-
Notifications
You must be signed in to change notification settings - Fork 360
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
libsemanage: Support overriding Makefile RANLIB #14
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
fishilico
added a commit
to fishilico/selinux
that referenced
this pull request
Feb 4, 2021
OSS-Fuzz found a Null-dereference READ in the CIL compiler when trying to compile the following policy: (macro m((name n))) (call m(())) When calling the macro, the name (in variable "pc") is NULL, which triggers a NULL pointer dereference when using it as a key in __cil_insert_name(). The stack trace is: #0 0x7f4662655a85 in __strlen_avx2 (/usr/lib/libc.so.6+0x162a85) SELinuxProject#1 0x556d0b6d150c in __interceptor_strlen.part.0 (/selinux/libsepol/fuzz/fuzz-secilc+0x44850c) SELinuxProject#2 0x556d0ba74ed6 in symhash /selinux/libsepol/src/symtab.c:22:9 SELinuxProject#3 0x556d0b9ef50d in hashtab_search /selinux/libsepol/src/hashtab.c:186:11 SELinuxProject#4 0x556d0b928e1f in cil_symtab_get_datum /selinux/libsepol/src/../cil/src/cil_symtab.c:121:37 SELinuxProject#5 0x556d0b8f28f4 in __cil_insert_name /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:96:2 SELinuxProject#6 0x556d0b908184 in cil_resolve_call1 /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:2835:12 SELinuxProject#7 0x556d0b91b404 in __cil_resolve_ast_node /selinux/libsepol/src/../cil/src/cil_resolve_ast.c SELinuxProject#8 0x556d0b91380f in __cil_resolve_ast_node_helper /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:3773:7 SELinuxProject#9 0x556d0b932230 in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:263:9 SELinuxProject#10 0x556d0b932230 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:307:7 SELinuxProject#11 0x556d0b932326 in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:275:9 SELinuxProject#12 0x556d0b932326 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:307:7 SELinuxProject#13 0x556d0b911189 in cil_resolve_ast /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:3941:8 SELinuxProject#14 0x556d0b798729 in cil_compile /selinux/libsepol/src/../cil/src/cil.c:550:7 Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28544 Signed-off-by: Nicolas Iooss <[email protected]>
fishilico
added a commit
to fishilico/selinux
that referenced
this pull request
Feb 5, 2021
OSS-Fuzz found a Null-dereference READ in the CIL compiler when trying to compile the following policy: (macro m((name n))) (call m(())) When calling the macro, the name (in variable "pc") is NULL, which triggers a NULL pointer dereference when using it as a key in __cil_insert_name(). The stack trace is: #0 0x7f4662655a85 in __strlen_avx2 (/usr/lib/libc.so.6+0x162a85) SELinuxProject#1 0x556d0b6d150c in __interceptor_strlen.part.0 (/selinux/libsepol/fuzz/fuzz-secilc+0x44850c) SELinuxProject#2 0x556d0ba74ed6 in symhash /selinux/libsepol/src/symtab.c:22:9 SELinuxProject#3 0x556d0b9ef50d in hashtab_search /selinux/libsepol/src/hashtab.c:186:11 SELinuxProject#4 0x556d0b928e1f in cil_symtab_get_datum /selinux/libsepol/src/../cil/src/cil_symtab.c:121:37 SELinuxProject#5 0x556d0b8f28f4 in __cil_insert_name /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:96:2 SELinuxProject#6 0x556d0b908184 in cil_resolve_call1 /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:2835:12 SELinuxProject#7 0x556d0b91b404 in __cil_resolve_ast_node /selinux/libsepol/src/../cil/src/cil_resolve_ast.c SELinuxProject#8 0x556d0b91380f in __cil_resolve_ast_node_helper /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:3773:7 SELinuxProject#9 0x556d0b932230 in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:263:9 SELinuxProject#10 0x556d0b932230 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:307:7 SELinuxProject#11 0x556d0b932326 in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:275:9 SELinuxProject#12 0x556d0b932326 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:307:7 SELinuxProject#13 0x556d0b911189 in cil_resolve_ast /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:3941:8 SELinuxProject#14 0x556d0b798729 in cil_compile /selinux/libsepol/src/../cil/src/cil.c:550:7 Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28544 Signed-off-by: Nicolas Iooss <[email protected]>
fishilico
added a commit
to fishilico/selinux
that referenced
this pull request
Feb 5, 2021
OSS-Fuzz found a Null-dereference READ in the CIL compiler when trying to compile the following policy: (macro m((name n))) (call m(())) When calling the macro, the name (in variable "pc") is NULL, which triggers a NULL pointer dereference when using it as a key in __cil_insert_name(). The stack trace is: #0 0x7f4662655a85 in __strlen_avx2 (/usr/lib/libc.so.6+0x162a85) SELinuxProject#1 0x556d0b6d150c in __interceptor_strlen.part.0 (/selinux/libsepol/fuzz/fuzz-secilc+0x44850c) SELinuxProject#2 0x556d0ba74ed6 in symhash /selinux/libsepol/src/symtab.c:22:9 SELinuxProject#3 0x556d0b9ef50d in hashtab_search /selinux/libsepol/src/hashtab.c:186:11 SELinuxProject#4 0x556d0b928e1f in cil_symtab_get_datum /selinux/libsepol/src/../cil/src/cil_symtab.c:121:37 SELinuxProject#5 0x556d0b8f28f4 in __cil_insert_name /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:96:2 SELinuxProject#6 0x556d0b908184 in cil_resolve_call1 /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:2835:12 SELinuxProject#7 0x556d0b91b404 in __cil_resolve_ast_node /selinux/libsepol/src/../cil/src/cil_resolve_ast.c SELinuxProject#8 0x556d0b91380f in __cil_resolve_ast_node_helper /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:3773:7 SELinuxProject#9 0x556d0b932230 in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:263:9 SELinuxProject#10 0x556d0b932230 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:307:7 SELinuxProject#11 0x556d0b932326 in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:275:9 SELinuxProject#12 0x556d0b932326 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:307:7 SELinuxProject#13 0x556d0b911189 in cil_resolve_ast /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:3941:8 SELinuxProject#14 0x556d0b798729 in cil_compile /selinux/libsepol/src/../cil/src/cil.c:550:7 Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28544 Signed-off-by: Nicolas Iooss <[email protected]>
