| Message ID | 1476817128-16108-2-git-send-email-jwcart2@tycho.nsa.gov (mailing list archive) |
|---|---|
| State | Not Applicable |
| Headers | show |
diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c index f8447c9..caf3321 100644 --- a/libsepol/cil/src/cil_post.c +++ b/libsepol/cil/src/cil_post.c @@ -952,6 +952,11 @@ static int __cil_cat_expr_range_to_bitmap_helper(struct cil_list_item *i1, struc c2 = alias->actual; } + if (c1->value > c2->value) { + cil_log(CIL_ERR, "Invalid category range\n"); + goto exit; + } + for (i = c1->value; i <= c2->value; i++) { if (ebitmap_set_bit(bitmap, i, 1)) { cil_log(CIL_ERR, "Failed to set cat bit\n");
Nicolas Looss found while fuzzing secilc with AFL that the following policy will cause a segfault. (category c0) (category c1) (categoryorder (c0 c1)) (sensitivity s0) (sensitivitycategory s0 (range c1 c0)) The category range "(range c1 c0)" is invalid because c1 comes after c0 in order. The invalid range is evaluated as containing no categories. There is a check for the resulting empty list and the category datum expression is set to NULL. The segfault occurs because the datum expression is assumed to be non-NULL after evaluation. Add a check for an invalid range when evaluating category ranges. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov> --- libsepol/cil/src/cil_post.c | 5 +++++ 1 file changed, 5 insertions(+)