From patchwork Thu Sep 29 05:50:12 2016
X-Patchwork-Submitter: Nicolas Iooss
X-Patchwork-Id: 9355757
From: Nicolas Iooss
To: selinux@tycho.nsa.gov
Subject: [PATCH v2 1/1] libsepol/cil: do not heap-overflow when too many permissions are in a class
Date: Thu, 29 Sep 2016 07:50:12 +0200
Message-Id: <20160929055012.10460-1-nicolas.iooss@m4x.org>

When compiling a CIL policy with more than 32 items in a class (e.g. in
(class capability (chown ...)) with many items), cil_classorder_to_policydb()
overflows the perm_value_to_cil[class_index] array. As this array is allocated
on the heap through calloc(PERMS_PER_CLASS+1, sizeof(...)), this makes secilc
crash with the following message:

*** Error in `/usr/bin/secilc': double free or corruption (!prev): 0x000000000062be80 ***
======= Backtrace: =========
/usr/lib/libc.so.6(+0x70c4b)[0x7ffff76a7c4b]
/usr/lib/libc.so.6(+0x76fe6)[0x7ffff76adfe6]
/usr/lib/libc.so.6(+0x777de)[0x7ffff76ae7de]
/lib/libsepol.so.1(+0x14fbda)[0x7ffff7b24bda]
/lib/libsepol.so.1(+0x152db8)[0x7ffff7b27db8]
/lib/libsepol.so.1(cil_build_policydb+0x63)[0x7ffff7af8723]
/usr/bin/secilc[0x40273b]
/usr/lib/libc.so.6(__libc_start_main+0xf1)[0x7ffff7657291]
/usr/bin/secilc[0x402f7a]

Fix this by detecting the overflow before adding new permissions to a
class.

This bug has been found by fuzzing secilc with american fuzzy lop.

Signed-off-by: Nicolas Iooss
---
v2: check that sepol_common->permissions.nprim would not make
sepol_class->permissions.nprim overflow when added to it.

 libsepol/cil/src/cil_binary.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
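The overflow the commit message describes, reduced to a stand-alone C illustration that is added here and is not libsepol's code: a table with PERMS_PER_CLASS + 1 slots (values start at 1) guarded the way the patch guards it, with a sum-only check placed alongside to show why the v2 check tests the common's count on its own before adding it to the class's count. PERMS_PER_CLASS is libsepol's value; struct perm_table and every function name below are constructed for this example, as is the sample scenario of a common with 4 permissions and a class adding 30 more.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* libsepol's per-class permission limit. Everything below the macro is
 * constructed for this example and is not libsepol's own API. */
#define PERMS_PER_CLASS 32

/* Stand-in for the value-to-permission map that the commit message says is
 * allocated with PERMS_PER_CLASS + 1 entries: permission values start at 1,
 * so value N lives at index N and index PERMS_PER_CLASS is the last valid one. */
struct perm_table {
    const char *value_to_name[PERMS_PER_CLASS + 1];
    uint32_t nprim;  /* number of permission values handed out so far */
};

void perm_table_init(struct perm_table *t)
{
    memset(t, 0, sizeof(*t));
}

/* Sum-only check, the naive form of the guard. Both operands are unsigned,
 * so a very large ncommon wraps the sum back below the limit. */
int perms_would_overflow_sum_only(uint32_t nclass, uint32_t ncommon)
{
    return nclass + ncommon > PERMS_PER_CLASS;
}

/* The patch's two-clause check: rejecting ncommon on its own first means
 * the addition in the second clause can no longer wrap. */
int perms_would_overflow(uint32_t nclass, uint32_t ncommon)
{
    if (ncommon > PERMS_PER_CLASS)
        return 1;
    if (nclass + ncommon > PERMS_PER_CLASS)
        return 1;
    return 0;
}

/* Inherit a common's permissions into the class (the first hunk's case).
 * Returns 0 on success, -1 if the class would exceed the limit. */
int perm_table_inherit(struct perm_table *t, uint32_t ncommon)
{
    if (perms_would_overflow(t->nprim, ncommon))
        return -1;
    t->nprim += ncommon;
    return 0;
}

/* Add one class-local permission (the second hunk's case): the bound is
 * checked before a value is assigned, so a full table is left untouched. */
int perm_table_add(struct perm_table *t, const char *name)
{
    if (t->nprim + 1 > PERMS_PER_CLASS)
        return -1;
    t->nprim++;                        /* values are 1-based */
    t->value_to_name[t->nprim] = name; /* index is at most PERMS_PER_CLASS */
    return 0;
}

/* Walk-through of the crash scenario with a constructed policy shape: a
 * common carrying 4 permissions and a class that tries to add 30 of its own.
 * Returns how many class additions were accepted before the guard fired. */
uint32_t fill_past_limit(void)
{
    struct perm_table t;
    uint32_t accepted = 0;

    perm_table_init(&t);
    if (perm_table_inherit(&t, 4) != 0)
        return 0;
    for (int i = 0; i < 30; i++) {
        if (perm_table_add(&t, "constructed_perm") != 0)
            break;
        accepted++;
    }
    return accepted; /* 28: values 5..32 fit, the 29th request is refused */
}

int main(void)
{
    printf("class additions accepted before the guard fired: %u\n",
           fill_past_limit());
    printf("sum-only check fooled by unsigned wrap: %d\n",
           !perms_would_overflow_sum_only(5, UINT32_MAX));
    printf("two-clause check rejects the same input: %d\n",
           perms_would_overflow(5, UINT32_MAX));
    return 0;
}
```

Without the guard the 29th class-local permission would receive value 33 and the store would land one slot past the calloc'd block, which is the heap corruption glibc reports at free time in the backtrace above; with it, the compile fails with an error instead.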
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c index cc73648ad1b7..f83dc2ddd1ee 100644 --- a/libsepol/cil/src/cil_binary.c +++ b/libsepol/cil/src/cil_binary.c @@ -332,6 +332,12 @@ int cil_classorder_to_policydb(policydb_t *pdb, const struct cil_db *db, struct goto exit; } } + if (sepol_common->permissions.nprim > PERMS_PER_CLASS || + sepol_class->permissions.nprim + sepol_common->permissions.nprim > PERMS_PER_CLASS) { + cil_log(CIL_ERR, "Too many permissions in class '%s'\n", cil_class->datum.fqn); + rc = SEPOL_ERR; + goto exit; + } sepol_class->comdatum = sepol_common; sepol_class->comkey = cil_strdup(key); sepol_class->permissions.nprim += sepol_common->permissions.nprim; @@ -344,9 +350,15 @@ int cil_classorder_to_policydb(policydb_t *pdb, const struct cil_db *db, struct for (curr = NODE(cil_class)->cl_head; curr; curr = curr->next) { struct cil_perm *cil_perm = curr->data; - perm_datum_t *sepol_perm = cil_malloc(sizeof(*sepol_perm)); - memset(sepol_perm, 0, sizeof(perm_datum_t)); + perm_datum_t *sepol_perm; + if (sepol_class->permissions.nprim + 1 > PERMS_PER_CLASS) { + cil_log(CIL_ERR, "Too many permissions in class '%s'\n", cil_class->datum.fqn); + rc = SEPOL_ERR; + goto exit; + } + sepol_perm = cil_malloc(sizeof(*sepol_perm)); + memset(sepol_perm, 0, sizeof(perm_datum_t)); key = cil_strdup(cil_perm->datum.fqn); rc = hashtab_insert(sepol_class->permissions.table, key, sepol_perm); if (rc != SEPOL_OK) {
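Review bot: in the first hunk the `sepol_common->permissions.nprim > PERMS_PER_CLASS` clause is redundant with the following sum check except as a guard against unsigned wraparound of `sepol_class->permissions.nprim + sepol_common->permissions.nprim`; since the v2 note says that wraparound is the intent, a one-line comment above the `if` would stop a later cleanup from dropping the first clause. The message `"Too many permissions in class '%s'\n"` also names only the class here, although in this path the excess comes from the inherited common; logging `key` as well (the same value stored into `sepol_class->comkey` just below) would tell the policy author which common pushed the class over the limit.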
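Review bot: in the second hunk `sepol_class->permissions.nprim + 1 > PERMS_PER_CLASS` reads more directly as `sepol_class->permissions.nprim >= PERMS_PER_CLASS`, and the three-line `cil_log(CIL_ERR, ...)` / `rc = SEPOL_ERR;` / `goto exit;` block is now a verbatim copy of the one in the first hunk; a small static helper or a shared label would keep the two error paths from drifting apart. Placing the check ahead of `cil_malloc()` is the right order, since the early `goto exit` then has no `sepol_perm` allocation to release.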