fishilico
added a commit
to fishilico/selinux
that referenced
this pull request
Feb 16, 2021
OSS-Fuzz found a Null-dereference READ in the CIL compiler when trying to compile the following policy: (macro m((name n))) (call m(())) When calling the macro, the name (in variable "pc") is NULL, which triggers a NULL pointer dereference when using it as a key in __cil_insert_name(). The stack trace is: #0 0x7f4662655a85 in __strlen_avx2 (/usr/lib/libc.so.6+0x162a85) SELinuxProject#1 0x556d0b6d150c in __interceptor_strlen.part.0 (/selinux/libsepol/fuzz/fuzz-secilc+0x44850c) SELinuxProject#2 0x556d0ba74ed6 in symhash /selinux/libsepol/src/symtab.c:22:9 SELinuxProject#3 0x556d0b9ef50d in hashtab_search /selinux/libsepol/src/hashtab.c:186:11 SELinuxProject#4 0x556d0b928e1f in cil_symtab_get_datum /selinux/libsepol/src/../cil/src/cil_symtab.c:121:37 SELinuxProject#5 0x556d0b8f28f4 in __cil_insert_name /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:96:2 SELinuxProject#6 0x556d0b908184 in cil_resolve_call1 /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:2835:12 SELinuxProject#7 0x556d0b91b404 in __cil_resolve_ast_node /selinux/libsepol/src/../cil/src/cil_resolve_ast.c SELinuxProject#8 0x556d0b91380f in __cil_resolve_ast_node_helper /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:3773:7 SELinuxProject#9 0x556d0b932230 in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:263:9 SELinuxProject#10 0x556d0b932230 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:307:7 SELinuxProject#11 0x556d0b932326 in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:275:9 SELinuxProject#12 0x556d0b932326 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:307:7 SELinuxProject#13 0x556d0b911189 in cil_resolve_ast /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:3941:8 SELinuxProject#14 0x556d0b798729 in cil_compile /selinux/libsepol/src/../cil/src/cil.c:550:7 Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28544 Signed-off-by: Nicolas Iooss <[email protected]>
jwcart2
pushed a commit
that referenced
this pull request
Feb 16, 2021
OSS-Fuzz found a Null-dereference READ in the CIL compiler when trying to compile the following policy: (macro m((name n))) (call m(())) When calling the macro, the name (in variable "pc") is NULL, which triggers a NULL pointer dereference when using it as a key in __cil_insert_name(). The stack trace is: #0 0x7f4662655a85 in __strlen_avx2 (/usr/lib/libc.so.6+0x162a85) #1 0x556d0b6d150c in __interceptor_strlen.part.0 (/selinux/libsepol/fuzz/fuzz-secilc+0x44850c) #2 0x556d0ba74ed6 in symhash /selinux/libsepol/src/symtab.c:22:9 #3 0x556d0b9ef50d in hashtab_search /selinux/libsepol/src/hashtab.c:186:11 #4 0x556d0b928e1f in cil_symtab_get_datum /selinux/libsepol/src/../cil/src/cil_symtab.c:121:37 #5 0x556d0b8f28f4 in __cil_insert_name /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:96:2 #6 0x556d0b908184 in cil_resolve_call1 /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:2835:12 #7 0x556d0b91b404 in __cil_resolve_ast_node /selinux/libsepol/src/../cil/src/cil_resolve_ast.c #8 0x556d0b91380f in __cil_resolve_ast_node_helper /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:3773:7 #9 0x556d0b932230 in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:263:9 #10 0x556d0b932230 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:307:7 #11 0x556d0b932326 in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:275:9 #12 0x556d0b932326 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:307:7 #13 0x556d0b911189 in cil_resolve_ast /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:3941:8 #14 0x556d0b798729 in cil_compile /selinux/libsepol/src/../cil/src/cil.c:550:7 Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28544 Signed-off-by: Nicolas Iooss <[email protected]>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 7, 2021
Limit the maximum length of read sizes, like string length of module version and name or keys and number of symtab entries. This avoids the fuzzer to report oom events for huge allocations (it also improves the number of executions per seconds of the fuzzer). This change only affects the fuzzer build. ==15211== ERROR: libFuzzer: out-of-memory (malloc(3115956666)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x59d307 in str_read ./libsepol/src/services.c:1746:8 SELinuxProject#9 0x585b97 in perm_read ./libsepol/src/policydb.c:2063:5 SELinuxProject#10 0x581f8a in common_read ./libsepol/src/policydb.c:2119:7 SELinuxProject#11 0x576681 in policydb_read ./libsepol/src/policydb.c:4417:8 SELinuxProject#12 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#13 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#14 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#15 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#16 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#17 0x7fe1ec88a7ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#18 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==13584== ERROR: libFuzzer: out-of-memory (malloc(2560137369)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x581cc4 in common_read ./libsepol/src/policydb.c:2108:8 SELinuxProject#9 0x576681 in policydb_read ./libsepol/src/policydb.c:4409:8 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7fa6431787ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==12683== ERROR: libFuzzer: out-of-memory (malloc(2526451450)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x575f8a in policydb_read ./libsepol/src/policydb.c:4356:18 SELinuxProject#9 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#10 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#11 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#12 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#13 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#14 0x7fa737b377ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#15 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 7, 2021
