From: James Carter
To: selinux@tycho.nsa.gov
Subject: [PATCH 6/7] libsepol/cil: Verify alias in aliasactual statement is really an alias
Date: Tue, 18 Oct 2016 14:58:47 -0400
Message-Id: <1476817128-16108-7-git-send-email-jwcart2@tycho.nsa.gov>
In-Reply-To: <1476817128-16108-1-git-send-email-jwcart2@tycho.nsa.gov>
References: <1476817128-16108-1-git-send-email-jwcart2@tycho.nsa.gov>
X-Patchwork-Submitter: James Carter
X-Patchwork-Id: 9382807
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

Nicolas Looss found while fuzzing secilc with AFL that the statement "(sensitivityaliasactual SENS SENS)" will cause a segfault.

The segfault occurs because when the aliasactual is resolved the first identifier is assumed to refer to an alias structure, but it is not.

Add a check to verify that the datum retrieved is actually an alias and exit with an error if it is not.

Signed-off-by: James Carter
--- libsepol/cil/src/cil_resolve_ast.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c index f3f3e92..149e4f4 100644
--- a/libsepol/cil/src/cil_resolve_ast.c +++ b/libsepol/cil/src/cil_resolve_ast.c @@ -452,7 +452,7 @@ exit: return rc; } -int cil_resolve_aliasactual(struct cil_tree_node *current, void *extra_args, enum cil_flavor flavor) +int cil_resolve_aliasactual(struct cil_tree_node *current, void *extra_args, enum cil_flavor flavor, enum cil_flavor alias_flavor) { int rc = SEPOL_ERR; enum cil_sym_index sym_index; @@ -465,10 +465,15 @@ int cil_resolve_aliasactual(struct cil_tree_node *current, void *extra_args, enu if (rc != SEPOL_OK) { goto exit; } + rc = cil_resolve_name(current, aliasactual->alias_str, sym_index, extra_args, &alias_datum); if (rc != SEPOL_OK) { goto exit; } + if (NODE(alias_datum)->flavor != alias_flavor) { + cil_log(CIL_ERR, "%s is not an alias\n",alias_datum->name); + goto exit; + } rc = cil_resolve_name(current, aliasactual->actual_str, sym_index, extra_args, &actual_datum); if (rc != SEPOL_OK) { @@ -3365,13 +3370,13 @@ int __cil_resolve_ast_node(struct cil_tree_node *node, void *extra_args) case CIL_PASS_ALIAS1: switch (node->flavor) { case CIL_TYPEALIASACTUAL: - rc = cil_resolve_aliasactual(node, args, CIL_TYPE); + rc = cil_resolve_aliasactual(node, args, CIL_TYPE, CIL_TYPEALIAS); break; case CIL_SENSALIASACTUAL: - rc = cil_resolve_aliasactual(node, args, CIL_SENS); + rc = cil_resolve_aliasactual(node, args, CIL_SENS, CIL_SENSALIAS); break; case CIL_CATALIASACTUAL: - rc = cil_resolve_aliasactual(node, args, CIL_CAT); + rc = cil_resolve_aliasactual(node, args, CIL_CAT, CIL_CATALIAS); break; default: break;
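
Review bot: The signature change in the hunk at @@ -452,7 +452,7 @@ adds a fourth parameter to a non-static function, but the diffstat lists only cil_resolve_ast.c, so any prototype in a header and any caller outside this file would be left with the three-argument form. Please update the declaration in the same patch, and add a short comment distinguishing flavor from alias_flavor (the node flavor the first identifier must have).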
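
Review bot: In the hunk at @@ -465,10 +465,15 @@, the new branch `if (NODE(alias_datum)->flavor != alias_flavor)` logs and jumps to exit without setting rc. The preceding `if (rc != SEPOL_OK) { goto exit; }` guarantees rc is SEPOL_OK at that point, so if the exit label returns rc, as the one visible in the first hunk's context does, the function reports success for a statement the commit message says should exit with an error. Suggest adding `rc = SEPOL_ERR;` before the `goto exit;`. Style: add a space after the comma in `"%s is not an alias\n",alias_datum->name`, and the blank line added before the first cil_resolve_name call looks unintended.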
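
Review bot: The three call sites under CIL_PASS_ALIAS1 in the hunk at @@ -3365,13 +3370,13 @@ each pass a different alias flavor, and nothing in this patch exercises them: the diffstat shows no test or policy file. Suggest adding the reproducer from the commit message, (sensitivityaliasactual SENS SENS), plus the typealiasactual and categoryaliasactual equivalents, as negative test cases, so a wrong pairing such as CIL_TYPE with CIL_SENSALIAS would be caught.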