdd..8680eb2 100644 --- a/libsepol/src/conditional.c +++ b/libsepol/src/conditional.c @@ -589,7 +589,8 @@ int cond_read_bool(policydb_t * p, goto err; len = le32_to_cpu(buf[2]); - + if (zero_or_saturated(len)) + goto err; key = malloc(len + 1); if (!key) goto err; diff --git a/libsepol/src/context.c b/libsepol/src/context.c index 84dad34..39552f2 100644 --- a/libsepol/src/context.c +++ b/libsepol/src/context.c @@ -10,6 +10,7 @@ #include "context.h" #include "handle.h" #include "mls.h" +#include "private.h" /* ----- Compatibility ---- */ int policydb_context_isvalid(const policydb_t * p, const context_struct_t * c) @@ -297,10 +298,18 @@ int context_from_string(sepol_handle_t * handle, char *con_cpy = NULL; sepol_context_t *ctx_record = NULL; + if (zero_or_saturated(con_str_len)) { + ERR(handle, "Invalid context length"); + goto err; + } + /* sepol_context_from_string expects a NULL-terminated string */ con_cpy = malloc(con_str_len + 1); - if (!con_cpy) - goto omem; + if (!con_cpy) { + ERR(handle, "out of memory"); + goto err; + } + memcpy(con_cpy, con_str, con_str_len); con_cpy[con_str_len] = '\0'; @@ -315,9 +324,6 @@ int context_from_string(sepol_handle_t * handle, sepol_context_free(ctx_record); return STATUS_SUCCESS; - omem: - ERR(handle, "out of memory"); - err: ERR(handle, "could not create context structure"); free(con_cpy); diff --git a/libsepol/src/context_record.c b/libsepol/src/context_record.c index ac2884a..fdf60a0 100644 --- a/libsepol/src/context_record.c +++ b/libsepol/src/context_record.c @@ -5,6 +5,7 @@ #include "context_internal.h" #include "debug.h" +#include "private.h" struct sepol_context { @@ -284,39 +285,44 @@ int sepol_context_to_string(sepol_handle_t * handle, { int rc; - const int user_sz = strlen(con->user); - const int role_sz = strlen(con->role); - const int type_sz = strlen(con->type); - const int mls_sz = (con->mls) ? strlen(con->mls) : 0; - const int total_sz = user_sz + role_sz + type_sz + - mls_sz + ((con->mls) ? 3 : 2); - - char *str = (char *)malloc(total_sz + 1); - if (!str) - goto omem; + char *str = NULL; + const size_t user_sz = strlen(con->user); + const size_t role_sz = strlen(con->role); + const size_t type_sz = strlen(con->type); + const size_t mls_sz = (con->mls) ? strlen(con->mls) : 0; + const size_t total_sz = user_sz + role_sz + type_sz + + mls_sz + ((con->mls) ? 3 : 2) + 1; + + if (zero_or_saturated(total_sz)) { + ERR(handle, "invalid size"); + goto err; + } + str = (char *)malloc(total_sz); + if (!str) { + ERR(handle, "out of memory"); + goto err; + } if (con->mls) { - rc = snprintf(str, total_sz + 1, "%s:%s:%s:%s", + rc = snprintf(str, total_sz, "%s:%s:%s:%s", con->user, con->role, con->type, con->mls); - if (rc < 0 || (rc >= total_sz + 1)) { - ERR(handle, "print error"); - goto err; - } } else { - rc = snprintf(str, total_sz + 1, "%s:%s:%s", + rc = snprintf(str, total_sz, "%s:%s:%s", con->user, con->role, con->type); - if (rc < 0 || (rc >= total_sz + 1)) { - ERR(handle, "print error"); - goto err; - } + } + + /* + * rc is >= 0 on the size_t cast and is safe to promote + * to an unsigned value. + */ + if (rc < 0 || (size_t)rc >= total_sz) { + ERR(handle, "print error"); + goto err; } *str_ptr = str; return STATUS_SUCCESS; - omem: - ERR(handle, "out of memory"); - err: ERR(handle, "could not convert context to string"); free(str); diff --git a/libsepol/src/module.c b/libsepol/src/module.c index 1665ede..f25df95 100644 --- a/libsepol/src/module.c +++ b/libsepol/src/module.c @@ -30,6 +30,7 @@ #include #include #include +#include #define SEPOL_PACKAGE_SECTION_FC 0xf97cff90 #define SEPOL_PACKAGE_SECTION_SEUSER 0x97cff91 @@ -793,6 +794,12 @@ int sepol_module_package_info(struct sepol_policy_file *spf, int *type, goto cleanup; } len = le32_to_cpu(buf[0]); + if (zero_or_saturated(len)) { + ERR(file->handle, + "invalid module name length: 0x%"PRIx32, + len); + goto cleanup; + } *name = malloc(len + 1); if (!