Add checks for invalid read sizes from a binary policy to guard allocations. In the fuzzer build the value will also be bounded to avoid oom reports. ==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9 SELinuxProject#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7 SELinuxProject#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9 SELinuxProject#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999) SELinuxProject#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63) SELinuxProject#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6 SELinuxProject#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 7, 2021
Limit the maximum length of read sizes, like string length of module version and name or keys and number of symtab entries. This avoids the fuzzer to report oom events for huge allocations (it also improves the number of executions per seconds of the fuzzer). This change only affects the fuzzer build. ==15211== ERROR: libFuzzer: out-of-memory (malloc(3115956666)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x59d307 in str_read ./libsepol/src/services.c:1746:8 SELinuxProject#9 0x585b97 in perm_read ./libsepol/src/policydb.c:2063:5 SELinuxProject#10 0x581f8a in common_read ./libsepol/src/policydb.c:2119:7 SELinuxProject#11 0x576681 in policydb_read ./libsepol/src/policydb.c:4417:8 SELinuxProject#12 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#13 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#14 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#15 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#16 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#17 0x7fe1ec88a7ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#18 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==13584== ERROR: libFuzzer: out-of-memory (malloc(2560137369)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x581cc4 in common_read ./libsepol/src/policydb.c:2108:8 SELinuxProject#9 0x576681 in policydb_read ./libsepol/src/policydb.c:4409:8 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7fa6431787ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==12683== ERROR: libFuzzer: out-of-memory (malloc(2526451450)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x575f8a in policydb_read ./libsepol/src/policydb.c:4356:18 SELinuxProject#9 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#10 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#11 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#12 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#13 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#14 0x7fa737b377ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#15 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 7, 2021
Add checks for invalid read sizes from a binary policy to guard allocations. In the fuzzer build the value will also be bounded to avoid oom reports. ==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9 SELinuxProject#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7 SELinuxProject#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9 SELinuxProject#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999) SELinuxProject#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63) SELinuxProject#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6 SELinuxProject#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 7, 2021
Add checks for invalid read sizes from a binary policy to guard allocations. In the fuzzer build the value will also be bounded to avoid oom reports. ==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9 SELinuxProject#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7 SELinuxProject#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9 SELinuxProject#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999) SELinuxProject#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63) SELinuxProject#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6 SELinuxProject#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 7, 2021
Add checks for invalid read sizes from a binary policy to guard allocations. In the fuzzer build the value will also be bounded to avoid oom reports. ==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9 SELinuxProject#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7 SELinuxProject#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9 SELinuxProject#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999) SELinuxProject#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63) SELinuxProject#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6 SELinuxProject#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 8, 2021
