[RFC,13/35] libsepol: validate MLS levels

Message ID	20211011162533.53404-14-cgzones@googlemail.com (mailing list archive)
State	Changes Requested
Headers	show Return-Path: <selinux-owner@kernel.org> From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com> To: selinux@vger.kernel.org Subject: [RFC PATCH 13/35] libsepol: validate MLS levels Date: Mon, 11 Oct 2021 18:25:11 +0200 Message-Id: <20211011162533.53404-14-cgzones@googlemail.com> In-Reply-To: <20211011162533.53404-1-cgzones@googlemail.com> References: <20211011162533.53404-1-cgzones@googlemail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	libsepol: add fuzzer for reading binary policies \| expand [RFC,00/35] libsepol: add fuzzer for reading binary policies [RFC,01/35] cifuzz: enable report-unreproducible-crashes [RFC,02/35] cifuzz: use the default runtime of 600 seconds [RFC,03/35] libsepol/fuzz: silence secilc-fuzzer [RFC,04/35] libsepol: add libfuzz based fuzzer for reading binary policies [RFC,05/35] libsepol/fuzz: limit element sizes for fuzzing [RFC,06/35] libsepol: use logging framework in conditional.c [RFC,07/35] libsepol: use logging framework in ebitmap.c [RFC,08/35] libsepol: use mallocarray wrapper to avoid overflows [RFC,09/35] libsepol: use reallocarray wrapper to avoid overflows [RFC,10/35] libsepol: add checks for read sizes [RFC,11/35] libsepol: enforce avtab item limit [RFC,12/35] libsepol: clean memory on conditional read failure [RFC,13/35] libsepol: validate MLS levels [RFC,14/35] libsepol: reject invalid fsuse types [RFC,15/35] libsepol: reject invalid default targets [RFC,16/35] libsepol: validate expanded user range and level [RFC,17/35] libsepol: validate types [RFC,18/35] libsepol: use size_t for indexes in strs helpers [RFC,19/35] libsepol: reject abnormal huge sid ids [RFC,20/35] libsepol: do not crash on class gaps [RFC,21/35] libsepol: do not crash on user gaps [RFC,22/35] libsepol: validate permission count of classes [RFC,23/35] libsepol: resolve log message mismatch [RFC,24/35] libsepol: zero member before potential dereference [RFC,25/35] libsepol: validate avtab types [RFC,26/35] libsepol: validate constraint expression operators and attributes [RFC,27/35] libsepol: validate type of avtab type rules [RFC,28/35] libsepol: validate ocontexts [RFC,29/35] libsepol: validate genfs contexts [RFC,30/35] libsepol: validate permissive types [RFC,31/35] libsepol: validate policy properties [RFC,32/35] libsepol: do not underflow on short format arguments [RFC,33/35] libsepol: validate categories [RFC,34/35] libsepol: use correct size for initial string list [RFC,35/35] libsepol: do not create a string list with initial size zero

Message ID

20211011162533.53404-14-cgzones@googlemail.com (mailing list archive)

State

Changes Requested

Headers

From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com>
To: selinux@vger.kernel.org
Subject: [RFC PATCH 13/35] libsepol: validate MLS levels
Date: Mon, 11 Oct 2021 18:25:11 +0200
Message-Id: <20211011162533.53404-14-cgzones@googlemail.com>
In-Reply-To: <20211011162533.53404-1-cgzones@googlemail.com>
References: <20211011162533.53404-1-cgzones@googlemail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

libsepol: add fuzzer for reading binary policies | expand

Commit Message

Christian Göttsche Oct. 11, 2021, 4:25 p.m. UTC

Validate the level map of the policy to ensure no level refers to a non
existent category.

READ of size 8 at 0x602000000c58 thread T0
    #0 0x568d2c in cats_ebitmap_len ./libsepol/src/kernel_to_conf.c:1003:14
    #1 0x568d2c in cats_ebitmap_to_str ./libsepol/src/kernel_to_conf.c:1038:19
    #2 0x55e371 in write_level_rules_to_conf ./libsepol/src/kernel_to_conf.c:1106:11
    #3 0x55e371 in write_mls_rules_to_conf ./libsepol/src/kernel_to_conf.c:1140:7
    #4 0x55adb1 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3103:7
    #5 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9
    #6 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
    #7 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
    #8 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
    #9 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
    #10 0x7f741d0d67ec in __libc_start_main csu/../csu/libc-start.c:332:16
    #11 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsepol/src/policydb_validate.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

