From patchwork Thu Dec 7 16:53:19 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 13483666 X-Patchwork-Delegate: plautrba@redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=googlemail.com header.i=@googlemail.com header.b="Prm84jT6" Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com [IPv6:2a00:1450:4864:20::52f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DD9F81704 for ; Thu, 7 Dec 2023 08:53:27 -0800 (PST) Received: by mail-ed1-x52f.google.com with SMTP id 4fb4d7f45d1cf-54dcfca54e0so1130220a12.1 for ; Thu, 07 Dec 2023 08:53:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20230601; t=1701968006; x=1702572806; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:from:to:cc:subject:date:message-id:reply-to; bh=DYJX8rbnHUVlWgN4hVuJTqWt7cSG1tCoTM2aUHd6lZs=; b=Prm84jT6kxXTWlW/yFKwoe6vnyt5KZvNFyqfJYJHs3sOex5ejvG9YPTHn2KqK2eu3l tC4xclpQS4obO7IVJrEAk0pQDvJ+8pbGEVXsT7Wp5QHC7AIF09txzTHH9pyYWUdyqea2 n61TxIQNoPXjdU717Opa7pX6h8OwXB/AcClOVfR1/Urq7R+r7woyGuhZbNxq13ScM7ov ZV2FRNuwWgyVJ1Pln59h9rCJYEougNq982WsDbAcEzrO4uNtBZoSuOFpFqX6MyISM6n6 m/aNcRQ1bdVjX+lp8zz3cMGqAivnWG3mWwfKcJG2csfngBe+krMj7VRZJpmSyk6NQE/n Dbwg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701968006; x=1702572806; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=DYJX8rbnHUVlWgN4hVuJTqWt7cSG1tCoTM2aUHd6lZs=; b=nAclYJRF5is8Rr1R50oqJCR9xqw8L5sVuAnwKIB2ok12P+IqvokTliX+7oNh80wz6c ztVZTy9IsKNU2OafVMsCG5vL/kZg7h7OR8r2TzUlsDZPcEV0p+HX7mMq7uVGeMzEbM1X b+BPO61U3CN5lxkUSSGBrexXjgArg2Axxou8cuOe4hVv4UzYv70tffLgrtb9KmvD9Ox9 L+hHNsiUiaGKxeh53rbCGNZNJLBGeQZemKC6p6ixGRDIUPXHNcIzEdKAr9Rrmkhd3k2Y bck33fBAuuXkq5Rf9z0zRF4c5wCH5ICkiWD6mahsJ5tEZQF3dRCjhbMIQm03w7TZMV7t cj9g== X-Gm-Message-State: AOJu0YxfA+G4RSDbk0csuiefP1iq2rn/4XnRDZ8qTrzHHxMwPD+yiLRt WDrM+3qJx32cW2DXIpI48h0x95rTVrA= X-Google-Smtp-Source: AGHT+IGfnlf8cJXjqM1Je7pmLzYEzp4RFz1H1was6mAN8hJt6HvcobM/wlFZVs07zVPHknStWNtn5w== X-Received: by 2002:a17:906:454:b0:a1c:566d:fe50 with SMTP id e20-20020a170906045400b00a1c566dfe50mr2116187eja.47.1701968006111; Thu, 07 Dec 2023 08:53:26 -0800 (PST) Received: from debian_development.DebianHome (dynamic-077-010-172-210.77.10.pool.telefonica.de. [77.10.172.210]) by smtp.gmail.com with ESMTPSA id jg13-20020a170907970d00b009fcb10eecb2sm1030276ejc.84.2023.12.07.08.53.25 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 07 Dec 2023 08:53:25 -0800 (PST) From: =?utf-8?q?Christian_G=C3=B6ttsche?= To: selinux@vger.kernel.org Subject: [RFC PATCH] libsepol: validate permission identifier length Date: Thu, 7 Dec 2023 17:53:19 +0100 Message-ID: <20231207165319.63889-1-cgzones@googlemail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: selinux@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Limit the maximum length of permission identifiers. Otherwise formatting an access vector might fail in the common used helper sepol_av_to_string(). The current longest permission within the Reference Policy is x_application_data { paste_after_confirm } with a length of 19. Reported-by: oss-fuzz (issue 64832) Signed-off-by: Christian Göttsche --- The oss-fuzz issue got closed by the latest fuzzer updates (due to unrelated changes that invalid the current reproducer), but the issue is still valid. --- libsepol/src/policydb_validate.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c index bd8e9f8f..72681120 100644 --- a/libsepol/src/policydb_validate.c +++ b/libsepol/src/policydb_validate.c @@ -366,12 +366,30 @@ bad: return -1; } +static int validate_permission_wrapper(hashtab_key_t k, __attribute__((unused)) hashtab_datum_t d, void *args) +{ + sepol_handle_t *handle = args; + const char *name = k; + size_t len = strlen(name); + + if (len == 0 || len >= 32) + goto bad; + + return 0; + +bad: + ERR(handle, "Invalid permission"); + return -1; +} + static int validate_common_datum(sepol_handle_t *handle, const common_datum_t *common, validate_t flavors[]) { if (validate_value(common->s.value, &flavors[SYM_COMMONS])) goto bad; if (common->permissions.table->nel == 0 || common->permissions.nprim > PERM_SYMTAB_SIZE) goto bad; + if (hashtab_map(common->permissions.table, validate_permission_wrapper, handle)) + goto bad; return 0; @@ -395,6 +413,8 @@ static int validate_class_datum(sepol_handle_t *handle, const class_datum_t *cla goto bad; if (class->permissions.nprim > PERM_SYMTAB_SIZE) goto bad; + if (hashtab_map(class->permissions.table, validate_permission_wrapper, handle)) + goto bad; if (validate_constraint_nodes(handle, class->permissions.nprim, class->constraints, flavors)) goto bad; if (validate_constraint_nodes(handle, 0, class->validatetrans, flavors))