Limit the maximum length of read sizes, like string length of module version and name or keys and number of symtab entries. This avoids the fuzzer to report oom events for huge allocations (it also improves the number of executions per seconds of the fuzzer). This change only affects the fuzzer build. ==15211== ERROR: libFuzzer: out-of-memory (malloc(3115956666)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x59d307 in str_read ./libsepol/src/services.c:1746:8 SELinuxProject#9 0x585b97 in perm_read ./libsepol/src/policydb.c:2063:5 SELinuxProject#10 0x581f8a in common_read ./libsepol/src/policydb.c:2119:7 SELinuxProject#11 0x576681 in policydb_read ./libsepol/src/policydb.c:4417:8 SELinuxProject#12 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#13 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#14 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#15 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#16 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#17 0x7fe1ec88a7ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#18 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==13584== ERROR: libFuzzer: out-of-memory (malloc(2560137369)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x581cc4 in common_read ./libsepol/src/policydb.c:2108:8 SELinuxProject#9 0x576681 in policydb_read ./libsepol/src/policydb.c:4409:8 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7fa6431787ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==12683== ERROR: libFuzzer: out-of-memory (malloc(2526451450)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x575f8a in policydb_read ./libsepol/src/policydb.c:4356:18 SELinuxProject#9 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#10 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#11 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#12 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#13 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#14 0x7fa737b377ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#15 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 8, 2021
Add checks for invalid read sizes from a binary policy to guard allocations. In the fuzzer build the value will also be bounded to avoid oom reports. ==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9 SELinuxProject#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7 SELinuxProject#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9 SELinuxProject#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999) SELinuxProject#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63) SELinuxProject#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6 SELinuxProject#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 9, 2021
Limit the maximum length of read sizes, like string length of module version and name or keys and number of symtab entries. This avoids the fuzzer to report oom events for huge allocations (it also improves the number of executions per seconds of the fuzzer). This change only affects the fuzzer build. ==15211== ERROR: libFuzzer: out-of-memory (malloc(3115956666)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x59d307 in str_read ./libsepol/src/services.c:1746:8 SELinuxProject#9 0x585b97 in perm_read ./libsepol/src/policydb.c:2063:5 SELinuxProject#10 0x581f8a in common_read ./libsepol/src/policydb.c:2119:7 SELinuxProject#11 0x576681 in policydb_read ./libsepol/src/policydb.c:4417:8 SELinuxProject#12 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#13 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#14 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#15 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#16 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#17 0x7fe1ec88a7ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#18 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==13584== ERROR: libFuzzer: out-of-memory (malloc(2560137369)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x581cc4 in common_read ./libsepol/src/policydb.c:2108:8 SELinuxProject#9 0x576681 in policydb_read ./libsepol/src/policydb.c:4409:8 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7fa6431787ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==12683== ERROR: libFuzzer: out-of-memory (malloc(2526451450)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x575f8a in policydb_read ./libsepol/src/policydb.c:4356:18 SELinuxProject#9 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#10 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#11 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#12 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#13 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#14 0x7fa737b377ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#15 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 9, 2021
Add checks for invalid read sizes from a binary policy to guard allocations. In the fuzzer build the value will also be bounded to avoid oom reports. ==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9 SELinuxProject#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7 SELinuxProject#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9 SELinuxProject#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999) SELinuxProject#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63) SELinuxProject#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6 SELinuxProject#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 9, 2021
Check if the sid value is saturated to guard dependent allocations. ==19967== ERROR: libFuzzer: out-of-memory (malloc(7784628224)) #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aabe3 in __asan::Allocator::Reallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aabe3) SELinuxProject#7 0x4aaa32 in __asan::asan_reallocarray(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aaa32) SELinuxProject#8 0x525f8e in __interceptor_reallocarray (./out/binpolicy-fuzzer+0x525f8e) SELinuxProject#9 0x5ebad3 in strs_add_at_index ./libsepol/src/kernel_to_common.c:224:9 SELinuxProject#10 0x5680eb in write_sids_to_conf ./libsepol/src/kernel_to_conf.c:466:8 SELinuxProject#11 0x55c1c0 in write_sid_decl_rules_to_conf ./libsepol/src/kernel_to_conf.c:498:8 SELinuxProject#12 0x55ad36 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3083:7 SELinuxProject#13 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9 SELinuxProject#14 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#15 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#16 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#17 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#18 0x7f085ac657ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#19 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 9, 2021
