| Message ID | 20240311124832.2659731-1-jwcart2@gmail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | c205b924e280 |
| Delegated to: | Petr Lautrbach |
| Headers | show |
| Series | libsepol: Fix buffer overflow when using sepol_av_to_string() | expand |
On Mon, 11 Mar 2024 at 13:48, James Carter <jwcart2@gmail.com> wrote: > > The function sepol_av_to_string() returns a list of permissions > with a space at the beginning. This fits the normal formating of > permisisons for a policy.conf policy which uses a format of > "{ p1 p2 ... pn }", but not the formating for a CIL policy which uses > a format of "(p1 p2 ... pn)". Both kernel_to_cil and module_to_cil > skip the space by using "perms+1", but this is a problem if there > are no permissions because sepol_av_to_string() returns '\0'. > > In kernel_to_cil and module_to_cil, check for the permission string > being '\0' and return an error if it is. > > Reported-by: oss-fuzz (issue 67276) > Signed-off-by: James Carter <jwcart2@gmail.com> > --- > libsepol/src/kernel_to_cil.c | 11 +++++++++++ > libsepol/src/module_to_cil.c | 12 ++++++++++++ I think there are also two occurrences in libsepol/src/kernel_to_conf.c. Also: s/permisisons/permissions/ > 2 files changed, 23 insertions(+) > > diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c > index a081915e..e20ba4af 100644 > --- a/libsepol/src/kernel_to_cil.c > +++ b/libsepol/src/kernel_to_cil.c > @@ -302,6 +302,12 @@ static int class_constraint_rules_to_strs(struct policydb *pdb, char *classkey, > rc = -1; > goto exit; > } > + if (*perms == '\0') { > + ERR(NULL, "No permisisons in permission string"); > + free(perms); > + rc = -1; > + goto exit; > + } > > if (is_mls) { > key_word = "mlsconstrain"; > @@ -1775,6 +1781,11 @@ static char *avtab_node_to_str(struct policydb *pdb, avtab_key_t *key, avtab_dat > ERR(NULL, "Failed to generate permission string"); > goto exit; > } > + if (*perms == '\0') { > + ERR(NULL, "No permisisons in permission string"); > + free(perms); > + goto exit; > + } > rule = create_str("(%s %s %s (%s (%s)))", > flavor, src, tgt, class, perms+1); > free(perms); > diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c > index 6699a46b..3b3480bf 100644 > --- a/libsepol/src/module_to_cil.c > +++ b/libsepol/src/module_to_cil.c > @@ -593,6 +593,12 @@ static int avrule_to_cil(int indent, struct policydb *pdb, uint32_t type, const > rc = -1; > goto exit; > } > + if (*perms == '\0') { > + ERR(NULL, "No permissions in permission string"); > + free(perms); > + rc = -1; > + goto exit; > + } > cil_println(indent, "(%s %s %s (%s (%s)))", > rule, src, tgt, > pdb->p_class_val_to_name[classperm->tclass - 1], > @@ -1973,6 +1979,12 @@ static int constraints_to_cil(int indent, struct policydb *pdb, char *classkey, > rc = -1; > goto exit; > } > + if (*perms == '\0') { > + ERR(NULL, "No permissions in permission string"); > + free(perms); > + rc = -1; > + goto exit; > + } > cil_println(indent, "(%sconstrain (%s (%s)) %s)", mls, classkey, perms + 1, expr); > free(perms); > } else { > -- > 2.44.0 > >
On Mon, Mar 11, 2024 at 9:48 AM Christian Göttsche <cgzones@googlemail.com> wrote: > > On Mon, 11 Mar 2024 at 13:48, James Carter <jwcart2@gmail.com> wrote: > > > > The function sepol_av_to_string() returns a list of permissions > > with a space at the beginning. This fits the normal formating of > > permisisons for a policy.conf policy which uses a format of > > "{ p1 p2 ... pn }", but not the formating for a CIL policy which uses > > a format of "(p1 p2 ... pn)". Both kernel_to_cil and module_to_cil > > skip the space by using "perms+1", but this is a problem if there > > are no permissions because sepol_av_to_string() returns '\0'. > > > > In kernel_to_cil and module_to_cil, check for the permission string > > being '\0' and return an error if it is. > > > > Reported-by: oss-fuzz (issue 67276) > > Signed-off-by: James Carter <jwcart2@gmail.com> > > --- > > libsepol/src/kernel_to_cil.c | 11 +++++++++++ > > libsepol/src/module_to_cil.c | 12 ++++++++++++ > > I think there are also two occurrences in libsepol/src/kernel_to_conf.c. > > Also: s/permisisons/permissions/ > Thanks, I was thinking that it was just a CIL problem. Jim > > 2 files changed, 23 insertions(+) > > > > diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c > > index a081915e..e20ba4af 100644 > > --- a/libsepol/src/kernel_to_cil.c > > +++ b/libsepol/src/kernel_to_cil.c > > @@ -302,6 +302,12 @@ static int class_constraint_rules_to_strs(struct policydb *pdb, char *classkey, > > rc = -1; > > goto exit; > > } > > + if (*perms == '\0') { > > + ERR(NULL, "No permisisons in permission string"); > > + free(perms); > > + rc = -1; > > + goto exit; > > + } > > > > if (is_mls) { > > key_word = "mlsconstrain"; > > @@ -1775,6 +1781,11 @@ static char *avtab_node_to_str(struct policydb *pdb, avtab_key_t *key, avtab_dat > > ERR(NULL, "Failed to generate permission string"); > > goto exit; > > } > > + if (*perms == '\0') { > > + ERR(NULL, "No permisisons in permission string"); > > + free(perms); > > + goto exit; > > + } > > rule = create_str("(%s %s %s (%s (%s)))", > > flavor, src, tgt, class, perms+1); > > free(perms); > > diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c > > index 6699a46b..3b3480bf 100644 > > --- a/libsepol/src/module_to_cil.c > > +++ b/libsepol/src/module_to_cil.c > > @@ -593,6 +593,12 @@ static int avrule_to_cil(int indent, struct policydb *pdb, uint32_t type, const > > rc = -1; > > goto exit; > > } > > + if (*perms == '\0') { > > + ERR(NULL, "No permissions in permission string"); > > + free(perms); > > + rc = -1; > > + goto exit; > > + } > > cil_println(indent, "(%s %s %s (%s (%s)))", > > rule, src, tgt, > > pdb->p_class_val_to_name[classperm->tclass - 1], > > @@ -1973,6 +1979,12 @@ static int constraints_to_cil(int indent, struct policydb *pdb, char *classkey, > > rc = -1; > > goto exit; > > } > > + if (*perms == '\0') { > > + ERR(NULL, "No permissions in permission string"); > > + free(perms); > > + rc = -1; > > + goto exit; > > + } > > cil_println(indent, "(%sconstrain (%s (%s)) %s)", mls, classkey, perms + 1, expr); > > free(perms); > > } else { > > -- > > 2.44.0 > > > >
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c index a081915e..e20ba4af 100644 --- a/libsepol/src/kernel_to_cil.c +++ b/libsepol/src/kernel_to_cil.c @@ -302,6 +302,12 @@ static int class_constraint_rules_to_strs(struct policydb *pdb, char *classkey, rc = -1; goto exit; } + if (*perms == '\0') { + ERR(NULL, "No permisisons in permission string"); + free(perms); + rc = -1; + goto exit; + } if (is_mls) { key_word = "mlsconstrain"; @@ -1775,6 +1781,11 @@ static char *avtab_node_to_str(struct policydb *pdb, avtab_key_t *key, avtab_dat ERR(NULL, "Failed to generate permission string"); goto exit; } + if (*perms == '\0') { + ERR(NULL, "No permisisons in permission string"); + free(perms); + goto exit; + } rule = create_str("(%s %s %s (%s (%s)))", flavor, src, tgt, class, perms+1); free(perms); diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index 6699a46b..3b3480bf 100644 --- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c @@ -593,6 +593,12 @@ static int avrule_to_cil(int indent, struct policydb *pdb, uint32_t type, const rc = -1; goto exit; } + if (*perms == '\0') { + ERR(NULL, "No permissions in permission string"); + free(perms); + rc = -1; + goto exit; + } cil_println(indent, "(%s %s %s (%s (%s)))", rule, src, tgt, pdb->p_class_val_to_name[classperm->tclass - 1], @@ -1973,6 +1979,12 @@ static int constraints_to_cil(int indent, struct policydb *pdb, char *classkey, rc = -1; goto exit; } + if (*perms == '\0') { + ERR(NULL, "No permissions in permission string"); + free(perms); + rc = -1; + goto exit; + } cil_println(indent, "(%sconstrain (%s (%s)) %s)", mls, classkey, perms + 1, expr); free(perms); } else {
The function sepol_av_to_string() returns a list of permissions with a space at the beginning. This fits the normal formating of permisisons for a policy.conf policy which uses a format of "{ p1 p2 ... pn }", but not the formating for a CIL policy which uses a format of "(p1 p2 ... pn)". Both kernel_to_cil and module_to_cil skip the space by using "perms+1", but this is a problem if there are no permissions because sepol_av_to_string() returns '\0'. In kernel_to_cil and module_to_cil, check for the permission string being '\0' and return an error if it is. Reported-by: oss-fuzz (issue 67276) Signed-off-by: James Carter <jwcart2@gmail.com> --- libsepol/src/kernel_to_cil.c | 11 +++++++++++ libsepol/src/module_to_cil.c | 12 ++++++++++++ 2 files changed, 23 insertions(+)