From patchwork Sun Mar 14 20:16:46 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicolas Iooss X-Patchwork-Id: 12137959 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 993D7C433E6 for ; Sun, 14 Mar 2021 20:19:29 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 71B8E64EBD for ; Sun, 14 Mar 2021 20:19:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234014AbhCNUSW (ORCPT ); Sun, 14 Mar 2021 16:18:22 -0400 Received: from mx1.polytechnique.org ([129.104.30.34]:48188 "EHLO mx1.polytechnique.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233756AbhCNURp (ORCPT ); Sun, 14 Mar 2021 16:17:45 -0400 Received: from localhost.localdomain (85-168-38-217.rev.numericable.fr [85.168.38.217]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ssl.polytechnique.org (Postfix) with ESMTPSA id 576D45646B2 for ; Sun, 14 Mar 2021 21:17:44 +0100 (CET) 
From: Nicolas Iooss
To: selinux@vger.kernel.org
Subject: [PATCH 1/6] libsepol/cil: fix out-of-bound read of a file context pattern ending with "\"
Date: Sun, 14 Mar 2021 21:16:46 +0100
Message-Id: <20210314201651.474432-1-nicolas.iooss@m4x.org>
X-Mailer: git-send-email 2.30.2
X-Mailing-List: selinux@vger.kernel.org

OSS-Fuzz found a Heap-buffer-overflow in the CIL compiler when trying to
compile the following policy:

    (sid SID)
    (sidorder(SID))
    (filecon "\" any ())
    (filecon "" any ())

When cil_post_fc_fill_data() processes "\", it goes beyond the NUL
terminator of the string.

Fix this by returning when '\0' is read after a backslash.

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28484
Signed-off-by: Nicolas Iooss
---
 libsepol/cil/src/cil_post.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
index a55df1ea5bb0..5f9cf4efd242 100644
--- a/libsepol/cil/src/cil_post.c
+++ b/libsepol/cil/src/cil_post.c
@@ -179,6 +179,12 @@ void cil_post_fc_fill_data(struct fc_data *fc, char *path) break; case '\\': c++; + if (path[c] == '\0') { + if (!fc->meta) { + fc->stem_len++; + } + return; + } /* FALLTHRU */ default: if (!fc->meta) { From patchwork Sun Mar 14 20:16:47 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicolas Iooss X-Patchwork-Id: 12137967 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8046FC4332D for ; Sun, 14 Mar 2021 20:19:30 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 5AB8F64E6B for ; Sun, 14 Mar 2021 20:19:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234007AbhCNUSY (ORCPT ); Sun, 14 Mar 2021 16:18:24 -0400 Received: from mx1.polytechnique.org ([129.104.30.34]:56810 "EHLO mx1.polytechnique.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233760AbhCNURt (ORCPT ); Sun, 14 Mar 2021 16:17:49 -0400 Received: from localhost.localdomain (85-168-38-217.rev.numericable.fr [85.168.38.217]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ssl.polytechnique.org (Postfix) with ESMTPSA id 96F9C5646B0 for ; Sun, 14 Mar 2021 21:17:46 +0100 (CET) 
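Review bot: the early `return` in the new `case '\\':` block leaves `str_len` one short for a pattern that ends in a backslash, because it bypasses the `fc->str_len++` at the bottom of the loop that the `default:` path reaches, while `stem_len` is still bumped for the dangling backslash. If that asymmetry is intended (the trailing `\` escapes nothing, so it is not a real character), a one-line comment saying so would help the next reader; if it is not, add `fc->str_len++;` before the `return` so both counters are consistent with the `default:` case. A pattern ending in a lone `\` is also malformed as a regex, so it may be worth rejecting it with a cil_log error at the point where the filecon statement is parsed, rather than silently counting it as a one-character stem here.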
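To see what the patched scan computes on realistic patterns, including the two fuzzer inputs from the commit message, here is an added example that is not libsepol's code: a stand-alone re-implementation of the stem/length loop that cil_post_fc_fill_data() performs, with the trailing-backslash check from the hunk applied. The metacharacter set, the field types (taken from the follow-up patch in this series) and the `-1` return for a dangling backslash are assumptions of this example, not behaviour the hunk itself adds.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed layout, mirroring the "unsigned int / size_t" fields introduced
 * later in this series; not libsepol's own definition. */
struct fc_data {
	unsigned int meta;   /* becomes 1 once a regex metacharacter is seen */
	size_t stem_len;     /* literal prefix length before the first metacharacter */
	size_t str_len;      /* number of pattern characters consumed */
};

/* Re-implementation of the scan with the patched check.  Returns 0 for a
 * well-formed pattern and -1 when the pattern ends in an unescaped
 * backslash; the counters are filled in exactly as the patched loop
 * leaves them in either case. */
static int fc_fill_data(struct fc_data *fc, const char *path)
{
	size_t c = 0;

	fc->meta = 0;
	fc->stem_len = 0;
	fc->str_len = 0;

	while (path[c] != '\0') {
		switch (path[c]) {
		case '.': case '^': case '$': case '?': case '*':
		case '+': case '|': case '[': case '(': case '{':
			fc->meta = 1;
			break;
		case '\\':
			c++;
			/* The patched check: a backslash as the last byte must
			 * not step past the NUL terminator.  Without it, the
			 * default branch ran, c was advanced again, and the
			 * while condition read path[c] beyond the string. */
			if (path[c] == '\0') {
				if (!fc->meta) {
					fc->stem_len++;
				}
				return -1;
			}
			/* FALLTHRU: the escaped character is a literal */
		default:
			if (!fc->meta) {
				fc->stem_len++;
			}
			break;
		}
		fc->str_len++;
		c++;
	}
	return 0;
}

/* Small accessors so each result can be checked on its own. */
static size_t stem_len_of(const char *path)
{
	struct fc_data d;
	fc_fill_data(&d, path);
	return d.stem_len;
}

static size_t str_len_of(const char *path)
{
	struct fc_data d;
	fc_fill_data(&d, path);
	return d.str_len;
}

static unsigned int has_meta(const char *path)
{
	struct fc_data d;
	fc_fill_data(&d, path);
	return d.meta;
}

static int ends_in_backslash(const char *path)
{
	struct fc_data d;
	return fc_fill_data(&d, path) == -1;
}

int main(void)
{
	/* Constructed sample patterns: two ordinary ones, an escaped dot,
	 * and the two strings from the OSS-Fuzz reproducer. */
	const char *samples[] = { "/usr/bin/.*", "/etc/a\\.conf", "foo\\", "\\", "" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		struct fc_data d;
		int rc = fc_fill_data(&d, samples[i]);
		printf("%-14s meta=%u stem_len=%zu str_len=%zu%s\n", samples[i],
		       d.meta, d.stem_len, d.str_len,
		       rc ? " (dangling backslash)" : "");
	}
	return 0;
}
```

The lone `"\"` input now yields `stem_len == 1`, `str_len == 0` and a `-1` return instead of a read past the terminator; `"/etc/a\.conf"` shows that an escaped metacharacter counts as one literal stem character and does not set `meta`.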
From: Nicolas Iooss To: selinux@vger.kernel.org Subject: [PATCH 2/6] libsepol/cil: make cil_post_fc_fill_data static Date: Sun, 14 Mar 2021 21:16:47 +0100 Message-Id: <20210314201651.474432-2-nicolas.iooss@m4x.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210314201651.474432-1-nicolas.iooss@m4x.org> References: <20210314201651.474432-1-nicolas.iooss@m4x.org> MIME-Version: 1.0 X-AV-Checked: ClamAV using ClamSMTP at svoboda.polytechnique.org (Sun Mar 14 21:17:46 2021 +0100 (CET)) X-Org-Mail: nicolas.iooss.2010@polytechnique.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org cil_post_fc_fill_data() is not used outside of cil_post.c, and is not exported in libsepol.so. Make it static, in order to ease the analysis of static analyzers. While at it, make its path argument "const char*" and the fields of "struct fc_data" "unsigned int" or "size_t", in order to make the types better match the values. Signed-off-by: Nicolas Iooss Acked-by: James Carter --- libsepol/cil/src/cil_post.c | 11 +++++++++-- libsepol/cil/src/cil_post.h | 7 ------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c index 5f9cf4efd242..783929e50df8 100644 --- a/libsepol/cil/src/cil_post.c +++ b/libsepol/cil/src/cil_post.c @@ -27,6 +27,7 @@ * either expressed or implied, of Tresys Technology, LLC. */ +#include #include #include #include @@ -50,6 +51,12 @@ #define GEN_REQUIRE_ATTR "cil_gen_require" /* Also in libsepol/src/module_to_cil.c */ #define TYPEATTR_INFIX "_typeattr_" /* Also in libsepol/src/module_to_cil.c */ +struct fc_data { + unsigned int meta; + size_t stem_len; + size_t str_len; +}; + static int __cil_expr_to_bitmap(struct cil_list *expr, ebitmap_t *out, int max, struct cil_db *db); static int __cil_expr_list_to_bitmap(struct cil_list *expr_list, ebitmap_t *out, int max, struct cil_db *db); 
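Review bot: the `#include` added at the top of cil_post.c has lost its header name in this rendering, so it cannot be checked here; whichever header it is, `size_t` in the new `struct fc_data` needs <stddef.h> (or a header that pulls it in) before the struct definition. Moving the struct into cil_post.c and switching `stem_len` and `str_len` from `int` to `size_t` is fine as long as every comparison of those fields uses relational operators; any caller that derived an ordering with `a->stem_len - b->stem_len` would silently change behaviour now that the operands are unsigned, so that is worth a quick check of cil_post_filecon_compare before merging.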
@@ -156,9 +163,9 @@ static int cil_verify_is_list(struct cil_list *list, enum cil_flavor flavor) return CIL_TRUE; } -void cil_post_fc_fill_data(struct fc_data *fc, char *path) +static void cil_post_fc_fill_data(struct fc_data *fc, const char *path) { - int c = 0; + size_t c = 0; fc->meta = 0; fc->stem_len = 0; fc->str_len = 0; diff --git a/libsepol/cil/src/cil_post.h b/libsepol/cil/src/cil_post.h index 3d5415486b77..b1d2206f9ef6 100644 --- a/libsepol/cil/src/cil_post.h +++ b/libsepol/cil/src/cil_post.h 
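Review bot: making the function `static` with a `const char *path` is a good tightening, and with `c` now `size_t` the `path[c]` index and the `c++` in the backslash case are type-consistent; no forward declaration is needed as long as the definition stays above its first use in cil_post_filecon_compare. With the argument const, any caller that copies the pattern into a writable buffer only to pass it here no longer needs that copy; dropping it can be a follow-up.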
@@ -30,13 +30,6 @@ #ifndef CIL_POST_H_ #define CIL_POST_H_ -struct fc_data { - int meta; - int stem_len; - int str_len; -}; - -void cil_post_fc_fill_data(struct fc_data *fc, char *path); int cil_post_filecon_compare(const void *a, const void *b); int cil_post_ibpkeycon_compare(const void *a, const void *b); int cil_post_portcon_compare(const void *a, const void *b); From patchwork Sun Mar 14 20:16:48 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicolas Iooss X-Patchwork-Id: 12137963 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id B13B6C43381 for ; Sun, 14 Mar 2021 20:19:29 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 85AD264EB7 for ; Sun, 14 Mar 2021 20:19:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233886AbhCNUSX (ORCPT ); Sun, 14 Mar 2021 16:18:23 -0400 Received: from mx1.polytechnique.org ([129.104.30.34]:49133 "EHLO mx1.polytechnique.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233806AbhCNURt (ORCPT ); Sun, 14 Mar 2021 16:17:49 -0400 Received: from localhost.localdomain (85-168-38-217.rev.numericable.fr [85.168.38.217]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ssl.polytechnique.org (Postfix) with ESMTPSA id BB96D5646B0 for ; Sun, 14 Mar 2021 21:17:47 +0100 (CET) 
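Review bot: removing `struct fc_data` and the prototype from cil_post.h matches the commit message's claim that nothing outside cil_post.c uses them and that the symbol is not exported from libsepol.so, but the patch itself does not show how that was verified; a sentence in the commit message naming the check (a tree-wide search for `cil_post_fc_fill_data` and `fc_data`, and a look at the exported symbol list) would let the next reviewer confirm it without repeating the work.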
From: Nicolas Iooss
To: selinux@vger.kernel.org
Subject: [PATCH 3/6] libsepol/cil: remove stray printf
Date: Sun, 14 Mar 2021 21:16:48 +0100
Message-Id: <20210314201651.474432-3-nicolas.iooss@m4x.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20210314201651.474432-1-nicolas.iooss@m4x.org>
References: <20210314201651.474432-1-nicolas.iooss@m4x.org>
X-Mailing-List: selinux@vger.kernel.org

printf("%i\n", node->flavor); looks very much like a statement which was
added for debugging purposes and was unintentionally left.

Signed-off-by: Nicolas Iooss
Acked-by: James Carter
---
 libsepol/cil/src/cil_resolve_ast.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index 0e07856133e5..47cdf0e7c0b9 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -1088,7 +1088,6 @@ int cil_resolve_roletransition(struct cil_tree_node *current, void *extra_args) node = NODE(result_datum); if (node->flavor != CIL_ROLE) { rc = SEPOL_ERR; - printf("%i\n", node->flavor); cil_log(CIL_ERR, "roletransition must result in a role, but %s is a %s\n", roletrans->result_str, cil_node_to_string(node)); goto exit; } From patchwork Sun Mar 14 20:16:49 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicolas Iooss X-Patchwork-Id: 12137961 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5AFC5C433E9 for ; Sun, 14 Mar 2021 20:19:30 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 2534A64EB7 for ; Sun, 14 Mar 2021 20:19:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233988AbhCNUSX (ORCPT ); Sun, 14 Mar 2021 16:18:23 -0400 Received: from mx1.polytechnique.org ([129.104.30.34]:48312 "EHLO mx1.polytechnique.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233886AbhCNURv (ORCPT ); Sun, 14 Mar 2021 16:17:51 -0400 Received: from localhost.localdomain (85-168-38-217.rev.numericable.fr [85.168.38.217]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ssl.polytechnique.org (Postfix) with ESMTPSA id C862D5646B0 for ; Sun, 14 Mar 2021 21:17:49 +0100 (CET) 
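Review bot: dropping the bare `printf` is right; beyond being a leftover debugging line, it wrote to stdout rather than through cil_log, so a tool that emits its own output on stdout could have had a stray integer interleaved into it. The `cil_log` call that follows already reports the node's kind through cil_node_to_string, so no diagnostic information is lost by the removal.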
From: Nicolas Iooss To: selinux@vger.kernel.org Subject: [PATCH 4/6] libsepol/cil: replace printf with proper cil_tree_log Date: Sun, 14 Mar 2021 21:16:49 +0100 Message-Id: <20210314201651.474432-4-nicolas.iooss@m4x.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210314201651.474432-1-nicolas.iooss@m4x.org> References: <20210314201651.474432-1-nicolas.iooss@m4x.org> MIME-Version: 1.0 X-AV-Checked: ClamAV using ClamSMTP at svoboda.polytechnique.org (Sun Mar 14 21:17:50 2021 +0100 (CET)) X-Org-Mail: nicolas.iooss.2010@polytechnique.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org All functions of the CIL compiler use cil_log or cil_tree_log to report errors, but in two places which still uses printf. Replace these printf invocation with cil_tree_log. Signed-off-by: Nicolas Iooss Acked-by: James Carter --- libsepol/cil/src/cil_resolve_ast.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c index 47cdf0e7c0b9..2ea106d63505 100644 --- a/libsepol/cil/src/cil_resolve_ast.c +++ b/libsepol/cil/src/cil_resolve_ast.c @@ -2497,7 +2497,7 @@ int cil_resolve_in(struct cil_tree_node *current, void *extra_args) rc = cil_copy_ast(db, current, block_node); if (rc != SEPOL_OK) { - printf("Failed to copy in, rc: %d\n", rc); + cil_tree_log(current, CIL_ERR, "Failed to copy in-statement"); goto exit; } 
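Review bot: the replacement message drops the numeric `rc` that the old printf printed; if cil_copy_ast does not log the underlying cause itself, keeping `rc` in the cil_tree_log message (for example "Failed to copy in-statement (rc: %d)") preserves the one clue the old line gave. Two wording fixes for the commit message: "in two places which still uses printf" should read "use", and "these printf invocation" should be "invocations".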
@@ -2788,7 +2788,7 @@ int cil_resolve_call1(struct cil_tree_node *current, void *extra_args) macro_node = NODE(macro_datum); if (macro_node->flavor != CIL_MACRO) { - printf("Failed to resolve %s to a macro\n", new_call->macro_str); + cil_tree_log(current, CIL_ERR, "Failed to resolve %s to a macro", new_call->macro_str); rc = SEPOL_ERR; goto exit; } From patchwork Sun Mar 14 20:16:50 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicolas Iooss X-Patchwork-Id: 12137965 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6F7D4C4332B for ; Sun, 14 Mar 2021 20:19:30 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 3B2A764EBD for ; Sun, 14 Mar 2021 20:19:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233760AbhCNUSY (ORCPT ); Sun, 14 Mar 2021 16:18:24 -0400 Received: from mx1.polytechnique.org ([129.104.30.34]:49232 "EHLO mx1.polytechnique.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233959AbhCNURw (ORCPT ); Sun, 14 Mar 2021 16:17:52 -0400 Received: from localhost.localdomain (85-168-38-217.rev.numericable.fr [85.168.38.217]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ssl.polytechnique.org (Postfix) with ESMTPSA id EACCD5646B0 for ; Sun, 14 Mar 2021 21:17:50 +0100 (CET) 
From: Nicolas Iooss
To: selinux@vger.kernel.org
Subject: [PATCH 5/6] libsepol/cil: fix NULL pointer dereference in __cil_insert_name
Date: Sun, 14 Mar 2021 21:16:50 +0100
Message-Id: <20210314201651.474432-5-nicolas.iooss@m4x.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20210314201651.474432-1-nicolas.iooss@m4x.org>
References: <20210314201651.474432-1-nicolas.iooss@m4x.org>
X-Mailing-List: selinux@vger.kernel.org

OSS-Fuzz found a Null-dereference in __cil_insert_name when trying to
compile the following policy:

    (macro MACRO ()
        (classmap CLASS (PERM))
        (type TYPE)
        (typetransition TYPE TYPE CLASS "name" TYPE)
    )
    (call MACRO)

When using a macro with no argument, macro->params is NULL and
cil_list_for_each(item, macro->params) dereferenced a NULL pointer.

Fix this by checking that macro->params is not NULL before using it.

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28565
Signed-off-by: Nicolas Iooss
Acked-by: James Carter
---
 libsepol/cil/src/cil_resolve_ast.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index 2ea106d63505..63beed9230b9 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -82,7 +82,7 @@ static struct cil_name * __cil_insert_name(struct cil_db *db, hashtab_key_t key, } else if (parent->flavor == CIL_MACRO) { macro = parent->data; } - if (macro != NULL) { + if (macro != NULL && macro->params != NULL) { struct cil_list_item *item; cil_list_for_each(item, macro->params) { if (((struct cil_param*)item->data)->str == key) { From patchwork Sun Mar 14 20:16:51 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicolas Iooss X-Patchwork-Id: 12137969 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A2A3FC4332E for ; Sun, 14 Mar 2021 20:19:30 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 7E6AC64EBD for ; Sun, 14 Mar 2021 20:19:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233959AbhCNUSZ (ORCPT ); Sun, 14 Mar 2021 16:18:25 -0400 Received: from mx1.polytechnique.org ([129.104.30.34]:48312 "EHLO mx1.polytechnique.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233985AbhCNURx (ORCPT ); Sun, 14 Mar 2021 16:17:53 -0400 Received: from localhost.localdomain (85-168-38-217.rev.numericable.fr [85.168.38.217]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ssl.polytechnique.org (Postfix) with ESMTPSA id 665A05646B4 for ; Sun, 14 Mar 2021 21:17:52 +0100 (CET) 
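Review bot: guarding on `macro->params != NULL` fixes the crash at this site, but if a macro declared with `()` leaves `params` NULL rather than an empty list, every other `cil_list_for_each(item, macro->params)` in the resolver is exposed to the same input; it is worth either auditing those sites in the same series or making `cil_list_for_each` treat a NULL list as empty, so the fix is central rather than per call site. A regression test built from the policy in the commit message would also let the CIL test suite catch a reintroduction.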
From: Nicolas Iooss To: selinux@vger.kernel.org Subject: [PATCH 6/6] libsepol/cil: do not leak avrulex_ioctl_table memory when an error occurs Date: Sun, 14 Mar 2021 21:16:51 +0100 Message-Id: <20210314201651.474432-6-nicolas.iooss@m4x.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210314201651.474432-1-nicolas.iooss@m4x.org> References: <20210314201651.474432-1-nicolas.iooss@m4x.org> MIME-Version: 1.0 X-AV-Checked: ClamAV using ClamSMTP at svoboda.polytechnique.org (Sun Mar 14 21:17:52 2021 +0100 (CET)) X-Org-Mail: nicolas.iooss.2010@polytechnique.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org OSS-Fuzz found a memory leak when trying to compile the following policy: (class CLASS (PERM ioctl)) (classorder (CLASS)) (sid SID) (sidorder (SID)) (user USER) (role ROLE) (type TYPE) (category CAT) (categoryorder (CAT)) (sensitivity SENS) (sensitivityorder (SENS)) (sensitivitycategory SENS (CAT)) (allow TYPE self (CLASS (PERM))) (roletype ROLE TYPE) (userrole USER ROLE) (userlevel USER (SENS)) (userrange USER ((SENS)(SENS (CAT)))) (sidcontext SID (USER ROLE TYPE ((SENS)(SENS)))) (permissionx ioctl_test (ioctl CLASS (and (range 0x1600 0x19FF) (not (range 0x1750 0x175F))))) (allowx TYPE TYPE ioctl_test) (boolean BOOLEAN false) (booleanif (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and 
(not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (eq BOOLEAN BOOLEAN) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) (true (allow TYPE TYPE (CLASS (PERM))) ) ) When the CIL compiler reports "Conditional expression exceeded max allowable depth" because of the loooooong expression in the booleanif statement, cil_binary_create_allocated_pdb returns without freeing the memory which was allocated to store the keys and values of hash table avrulex_ioctl_table. Fix this by moving the freeing logic to a dedicated destructor function and calling it in the exit block of cil_binary_create_allocated_pdb. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28618 Signed-off-by: Nicolas Iooss Acked-by: James Carter --- libsepol/cil/src/cil_binary.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c index f80d84679f85..18532aad9801 100644 
--- a/libsepol/cil/src/cil_binary.c +++ b/libsepol/cil/src/cil_binary.c @@ -1668,14 +1668,6 @@ exit: } cil_list_destroy(&xperms_list, CIL_FALSE); } - - // hashtab_t does not have a way to free keys or datum since it doesn't - // know what they are. We won't need the keys/datum after this function, so - // clean them up here. - free(avtab_key); - ebitmap_destroy(datum); - free(datum); - return rc; } @@ -1885,6 +1877,15 @@ exit: return rc; } +static int __cil_avrulex_ioctl_destroy(hashtab_key_t k, hashtab_datum_t datum, __attribute__((unused)) void *args) +{ + free(k); + ebitmap_destroy(datum); + free(datum); + + return SEPOL_OK; +} + int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unused)) uint32_t *finished, void *extra_args) { int rc; @@ -5037,6 +5038,7 @@ int cil_binary_create_allocated_pdb(const struct cil_db *db, sepol_policydb_t *p exit: hashtab_destroy(role_trans_table); + hashtab_map(avrulex_ioctl_table, __cil_avrulex_ioctl_destroy, NULL); hashtab_destroy(avrulex_ioctl_table); free(type_value_to_cil); free(class_value_to_cil);
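Review bot: the first hunk removes the unconditional `free(avtab_key)`, `ebitmap_destroy(datum)` and `free(datum)` from the exit block of the hashtab_map callback, so that callback must no longer be the last user of a table entry on any path; that holds only if its sole caller is cil_binary_create_allocated_pdb, whose `exit:` block now runs the new `__cil_avrulex_ioctl_destroy` through `hashtab_map` before `hashtab_destroy`, so a sentence in the commit message confirming there is no other caller would close that question. For the third hunk, two things to confirm: that `hashtab_map` tolerates a NULL table the way `hashtab_destroy` does, if `exit:` can be reached before `avrulex_ioctl_table` is created, and that no error path between table creation and `exit:` already frees a key or datum it inserted, which would now become a double free. In the second hunk, an explicit `(ebitmap_t *)` cast on `datum` before `ebitmap_destroy` would document the intended type, even though `hashtab_datum_t` converts implicitly.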