==91274==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f60b0afe8c6 bp 0x7ffd42edc990 sp 0x7ffd42edc148 T0) ==91274==The signal is caused by a READ memory access. ==91274==Hint: address points to the zero page. #0 0x7f60b0afe8c6 string/../sysdeps/x86_64/multiarch/../strlen.S:120 SELinuxProject#1 0x4bd128 in __interceptor_strlen (./out/binpolicy-fuzzer+0x4bd128) SELinuxProject#2 0x5eb387 in create_str_helper ./libsepol/src/kernel_to_common.c:69:10 SELinuxProject#3 0x5eb11e in create_str ./libsepol/src/kernel_to_common.c:99:8 SELinuxProject#4 0x56ad7b in context_to_str ./libsepol/src/kernel_to_conf.c:2408:9 SELinuxProject#5 0x56a717 in write_sid_context_rules_to_conf ./libsepol/src/kernel_to_conf.c:2441:9 SELinuxProject#6 0x55b26c in write_selinux_isid_rules_to_conf ./libsepol/src/kernel_to_conf.c:2476:9 SELinuxProject#7 0x55b26c in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3206:8 SELinuxProject#8 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9 SELinuxProject#9 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#10 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#11 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#12 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#13 0x7f60b0a887ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#14 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 11, 2021
Limit the maximum length of read sizes, like string length of module version and name or keys and number of symtab entries. This avoids the fuzzer to report oom events for huge allocations (it also improves the number of executions per seconds of the fuzzer). This change only affects the fuzzer build. ==15211== ERROR: libFuzzer: out-of-memory (malloc(3115956666)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x59d307 in str_read ./libsepol/src/services.c:1746:8 SELinuxProject#9 0x585b97 in perm_read ./libsepol/src/policydb.c:2063:5 SELinuxProject#10 0x581f8a in common_read ./libsepol/src/policydb.c:2119:7 SELinuxProject#11 0x576681 in policydb_read ./libsepol/src/policydb.c:4417:8 SELinuxProject#12 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#13 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#14 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#15 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#16 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#17 0x7fe1ec88a7ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#18 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==13584== ERROR: libFuzzer: out-of-memory (malloc(2560137369)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x581cc4 in common_read ./libsepol/src/policydb.c:2108:8 SELinuxProject#9 0x576681 in policydb_read ./libsepol/src/policydb.c:4409:8 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7fa6431787ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==12683== ERROR: libFuzzer: out-of-memory (malloc(2526451450)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x575f8a in policydb_read ./libsepol/src/policydb.c:4356:18 SELinuxProject#9 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#10 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#11 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#12 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#13 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#14 0x7fa737b377ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#15 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 11, 2021
Add checks for invalid read sizes from a binary policy to guard allocations. In the fuzzer build the value will also be bounded to avoid oom reports. ==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9 SELinuxProject#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7 SELinuxProject#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9 SELinuxProject#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999) SELinuxProject#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63) SELinuxProject#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6 SELinuxProject#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 11, 2021
Check if the sid value is saturated to guard dependent allocations. ==19967== ERROR: libFuzzer: out-of-memory (malloc(7784628224)) #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aabe3 in __asan::Allocator::Reallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aabe3) SELinuxProject#7 0x4aaa32 in __asan::asan_reallocarray(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aaa32) SELinuxProject#8 0x525f8e in __interceptor_reallocarray (./out/binpolicy-fuzzer+0x525f8e) SELinuxProject#9 0x5ebad3 in strs_add_at_index ./libsepol/src/kernel_to_common.c:224:9 SELinuxProject#10 0x5680eb in write_sids_to_conf ./libsepol/src/kernel_to_conf.c:466:8 SELinuxProject#11 0x55c1c0 in write_sid_decl_rules_to_conf ./libsepol/src/kernel_to_conf.c:498:8 SELinuxProject#12 0x55ad36 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3083:7 SELinuxProject#13 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9 SELinuxProject#14 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#15 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#16 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#17 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#18 0x7f085ac657ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#19 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 11, 2021
