diff mbox series

libsepol: check for saturated class name length

Message ID 20220106204336.147180-1-cgzones@googlemail.com (mailing list archive)
State Accepted
Headers show
Series libsepol: check for saturated class name length | expand

Commit Message

Christian Göttsche Jan. 6, 2022, 8:43 p.m. UTC
Check the from the polciy read length value to guard allocations.

In the fuzzer build the value will also be bounded to avoid oom reports.

    ==143646==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0xd60000000 bytes
        #0 0x4dac18 in __interceptor_calloc (./out/binpolicy-fuzzer+0x4dac18)
        #1 0x55d388 in scope_index_read ./libsepol/src/policydb.c:3945:7
        #2 0x550097 in avrule_decl_read ./libsepol/src/policydb.c:3984:6
        #3 0x550097 in avrule_block_read ./libsepol/src/policydb.c:4044:8
        #4 0x54b3ac in policydb_read ./libsepol/src/policydb.c:4456:7
        #5 0x518fd9 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:35:6
        #6 0x43f623 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (./out/binpolicy-fuzzer+0x43f623)
        #7 0x42910f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (./out/binpolicy-fuzzer+0x42910f)
        #8 0x42ee76 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (./out/binpolicy-fuzzer+0x42ee76)
        #9 0x458ff2 in main (./out/binpolicy-fuzzer+0x458ff2)
        #10 0x7fd37b7931c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Found by oss-fuzz (#42909)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsepol/src/policydb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

James Carter Jan. 12, 2022, 3:28 p.m. UTC | #1
On Fri, Jan 7, 2022 at 1:58 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Check the from the polciy read length value to guard allocations.
>
> In the fuzzer build the value will also be bounded to avoid oom reports.
>
>     ==143646==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0xd60000000 bytes
>         #0 0x4dac18 in __interceptor_calloc (./out/binpolicy-fuzzer+0x4dac18)
>         #1 0x55d388 in scope_index_read ./libsepol/src/policydb.c:3945:7
>         #2 0x550097 in avrule_decl_read ./libsepol/src/policydb.c:3984:6
>         #3 0x550097 in avrule_block_read ./libsepol/src/policydb.c:4044:8
>         #4 0x54b3ac in policydb_read ./libsepol/src/policydb.c:4456:7
>         #5 0x518fd9 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:35:6
>         #6 0x43f623 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (./out/binpolicy-fuzzer+0x43f623)
>         #7 0x42910f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (./out/binpolicy-fuzzer+0x42910f)
>         #8 0x42ee76 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (./out/binpolicy-fuzzer+0x42ee76)
>         #9 0x458ff2 in main (./out/binpolicy-fuzzer+0x458ff2)
>         #10 0x7fd37b7931c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
>
> Found by oss-fuzz (#42909)
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

Acked-by: James Carter <jwcart2@gmail.com>

> ---
>  libsepol/src/policydb.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
> index 79aba3af..562e044e 100644
> --- a/libsepol/src/policydb.c
> +++ b/libsepol/src/policydb.c
> @@ -3937,7 +3937,7 @@ static int scope_index_read(scope_index_t * scope_index,
>         if (rc < 0)
>                 return -1;
>         scope_index->class_perms_len = le32_to_cpu(buf[0]);
> -       if (scope_index->class_perms_len == 0) {
> +       if (zero_or_saturated(scope_index->class_perms_len)) {
>                 scope_index->class_perms_map = NULL;
>                 return 0;
>         }
> --
> 2.34.1
>
James Carter Jan. 18, 2022, 4:15 p.m. UTC | #2
On Wed, Jan 12, 2022 at 10:28 AM James Carter <jwcart2@gmail.com> wrote:
>
> On Fri, Jan 7, 2022 at 1:58 PM Christian Göttsche
> <cgzones@googlemail.com> wrote:
> >
> > Check the from the polciy read length value to guard allocations.
> >
> > In the fuzzer build the value will also be bounded to avoid oom reports.
> >
> >     ==143646==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0xd60000000 bytes
> >         #0 0x4dac18 in __interceptor_calloc (./out/binpolicy-fuzzer+0x4dac18)
> >         #1 0x55d388 in scope_index_read ./libsepol/src/policydb.c:3945:7
> >         #2 0x550097 in avrule_decl_read ./libsepol/src/policydb.c:3984:6
> >         #3 0x550097 in avrule_block_read ./libsepol/src/policydb.c:4044:8
> >         #4 0x54b3ac in policydb_read ./libsepol/src/policydb.c:4456:7
> >         #5 0x518fd9 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:35:6
> >         #6 0x43f623 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (./out/binpolicy-fuzzer+0x43f623)
> >         #7 0x42910f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (./out/binpolicy-fuzzer+0x42910f)
> >         #8 0x42ee76 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (./out/binpolicy-fuzzer+0x42ee76)
> >         #9 0x458ff2 in main (./out/binpolicy-fuzzer+0x458ff2)
> >         #10 0x7fd37b7931c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
> >
> > Found by oss-fuzz (#42909)
> >
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>
> Acked-by: James Carter <jwcart2@gmail.com>
>

Merged.
Jim

> > ---
> >  libsepol/src/policydb.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
> > index 79aba3af..562e044e 100644
> > --- a/libsepol/src/policydb.c
> > +++ b/libsepol/src/policydb.c
> > @@ -3937,7 +3937,7 @@ static int scope_index_read(scope_index_t * scope_index,
> >         if (rc < 0)
> >                 return -1;
> >         scope_index->class_perms_len = le32_to_cpu(buf[0]);
> > -       if (scope_index->class_perms_len == 0) {
> > +       if (zero_or_saturated(scope_index->class_perms_len)) {
> >                 scope_index->class_perms_map = NULL;
> >                 return 0;
> >         }
> > --
> > 2.34.1
> >
diff mbox series

Patch

diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index 79aba3af..562e044e 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -3937,7 +3937,7 @@  static int scope_index_read(scope_index_t * scope_index,
 	if (rc < 0)
 		return -1;
 	scope_index->class_perms_len = le32_to_cpu(buf[0]);
-	if (scope_index->class_perms_len == 0) {
+	if (zero_or_saturated(scope_index->class_perms_len)) {
 		scope_index->class_perms_map = NULL;
 		return 0;
 	}