*name) { ERR(file->handle, "out of memory"); @@ -814,6 +821,12 @@ int sepol_module_package_info(struct sepol_policy_file *spf, int *type, goto cleanup; } len = le32_to_cpu(buf[0]); + if (zero_or_saturated(len)) { + ERR(file->handle, + "invalid module version length: 0x%"PRIx32, + len); + goto cleanup; + } *version = malloc(len + 1); if (!*version) { ERR(file->handle, "out of memory"); diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index 36f3b7d..fc65019 100644 --- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c @@ -47,6 +47,8 @@ #include #include +#include "private.h" + #ifdef __GNUC__ # define UNUSED(x) UNUSED_ ## x __attribute__((__unused__)) #else @@ -124,7 +126,7 @@ static int get_line(char **start, char *end, char **line) for (len = 0; p < end && *p != '\n' && *p != '\0'; p++, len++); - if (len == 0) { + if (zero_or_saturated(len)) { rc = 0; goto exit; } diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c index 971793d..604e022 100644 --- a/libsepol/src/policydb.c +++ b/libsepol/src/policydb.c @@ -1911,6 +1911,9 @@ static int perm_read(policydb_t * p goto bad; len = le32_to_cpu(buf[0]); + if (zero_or_saturated(len)) + goto bad; + perdatum->s.value = le32_to_cpu(buf[1]); key = malloc(len + 1); @@ -1949,6 +1952,9 @@ static int common_read(policydb_t * p, hashtab_t h, struct policy_file *fp) goto bad; len = le32_to_cpu(buf[0]); + if (zero_or_saturated(len)) + goto bad; + comdatum->s.value = le32_to_cpu(buf[1]); if (symtab_init(&comdatum->permissions, PERM_SYMTAB_SIZE)) @@ -2092,7 +2098,11 @@ static int class_read(policydb_t * p, hashtab_t h, struct policy_file *fp) goto bad; len = le32_to_cpu(buf[0]); + if (zero_or_saturated(len)) + goto bad; len2 = le32_to_cpu(buf[1]); + if (is_saturated(len2)) + goto bad; cladatum->s.value = le32_to_cpu(buf[2]); if (symtab_init(&cladatum->permissions, PERM_SYMTAB_SIZE)) @@ -2199,6 +2209,9 @@ static int role_read(policydb_t * p, hashtab_t h, struct policy_file *fp) goto bad; len = le32_to_cpu(buf[0]); + if (zero_or_saturated(len)) + goto bad; + role->s.value = le32_to_cpu(buf[1]); if (policydb_has_boundary_feature(p)) role->bounds = le32_to_cpu(buf[2]); @@ -2287,6 +2300,9 @@ static int type_read(policydb_t * p, hashtab_t h, struct policy_file *fp) goto bad; len = le32_to_cpu(buf[pos]); + if (zero_or_saturated(len)) + goto bad; + typdatum->s.value = le32_to_cpu(buf[++pos]); if (policydb_has_boundary_feature(p)) { uint32_t properties; @@ -2447,6 +2463,8 @@ int filename_trans_read(filename_trans_t **t, struct policy_file *fp) if (rc < 0) return -1; len = le32_to_cpu(buf[0]); + if (zero_or_saturated(len)) + return -1; name = calloc(len + 1, sizeof(*name)); if (!name) @@ -2556,6 +2574,9 @@ static int ocontext_read_xen(struct policydb_compat_info *info, if (rc < 0) return -1; len = le32_to_cpu(buf[0]); + if (zero_or_saturated(len)) + return -1; + c->u.name = malloc(len + 1); if (!c->u.name) return -1; @@ -2618,6 +2639,8 @@ static int ocontext_read_selinux(struct policydb_compat_info *info, if (rc < 0) return -1; len = le32_to_cpu(buf[0]); + if (zero_or_saturated(len)) + return -1; c->u.name = malloc(len + 1); if (!c->u.name) return -1; @@ -2659,6 +2682,8 @@ static int ocontext_read_selinux(struct policydb_compat_info *info, return -1; c->v.behavior = le32_to_cpu(buf[0]); len = le32_to_cpu(buf[1]); + if (zero_or_saturated(len)) + return -1; c->u.name = malloc(len + 1); if (!c->u.name) return -1; @@ -2719,7 +2744,7 @@ static int genfs_read(policydb_t * p, struct policy_file *fp) uint32_t buf[1]; size_t nel, nel2, len, len2; genfs_t *genfs_p, *newgenfs, *genfs; - unsigned int i, j; + size_t i, j; ocontext_t *l, *c, *newc = NULL; int rc; @@ -2733,6 +2758,8 @@ static int genfs_read(policydb_t * p, struct policy_file *fp) if (rc < 0) goto bad; len = le32_to_cpu(buf[0]); + if (zero_or_saturated(len)) + goto bad; newgenfs = calloc(1, sizeof(genfs_t)); if (!newgenfs) goto bad; @@ -2778,6 +2805,8 @@ static int genfs_read(policydb_t * p, struct policy_file *fp) if (rc < 0) goto bad; len = le32_to_cpu(buf[0]); + if (zero_or_saturated(len)) + goto bad; newc->u.name = malloc(len + 1); if (!newc->u.name) { goto bad; @@ -2877,6 +2906,9 @@ static int user_read(policydb_t * p, hashtab_t h, struct policy_file *fp) goto bad; len = le32_to_cpu(buf[0]); + if (zero_or_saturated(len)) + goto bad; + usrdatum->s.value = le32_to_cpu(buf[1]); if (policydb_has_boundary_feature(p)) usrdatum->bounds = le32_to_cpu(buf[2]); @@ -2960,6 +2992,9 @@ static int sens_read(policydb_t * p goto bad; len = le32_to_cpu(buf[0]); + if (zero_or_saturated(len)) + goto bad; + levdatum->isalias = le32_to_cpu(buf[1]); key = malloc(len + 1); @@ -3003,6 +3038,9 @@ static int cat_read(policydb_t * p goto bad; len = le32_to_cpu(buf[0]); + if(zero_or_saturated(len)) + goto bad; + catdatum->s.value = le32_to_cpu(buf[1]); catdatum->isalias = le32_to_cpu(buf[2]); @@ -3339,6 +3377,8 @@ static int filename_trans_rule_read(filename_trans_rule_t ** r, struct policy_fi return -1; len = le32_to_cpu(buf[0]); + if (zero_or_saturated(len)) + return -1; ftr->name = malloc(len + 1); if (!ftr->name) @@ -3580,6 +3620,8 @@ static int scope_read(policydb_t * p, int symnum, struct policy_file *fp) if (rc < 0) goto cleanup; key_len = le32_to_cpu(buf[0]); + if (zero_or_saturated(key_len)) + goto cleanup; key = malloc(key_len + 1); if (!key) goto cleanup; @@ -3664,8 +3706,8 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose) } len = buf[1]; - if (len > POLICYDB_STRING_MAX_LENGTH) { - ERR(fp->handle, "policydb string length too long "); + if (len == 0 || len > POLICYDB_STRING_MAX_LENGTH) { + ERR(fp->handle, "policydb string length %s ", len ? "too long" : "zero"); return POLICYDB_ERROR; } @@ -3798,6 +3840,8 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose) goto bad; } len = le32_to_cpu(buf[0]); + if (zero_or_saturated(len)) + goto bad; if ((p->name = malloc(len + 1)) == NULL) { goto bad; } @@ -3809,6 +3853,8 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose) goto bad; } len = le32_to_cpu(buf[0]); + if (zero_or_saturated(len)) + goto bad; if ((p->version = malloc(len + 1)) == NULL) { goto bad; } diff --git a/libsepol/src/private.h b/libsepol/src/private.h index 9c700c9..0beb4d4 100644 --- a/libsepol/src/private.h +++ b/libsepol/src/private.h @@ -45,6 +45,9 @@ #define ARRAY_SIZE(x) (sizeof(x)/sizeof((x)[0])) +#define is_saturated(x) (x == (typeof(x))-1) +#define zero_or_saturated(x) ((x == 0) || is_saturated(x)) + /* Policy compatibility information. */ struct policydb_compat_info { unsigned int type;