==91274==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f60b0afe8c6 bp 0x7ffd42edc990 sp 0x7ffd42edc148 T0) ==91274==The signal is caused by a READ memory access. ==91274==Hint: address points to the zero page. #0 0x7f60b0afe8c6 string/../sysdeps/x86_64/multiarch/../strlen.S:120 SELinuxProject#1 0x4bd128 in __interceptor_strlen (./out/binpolicy-fuzzer+0x4bd128) SELinuxProject#2 0x5eb387 in create_str_helper ./libsepol/src/kernel_to_common.c:69:10 SELinuxProject#3 0x5eb11e in create_str ./libsepol/src/kernel_to_common.c:99:8 SELinuxProject#4 0x56ad7b in context_to_str ./libsepol/src/kernel_to_conf.c:2408:9 SELinuxProject#5 0x56a717 in write_sid_context_rules_to_conf ./libsepol/src/kernel_to_conf.c:2441:9 SELinuxProject#6 0x55b26c in write_selinux_isid_rules_to_conf ./libsepol/src/kernel_to_conf.c:2476:9 SELinuxProject#7 0x55b26c in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3206:8 SELinuxProject#8 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9 SELinuxProject#9 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#10 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#11 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#12 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#13 0x7f60b0a887ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#14 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
fishilico
pushed a commit
to fishilico/selinux
that referenced
this pull request
Oct 11, 2021
Limit the maximum length of read sizes, like string length of module version and name or keys and number of symtab entries. This avoids the fuzzer to report oom events for huge allocations (it also improves the number of executions per seconds of the fuzzer). This change only affects the fuzzer build. ==15211== ERROR: libFuzzer: out-of-memory (malloc(3115956666)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x59d307 in str_read ./libsepol/src/services.c:1746:8 SELinuxProject#9 0x585b97 in perm_read ./libsepol/src/policydb.c:2063:5 SELinuxProject#10 0x581f8a in common_read ./libsepol/src/policydb.c:2119:7 SELinuxProject#11 0x576681 in policydb_read ./libsepol/src/policydb.c:4417:8 SELinuxProject#12 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#13 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#14 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#15 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#16 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#17 0x7fe1ec88a7ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#18 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==13584== ERROR: libFuzzer: out-of-memory (malloc(2560137369)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x581cc4 in common_read ./libsepol/src/policydb.c:2108:8 SELinuxProject#9 0x576681 in policydb_read ./libsepol/src/policydb.c:4409:8 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7fa6431787ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==12683== ERROR: libFuzzer: out-of-memory (malloc(2526451450)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x575f8a in policydb_read ./libsepol/src/policydb.c:4356:18 SELinuxProject#9 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#10 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#11 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#12 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#13 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#14 0x7fa737b377ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#15 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
fishilico
pushed a commit
to fishilico/selinux
that referenced
this pull request
Oct 11, 2021
Add checks for invalid read sizes from a binary policy to guard allocations. In the fuzzer build the value will also be bounded to avoid oom reports. ==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9 SELinuxProject#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7 SELinuxProject#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9 SELinuxProject#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999) SELinuxProject#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63) SELinuxProject#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6 SELinuxProject#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
fishilico
pushed a commit
to fishilico/selinux
that referenced
this pull request
Oct 11, 2021
Check if the sid value is saturated to guard dependent allocations. ==19967== ERROR: libFuzzer: out-of-memory (malloc(7784628224)) #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aabe3 in __asan::Allocator::Reallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aabe3) SELinuxProject#7 0x4aaa32 in __asan::asan_reallocarray(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aaa32) SELinuxProject#8 0x525f8e in __interceptor_reallocarray (./out/binpolicy-fuzzer+0x525f8e) SELinuxProject#9 0x5ebad3 in strs_add_at_index ./libsepol/src/kernel_to_common.c:224:9 SELinuxProject#10 0x5680eb in write_sids_to_conf ./libsepol/src/kernel_to_conf.c:466:8 SELinuxProject#11 0x55c1c0 in write_sid_decl_rules_to_conf ./libsepol/src/kernel_to_conf.c:498:8 SELinuxProject#12 0x55ad36 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3083:7 SELinuxProject#13 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9 SELinuxProject#14 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#15 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#16 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#17 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#18 0x7f085ac657ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#19 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
fishilico
pushed a commit
to fishilico/selinux
that referenced
this pull request
Oct 11, 2021
