From patchwork Mon Oct  3 20:46:55 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Nicolas Iooss <nicolas.iooss@m4x.org>
X-Patchwork-Id: 9360931
Return-Path: <selinux-bounces@tycho.nsa.gov>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	38C63607D6 for <patchwork-selinux@patchwork.kernel.org>;
	Mon,  3 Oct 2016 20:55:06 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2E4F628711
	for <patchwork-selinux@patchwork.kernel.org>;
	Mon,  3 Oct 2016 20:55:06 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 2108028A81; Mon,  3 Oct 2016 20:55:06 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED
	autolearn=ham version=3.3.1
Received: from emsm-gh1-uea11.nsa.gov (emsm-gh1-uea11.nsa.gov [8.44.101.9])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 713B328711
	for <patchwork-selinux@patchwork.kernel.org>;
	Mon,  3 Oct 2016 20:55:05 +0000 (UTC)
X-IronPort-AV: E=Sophos;i="5.31,291,1473120000"; d="scan'208";a="19768287"
IronPort-PHdr: =?us-ascii?q?9a23=3AfokFbxfCJM+cfiaY7GaEpMGilGMj4u6mDksu8pMi?=
	=?us-ascii?q?zoh2WeGdxc6/Zx7h7PlgxGXEQZ/co6odzbGH6ea6BCdZvc3JmUtBWaQEbwUCh8?=
	=?us-ascii?q?QSkl5oK+++Imq/EsTXaTcnFt9JTl5v8iLzG0FUHMHjew+a+SXqvnYsExnyfTB4?=
	=?us-ascii?q?Ov7yUtaLyZ/mjaboptaKP14ArQH+SIs6FA+xowTVu5teqqpZAYF19CH0pGBVcf?=
	=?us-ascii?q?9d32JiKAHbtR/94sCt4MwrqHwI6Loc7coIbYHWN+R9FOQZX3waNDUu6cnqswTT?=
	=?us-ascii?q?ZRee7XsbFGMNm1xHBBaWwgv9W8LXsyD9suNmkAidOtbtBeQyWD+l665wDh7vjz?=
	=?us-ascii?q?wcHztl4CfQkMMm3/ETmw6ouxEqm92cW4qSLvcrO/qFcA=3D=3D?=
X-IPAS-Result: =?us-ascii?q?A2FhBQCNxPJX/wHyM5BeHQEFAQsBgz0BAQEBAR6BU7QXhjg?=
	=?us-ascii?q?lh3JMAQEBAQEBAQECAQJbJ4IyBAMTBYIRAgQBAjcUIA4DCQEBFykICAMBLRURD?=
	=?us-ascii?q?gsFGASILAQBtQWHVYY4iGkCEQFohRIBBI42i0KBZY4CigmFc0iQJFSDIByBUnC?=
	=?us-ascii?q?EZg8XYYEoAQEB?=
Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1])
	by emsm-gh1-uea11.nsa.gov with ESMTP; 03 Oct 2016 20:55:03 +0000
Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u93Kt0fh004825;
	Mon, 3 Oct 2016 16:55:02 -0400
Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil
	[144.51.242.1])
	by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id
	u93KrX5h120347 for <selinux@prometheus.infosec.tycho.ncsc.mil>;
	Mon, 3 Oct 2016 16:53:33 -0400
Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u93KrW4r004766
	for <selinux@tycho.nsa.gov>; Mon, 3 Oct 2016 16:53:33 -0400
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: 
 A1B3AgASxPJXhyIeaIFeHgYMgz0BAQEBAYFxpH+PGIIvhCmHd0wBAgEBAQEBAhMBAQEKCwkJGYURBoEJUVcZiE0EAbUEh1WGOIhpfIUSBY42i0KBZY4Cj3xIkCSDIgxGHIFScIRmgi8BAQE
X-IPAS-Result: 
 A1B3AgASxPJXhyIeaIFeHgYMgz0BAQEBAYFxpH+PGIIvhCmHd0wBAgEBAQEBAhMBAQEKCwkJGYURBoEJUVcZiE0EAbUEh1WGOIhpfIUSBY42i0KBZY4Cj3xIkCSDIgxGHIFScIRmgi8BAQE
X-IronPort-AV: E=Sophos;i="5.31,291,1473134400"; d="scan'208";a="5742507"
Received: from emsm-gh1-uea11.corp.nsa.gov (HELO emsm-gh1-uea11.nsa.gov)
	([10.208.41.37])
	by goalie.tycho.ncsc.mil with ESMTP; 03 Oct 2016 16:53:32 -0400
IronPort-PHdr: =?us-ascii?q?9a23=3AfeLTkBfgA/OWXletRy0UbNvalGMj4u6mDksu8pMi?=
	=?us-ascii?q?zoh2WeGdxc65bB7h7PlgxGXEQZ/co6odzbGH6ea6BCdZvc3JmUtBWaQEbwUCh8?=
	=?us-ascii?q?QSkl5oK+++Imq/EsTXaTcnFt9JTl5v8iLzG0FUHMHjew+a+SXqvnYsExnyfTB4?=
	=?us-ascii?q?Ov7yUtaLyZ/mjaboptaKP14ArQH+SIs6FA+xowTVu5teqqpZAYF19CH0pGBVcf?=
	=?us-ascii?q?9d32JiKAHbtR/94sCt4MwrqHwI6Lpyv/JHBL73e6U+UKxwECUtM2dz4tbi8xbE?=
	=?us-ascii?q?U1ih/HwZB0MXmR1MChONzRb9RYy55i37ve150TLcPMrxVqscXGiyqaBxR0m722?=
	=?us-ascii?q?88Kzcl/TSP2YRLh6VBrUf5qg=3D=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0E8AgCNxPJXhyIeaIFeHgYMFwEBFgEBB?=
	=?us-ascii?q?QEBBQGCfwEBAQEBgXGkf48Ygi+EKYd3TAEBAQEBAQEBAgECEAEBAQoLCQkZL4I?=
	=?us-ascii?q?yGIIYBoEJUVcZiE0EAbUFh1WGOIhpfIUSBY42i0KBZY4Cj3xIkCSDIgxGHIFSc?=
	=?us-ascii?q?IRmgi8BAQE?=
X-IPAS-Result: =?us-ascii?q?A0E8AgCNxPJXhyIeaIFeHgYMFwEBFgEBBQEBBQGCfwEBAQE?=
	=?us-ascii?q?BgXGkf48Ygi+EKYd3TAEBAQEBAQEBAgECEAEBAQoLCQkZL4IyGIIYBoEJUVcZi?=
	=?us-ascii?q?E0EAbUFh1WGOIhpfIUSBY42i0KBZY4Cj3xIkCSDIgxGHIFScIRmgi8BAQE?=
X-IronPort-AV: E=Sophos;i="5.31,291,1473120000"; d="scan'208";a="19768226"
Received: from mx1.polytechnique.org ([129.104.30.34])
	by emsm-gh1-uea11.nsa.gov with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
	03 Oct 2016 20:53:31 +0000
Received: from localhost.localdomain (32.206.133.77.rev.sfr.net
	[77.133.206.32])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128
	bits)) (No client certificate requested)
	by ssl.polytechnique.org (Postfix) with ESMTPSA id 9460D564726
	for <selinux@tycho.nsa.gov>; Mon,  3 Oct 2016 22:47:01 +0200 (CEST)
From: Nicolas Iooss <nicolas.iooss@m4x.org>
To: selinux@tycho.nsa.gov
Subject: [PATCH 1/3] libsepol/cil: make cil_resolve_name() fail for '.'
Date: Mon,  3 Oct 2016 22:46:55 +0200
Message-Id: <20161003204657.2635-2-nicolas.iooss@m4x.org>
X-Mailer: git-send-email 2.10.0
In-Reply-To: <20161003204657.2635-1-nicolas.iooss@m4x.org>
References: <20161003204657.2635-1-nicolas.iooss@m4x.org>
X-AV-Checked: ClamAV using ClamSMTP at svoboda.polytechnique.org (Mon Oct 3
	22:47:01 2016 +0200 (CEST))
X-Org-Mail: nicolas.iooss.2010@polytechnique.org
X-BeenThere: selinux@tycho.nsa.gov
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
	<selinux.tycho.nsa.gov>
List-Post: <mailto:selinux@tycho.nsa.gov>
List-Help: <mailto:selinux-request@tycho.nsa.gov?subject=help>
MIME-Version: 1.0
Errors-To: selinux-bounces@tycho.nsa.gov
Sender: "Selinux" <selinux-bounces@tycho.nsa.gov>
X-Virus-Scanned: ClamAV using ClamSMTP