Comments

James Carter Oct. 13, 2021, 3:38 p.m. UTC | #1

On Mon, Oct 11, 2021 at 12:41 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Validate the level map of the policy to ensure no level refers to a non
> existent category.
>
> READ of size 8 at 0x602000000c58 thread T0
>     #0 0x568d2c in cats_ebitmap_len ./libsepol/src/kernel_to_conf.c:1003:14
>     #1 0x568d2c in cats_ebitmap_to_str ./libsepol/src/kernel_to_conf.c:1038:19
>     #2 0x55e371 in write_level_rules_to_conf ./libsepol/src/kernel_to_conf.c:1106:11
>     #3 0x55e371 in write_mls_rules_to_conf ./libsepol/src/kernel_to_conf.c:1140:7
>     #4 0x55adb1 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3103:7
>     #5 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9
>     #6 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
>     #7 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
>     #8 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
>     #9 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
>     #10 0x7f741d0d67ec in __libc_start_main csu/../csu/libc-start.c:332:16
>     #11 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
>  libsepol/src/policydb_validate.c | 26 ++++++++++++++++++++++++++
>  1 file changed, 26 insertions(+)
>
> diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
> index 5804d247..ca0dcca3 100644
> --- a/libsepol/src/policydb_validate.c
> +++ b/libsepol/src/policydb_validate.c
> @@ -310,6 +310,29 @@ bad:
>         return -1;
>  }
>
> +static int validate_mls_level(mls_level_t *level, validate_t *sens, validate_t *cats)
> +{
> +       if (level->sens == 0)
> +               return 0;
> +       if (validate_value(level->sens, sens))
> +               goto bad;
> +       if (validate_ebitmap(&level->cat, cats))
> +               goto bad;
> +
> +       return 0;
> +
> +       bad:
> +       return -1;
> +}
> +
> +static int validate_level(__attribute__ ((unused))hashtab_key_t k, hashtab_datum_t d, void *args)

I would prefer validate_level_datum for the name of this function.

> +{
> +       level_datum_t *level = d;
> +       validate_t *flavors = args;
> +
> +       return validate_mls_level(level->level, &flavors[SYM_LEVELS], &flavors[SYM_CATS]);
> +}
> +
>  static int validate_datum_arrays(sepol_handle_t *handle, policydb_t *p, validate_t flavors[])
>  {
>         unsigned int i;
> @@ -368,6 +391,9 @@ static int validate_datum_arrays(sepol_handle_t *handle, policydb_t *p, validate
>                 }
>         }
>
> +       if (hashtab_map(p->p_levels.table, validate_level, flavors))
> +               goto bad;
> +

This should not be in validate_datum_arrays(). This also applies to
patches 17 and 33.
I think the best course would be to pull out the validate_X_datum()
calls out of validate_datum_arrays() so that the only thing being
checked is that the gaps in the X_val_to_struct arrays correspond to
any gaps in the X_val_to_name arrays.

Have a function called validate_global_symtabs() or something that
walks all of the symtabs and does the checks on the datums (including
aliases). So this hashtab_map() call would be in the function, along
with calls to hashtab_map using modified validate_X_datum() functions
that can be used with hashtab_map().

I think something like:

if (hashtab_map(p->p_commons.table, validate_common_datum, flavors))
            goto bad;
if (hashtab_map(p->p_classes.table, validate_class_datum, flavors))
            goto bad;
if (hashtab_map(p->p_roles.table, validate_role_datum, flavors))
            goto bad;
if (hashtab_map(p->p_types.table, validate_type_datum, flavors))
            goto bad;
if (hashtab_map(p->p_users.table, validate_user_datum, flavors))
            goto bad;
if (hashtab_map(p->p_bools.table, validate_bool_datum, flavors))
            goto bad;
if (hashtab_map(p->p_levels.table, validate_level_datum, flavors))
            goto bad;
if (hashtab_map(p->p_cats.table, validate_cat_datum, flavors))
            goto bad;

Thanks,
Jim

diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index 5804d247..ca0dcca3 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -310,6 +310,29 @@  bad:
 	return -1;
 }
 
+static int validate_mls_level(mls_level_t *level, validate_t *sens, validate_t *cats)
+{
+	if (level->sens == 0)
+		return 0;
+	if (validate_value(level->sens, sens))
+		goto bad;
+	if (validate_ebitmap(&level->cat, cats))
+		goto bad;
+
+	return 0;
+
+	bad:
+	return -1;
+}
+
+static int validate_level(__attribute__ ((unused))hashtab_key_t k, hashtab_datum_t d, void *args)
+{
+	level_datum_t *level = d;
+	validate_t *flavors = args;
+
+	return validate_mls_level(level->level, &flavors[SYM_LEVELS], &flavors[SYM_CATS]);
+}
+
 static int validate_datum_arrays(sepol_handle_t *handle, policydb_t *p, validate_t flavors[])
 {
 	unsigned int i;
@@ -368,6 +391,9 @@  static int validate_datum_arrays(sepol_handle_t *handle, policydb_t *p, validate
 		}
 	}
 
+	if (hashtab_map(p->p_levels.table, validate_level, flavors))
+		goto bad;
+
 	return 0;
 
 bad:

[RFC,13/35] libsepol: validate MLS levels

Commit Message

Comments

Patch