==91274==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f60b0afe8c6 bp 0x7ffd42edc990 sp 0x7ffd42edc148 T0) ==91274==The signal is caused by a READ memory access. ==91274==Hint: address points to the zero page. #0 0x7f60b0afe8c6 string/../sysdeps/x86_64/multiarch/../strlen.S:120 SELinuxProject#1 0x4bd128 in __interceptor_strlen (./out/binpolicy-fuzzer+0x4bd128) SELinuxProject#2 0x5eb387 in create_str_helper ./libsepol/src/kernel_to_common.c:69:10 SELinuxProject#3 0x5eb11e in create_str ./libsepol/src/kernel_to_common.c:99:8 SELinuxProject#4 0x56ad7b in context_to_str ./libsepol/src/kernel_to_conf.c:2408:9 SELinuxProject#5 0x56a717 in write_sid_context_rules_to_conf ./libsepol/src/kernel_to_conf.c:2441:9 SELinuxProject#6 0x55b26c in write_selinux_isid_rules_to_conf ./libsepol/src/kernel_to_conf.c:2476:9 SELinuxProject#7 0x55b26c in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3206:8 SELinuxProject#8 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9 SELinuxProject#9 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#10 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#11 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#12 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#13 0x7f60b0a887ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#14 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
fishilico
pushed a commit
to fishilico/selinux
that referenced
this pull request
Oct 16, 2021
Limit the maximum length of read sizes, like string length of module version and name or keys and number of symtab entries. This avoids the fuzzer to report oom events for huge allocations (it also improves the number of executions per seconds of the fuzzer). This change only affects the fuzzer build. ==15211== ERROR: libFuzzer: out-of-memory (malloc(3115956666)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x59d307 in str_read ./libsepol/src/services.c:1746:8 SELinuxProject#9 0x585b97 in perm_read ./libsepol/src/policydb.c:2063:5 SELinuxProject#10 0x581f8a in common_read ./libsepol/src/policydb.c:2119:7 SELinuxProject#11 0x576681 in policydb_read ./libsepol/src/policydb.c:4417:8 SELinuxProject#12 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#13 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#14 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#15 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#16 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#17 0x7fe1ec88a7ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#18 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==13584== ERROR: libFuzzer: out-of-memory (malloc(2560137369)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x581cc4 in common_read ./libsepol/src/policydb.c:2108:8 SELinuxProject#9 0x576681 in policydb_read ./libsepol/src/policydb.c:4409:8 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7fa6431787ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==12683== ERROR: libFuzzer: out-of-memory (malloc(2526451450)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x575f8a in policydb_read ./libsepol/src/policydb.c:4356:18 SELinuxProject#9 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#10 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#11 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#12 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#13 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#14 0x7fa737b377ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#15 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
fishilico
pushed a commit
to fishilico/selinux
that referenced
this pull request
Oct 16, 2021
Add checks for invalid read sizes from a binary policy to guard allocations. In the fuzzer build the value will also be bounded to avoid oom reports. ==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9 SELinuxProject#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7 SELinuxProject#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9 SELinuxProject#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999) SELinuxProject#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63) SELinuxProject#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6 SELinuxProject#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 21, 2021
Check if the sid value is saturated to guard dependent allocations. ==19967== ERROR: libFuzzer: out-of-memory (malloc(7784628224)) #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aabe3 in __asan::Allocator::Reallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aabe3) SELinuxProject#7 0x4aaa32 in __asan::asan_reallocarray(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aaa32) SELinuxProject#8 0x525f8e in __interceptor_reallocarray (./out/binpolicy-fuzzer+0x525f8e) SELinuxProject#9 0x5ebad3 in strs_add_at_index ./libsepol/src/kernel_to_common.c:224:9 SELinuxProject#10 0x5680eb in write_sids_to_conf ./libsepol/src/kernel_to_conf.c:466:8 SELinuxProject#11 0x55c1c0 in write_sid_decl_rules_to_conf ./libsepol/src/kernel_to_conf.c:498:8 SELinuxProject#12 0x55ad36 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3083:7 SELinuxProject#13 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9 SELinuxProject#14 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#15 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#16 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#17 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#18 0x7f085ac657ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#19 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 21, 2021
