From patchwork Wed Sep 28 20:57:08 2016
X-Patchwork-Submitter: Nicolas Iooss
X-Patchwork-Id: 9354895
From: Nicolas Iooss
To: selinux@tycho.nsa.gov
Subject: [PATCH 1/1] libsepol/cil: do not heap-overflow when too many permissions are in a class
Date: Wed, 28 Sep 2016 22:57:08 +0200
Message-Id: <20160928205708.14686-1-nicolas.iooss@m4x.org>

When compiling a CIL policy with more than 32 items in a class (e.g. in
(class capability (chown ...)) with many items),
cil_classorder_to_policydb() overflows perm_value_to_cil[class_index]
array. As this array is allocated on the heap through
calloc(PERMS_PER_CLASS+1, sizeof(...)), this makes secilc crash with the
following message:

    *** Error in `/usr/bin/secilc': double free or corruption (!prev): 0x000000000062be80 ***
    ======= Backtrace: =========
    /usr/lib/libc.so.6(+0x70c4b)[0x7ffff76a7c4b]
    /usr/lib/libc.so.6(+0x76fe6)[0x7ffff76adfe6]
    /usr/lib/libc.so.6(+0x777de)[0x7ffff76ae7de]
    /lib/libsepol.so.1(+0x14fbda)[0x7ffff7b24bda]
    /lib/libsepol.so.1(+0x152db8)[0x7ffff7b27db8]
    /lib/libsepol.so.1(cil_build_policydb+0x63)[0x7ffff7af8723]
    /usr/bin/secilc[0x40273b]
    /usr/lib/libc.so.6(__libc_start_main+0xf1)[0x7ffff7657291]
    /usr/bin/secilc[0x402f7a]

Fix this by detecting the overflow before adding new permissions to a
class.

This bug has been found by fuzzing secilc with american fuzzy lop.

Signed-off-by: Nicolas Iooss
---
 libsepol/cil/src/cil_binary.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c index cc73648ad1b7..d3b3e90df45b 100644 --- a/libsepol/cil/src/cil_binary.c 
+++ b/libsepol/cil/src/cil_binary.c @@ -332,6 +332,11 @@ int cil_classorder_to_policydb(policydb_t *pdb, const struct cil_db *db, struct goto exit; } } + if (sepol_class->permissions.nprim + sepol_common->permissions.nprim > PERMS_PER_CLASS) { + cil_log(CIL_ERR, "Too many permissions in class '%s'\n", cil_class->datum.fqn); + rc = SEPOL_ERR; + goto exit; + } sepol_class->comdatum = sepol_common; sepol_class->comkey = cil_strdup(key); sepol_class->permissions.nprim += sepol_common->permissions.nprim; @@ -344,9 +349,15 @@ int cil_classorder_to_policydb(policydb_t *pdb, const struct cil_db *db, struct for (curr = NODE(cil_class)->cl_head; curr; curr = curr->next) { struct cil_perm *cil_perm = curr->data; - perm_datum_t *sepol_perm = cil_malloc(sizeof(*sepol_perm)); - memset(sepol_perm, 0, sizeof(perm_datum_t)); + perm_datum_t *sepol_perm; + if (sepol_class->permissions.nprim + 1 > PERMS_PER_CLASS) { + cil_log(CIL_ERR, "Too many permissions in class '%s'\n", cil_class->datum.fqn); + rc = SEPOL_ERR; + goto exit; + } + sepol_perm = cil_malloc(sizeof(*sepol_perm)); + memset(sepol_perm, 0, sizeof(perm_datum_t)); key = cil_strdup(cil_perm->datum.fqn); rc = hashtab_insert(sepol_class->permissions.table, key, sepol_perm); if (rc != SEPOL_OK) {
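
Review bot: In the first hunk (@@ -332,6 +332,11 @@), the check added before `sepol_class->comdatum = sepol_common;` logs exactly the same "Too many permissions in class '%s'" text as the check in the permission loop, so a policy author cannot tell whether the limit was exceeded by the permissions inherited from the common or by the class's own permissions. Consider naming the common in this message (the `key` that is passed to `cil_strdup(key)` on the next line) and printing the limit, for example "class '%s' with common '%s' exceeds %d permissions" with PERMS_PER_CLASS as the last argument.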
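
Review bot: In the second hunk (@@ -344,9 +349,15 @@), the block guarded by `sepol_class->permissions.nprim + 1 > PERMS_PER_CLASS` duplicates the log, `rc = SEPOL_ERR` and `goto exit` sequence of the first hunk; a small static helper taking the class and the number of permissions about to be added would keep the two limits from drifting apart. While the allocation is being moved, the `memset` could use `sizeof(*sepol_perm)` to match the `cil_malloc(sizeof(*sepol_perm))` call instead of `sizeof(perm_datum_t)`. Placing the check ahead of `cil_malloc()` is right, since the error path then has no `sepol_perm` to free. The diffstat shows only cil_binary.c changing: since the crash was found by fuzzing, a regression policy with more than 32 permissions in one class (and one that crosses the limit only through an inherited common) would be worth adding alongside the fix.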