[v3,05/36] libsepol/fuzz: limit element sizes for fuzzing

Message ID	20211209164928.87459-6-cgzones@googlemail.com (mailing list archive)
State	Accepted
Headers	show Return-Path: <selinux-owner@kernel.org> From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com> To: selinux@vger.kernel.org Subject: [PATCH v3 05/36] libsepol/fuzz: limit element sizes for fuzzing Date: Thu, 9 Dec 2021 17:48:57 +0100 Message-Id: <20211209164928.87459-6-cgzones@googlemail.com> In-Reply-To: <20211209164928.87459-1-cgzones@googlemail.com> References: <20211105154542.38434-1-cgzones@googlemail.com> <20211209164928.87459-1-cgzones@googlemail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	libsepol: add fuzzer for reading binary policies \| expand [v3,00/36] libsepol: add fuzzer for reading binary policies [v3,01/36] cifuzz: enable report-unreproducible-crashes [v3,02/36] cifuzz: use the default runtime of 600 seconds [v3,03/36] libsepol/fuzz: silence secilc-fuzzer [v3,04/36] libsepol: add libfuzz based fuzzer for reading binary policies [v3,05/36] libsepol/fuzz: limit element sizes for fuzzing [v3,06/36] libsepol: use logging framework in conditional.c [v3,07/36] libsepol: use logging framework in ebitmap.c [v3,08/36] libsepol: use mallocarray wrapper to avoid overflows [v3,09/36] libsepol: use reallocarray wrapper to avoid overflows [v3,10/36] libsepol: add checks for read sizes [v3,11/36] libsepol: enforce avtab item limit [v3,12/36] libsepol: clean memory on conditional insertion failure [v3,13/36] libsepol: reject abnormal huge sid ids [v3,14/36] libsepol: reject invalid filetrans source type [v3,15/36] libsepol: zero member before potential dereference [v3,16/36] libsepol: use size_t for indexes in strs helpers [v3,17/36] libsepol: do not underflow on short format arguments [v3,18/36] libsepol: do not crash on class gaps [v3,19/36] libsepol: do not crash on user gaps [v3,20/36] libsepol: use correct size for initial string list [v3,21/36] libsepol: do not create a string list with initial size zero [v3,22/36] libsepol: split validation of datum array gaps and entries [v3,23/36] libsepol: validate MLS levels [v3,24/36] libsepol: validate expanded user range and level [v3,25/36] libsepol: validate permission count of classes [v3,26/36] libsepol: resolve log message mismatch [v3,27/36] libsepol: validate avtab and avrule types [v3,28/36] libsepol: validate constraint expression operators and attributes [v3,29/36] libsepol: validate type of avtab type rules [v3,30/36] libsepol: validate ocontexts [v3,31/36] libsepol: validate genfs contexts [v3,32/36] libsepol: validate permissive types [v3,33/36] libsepol: validate policy properties [v3,34/36] libsepol: validate categories [v3,35/36] libsepol: validate fsuse types [v3,36/36] libsepol: validate class default targets

Message ID

20211209164928.87459-6-cgzones@googlemail.com (mailing list archive)

State

Accepted

Headers

From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com>
To: selinux@vger.kernel.org
Subject: [PATCH v3 05/36] libsepol/fuzz: limit element sizes for fuzzing
Date: Thu,  9 Dec 2021 17:48:57 +0100
Message-Id: <20211209164928.87459-6-cgzones@googlemail.com>
In-Reply-To: <20211209164928.87459-1-cgzones@googlemail.com>
References: <20211105154542.38434-1-cgzones@googlemail.com>
 <20211209164928.87459-1-cgzones@googlemail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

libsepol: add fuzzer for reading binary policies | expand

Commit Message

Christian Göttsche Dec. 9, 2021, 4:48 p.m. UTC

Limit the maximum length of read sizes, like string length of module
version and name or keys and number of symtab entries.  This avoids the
fuzzer to report oom events for huge allocations (it also improves the
number of executions per seconds of the fuzzer).

This change only affects the fuzzer build.

    ==15211== ERROR: libFuzzer: out-of-memory (malloc(3115956666))
       To change the out-of-memory limit use -rss_limit_mb=<N>

        #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
        #1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
        #2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
        #3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
        #4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
        #5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
        #6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143)
        #7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb)
        #8 0x59d307 in str_read ./libsepol/src/services.c:1746:8
        #9 0x585b97 in perm_read ./libsepol/src/policydb.c:2063:5
        #10 0x581f8a in common_read ./libsepol/src/policydb.c:2119:7
        #11 0x576681 in policydb_read ./libsepol/src/policydb.c:4417:8
        #12 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
        #13 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
        #14 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
        #15 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
        #16 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
        #17 0x7fe1ec88a7ec in __libc_start_main csu/../csu/libc-start.c:332:16
        #18 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)

    ==12683== ERROR: libFuzzer: out-of-memory (malloc(2526451450))
       To change the out-of-memory limit use -rss_limit_mb=<N>

        #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
        #1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
        #2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
        #3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
        #4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
        #5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
        #6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143)
        #7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb)
        #8 0x575f8a in policydb_read ./libsepol/src/policydb.c:4356:18
        #9 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
        #10 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
        #11 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
        #12 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
        #13 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
        #14 0x7fa737b377ec in __libc_start_main csu/../csu/libc-start.c:332:16
        #15 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsepol/src/private.h | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libsepol/src/private.h b/libsepol/src/private.h
index 71287282..6146f59f 100644
--- a/libsepol/src/private.h
+++ b/libsepol/src/private.h
@@ -44,7 +44,12 @@ 
 
 #define ARRAY_SIZE(x) (sizeof(x)/sizeof((x)[0]))
 
-#define is_saturated(x) (x == (typeof(x))-1)
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+# define is_saturated(x) (x == (typeof(x))-1 || (x) > (1U << 16))
+#else
+# define is_saturated(x) (x == (typeof(x))-1)
+#endif
+
 #define zero_or_saturated(x) ((x == 0) || is_saturated(x))
 
 #define spaceship_cmp(a, b) (((a) > (b)) - ((a) < (b)))

[v3,05/36] libsepol/fuzz: limit element sizes for fuzzing

Commit Message

Patch