This CIL policy makes secilc crash with a NULL pointer dereference:

    (class CLASS (PERM))
    (classorder (CLASS))
    (sid SID)
    (sidorder (SID))
    (user USER)
    (role ROLE)
    (type TYPE)
    (category CAT)
    (categoryorder (CAT))
    (sensitivity SENS)
    (sensitivityorder (SENS))
    (sensitivitycategory SENS (CAT))
    (allow TYPE self (CLASS (PERM)))
    (roletype ROLE TYPE)
    (userrole USER ROLE)
    (userlevel USER (SENS))
    (userrange USER ((SENS)(SENS (CAT))))
    (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))

    (allow . self (CLASS (PERM)))

Using "." in the allow statement makes strtok_r() return NULL in
cil_resolve_name() and this result is then used in a call to
cil_symtab_get_datum(), which is thus invalid.

Instead of crashing, make secilc fail with an error message.

This bug has been found by fuzzing secilc with american fuzzy lop.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
 libsepol/cil/src/cil_resolve_ast.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index 917adf8d23da..5b86908c4120 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -4027,7 +4027,13 @@ int cil_resolve_name(struct cil_tree_node *ast_node, char *name, enum cil_sym_in
 		char *current = strtok_r(name_dup, ".", &sp);
 		char *next = strtok_r(NULL, ".", &sp);
 		symtab_t *symtab = NULL;
-		
+
+		if (current == NULL) {
+			/* Only dots */
+			cil_tree_log(ast_node, CIL_ERR, "Invalid name %s", name);
+			goto exit;
+		}
+
 		node = ast_node;
 		if (*name == '.') {
 			/* Leading '.' */