Check the literal contexts in ocontext statements are defined. ==91274==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f60b0afe8c6 bp 0x7ffd42edc990 sp 0x7ffd42edc148 T0) ==91274==The signal is caused by a READ memory access. ==91274==Hint: address points to the zero page. #0 0x7f60b0afe8c6 string/../sysdeps/x86_64/multiarch/../strlen.S:120 SELinuxProject#1 0x4bd128 in __interceptor_strlen (./out/binpolicy-fuzzer+0x4bd128) SELinuxProject#2 0x5eb387 in create_str_helper ./libsepol/src/kernel_to_common.c:69:10 SELinuxProject#3 0x5eb11e in create_str ./libsepol/src/kernel_to_common.c:99:8 SELinuxProject#4 0x56ad7b in context_to_str ./libsepol/src/kernel_to_conf.c:2408:9 SELinuxProject#5 0x56a717 in write_sid_context_rules_to_conf ./libsepol/src/kernel_to_conf.c:2441:9 SELinuxProject#6 0x55b26c in write_selinux_isid_rules_to_conf ./libsepol/src/kernel_to_conf.c:2476:9 SELinuxProject#7 0x55b26c in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3206:8 SELinuxProject#8 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9 SELinuxProject#9 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#10 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#11 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#12 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#13 0x7f60b0a887ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#14 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]> --- v2: also check in base modules Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 21, 2021
Check the literal contexts in ocontext statements are defined. ==91274==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f60b0afe8c6 bp 0x7ffd42edc990 sp 0x7ffd42edc148 T0) ==91274==The signal is caused by a READ memory access. ==91274==Hint: address points to the zero page. #0 0x7f60b0afe8c6 string/../sysdeps/x86_64/multiarch/../strlen.S:120 SELinuxProject#1 0x4bd128 in __interceptor_strlen (./out/binpolicy-fuzzer+0x4bd128) SELinuxProject#2 0x5eb387 in create_str_helper ./libsepol/src/kernel_to_common.c:69:10 SELinuxProject#3 0x5eb11e in create_str ./libsepol/src/kernel_to_common.c:99:8 SELinuxProject#4 0x56ad7b in context_to_str ./libsepol/src/kernel_to_conf.c:2408:9 SELinuxProject#5 0x56a717 in write_sid_context_rules_to_conf ./libsepol/src/kernel_to_conf.c:2441:9 SELinuxProject#6 0x55b26c in write_selinux_isid_rules_to_conf ./libsepol/src/kernel_to_conf.c:2476:9 SELinuxProject#7 0x55b26c in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3206:8 SELinuxProject#8 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9 SELinuxProject#9 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#10 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#11 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#12 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#13 0x7f60b0a887ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#14 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]> --- v2: also check in base modules Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 21, 2021
Check the literal contexts in ocontext statements are defined. ==91274==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f60b0afe8c6 bp 0x7ffd42edc990 sp 0x7ffd42edc148 T0) ==91274==The signal is caused by a READ memory access. ==91274==Hint: address points to the zero page. #0 0x7f60b0afe8c6 string/../sysdeps/x86_64/multiarch/../strlen.S:120 SELinuxProject#1 0x4bd128 in __interceptor_strlen (./out/binpolicy-fuzzer+0x4bd128) SELinuxProject#2 0x5eb387 in create_str_helper ./libsepol/src/kernel_to_common.c:69:10 SELinuxProject#3 0x5eb11e in create_str ./libsepol/src/kernel_to_common.c:99:8 SELinuxProject#4 0x56ad7b in context_to_str ./libsepol/src/kernel_to_conf.c:2408:9 SELinuxProject#5 0x56a717 in write_sid_context_rules_to_conf ./libsepol/src/kernel_to_conf.c:2441:9 SELinuxProject#6 0x55b26c in write_selinux_isid_rules_to_conf ./libsepol/src/kernel_to_conf.c:2476:9 SELinuxProject#7 0x55b26c in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3206:8 SELinuxProject#8 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9 SELinuxProject#9 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#10 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#11 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#12 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#13 0x7f60b0a887ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#14 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]> --- v2: also check in base modules Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Nov 5, 2021
Limit the maximum length of read sizes, like string length of module version and name or keys and number of symtab entries. This avoids the fuzzer to report oom events for huge allocations (it also improves the number of executions per seconds of the fuzzer). This change only affects the fuzzer build. ==15211== ERROR: libFuzzer: out-of-memory (malloc(3115956666)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x59d307 in str_read ./libsepol/src/services.c:1746:8 SELinuxProject#9 0x585b97 in perm_read ./libsepol/src/policydb.c:2063:5 SELinuxProject#10 0x581f8a in common_read ./libsepol/src/policydb.c:2119:7 SELinuxProject#11 0x576681 in policydb_read ./libsepol/src/policydb.c:4417:8 SELinuxProject#12 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#13 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#14 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#15 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#16 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#17 0x7fe1ec88a7ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#18 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==12683== ERROR: libFuzzer: out-of-memory (malloc(2526451450)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x575f8a in policydb_read ./libsepol/src/policydb.c:4356:18 SELinuxProject#9 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#10 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#11 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#12 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#13 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#14 0x7fa737b377ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#15 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Nov 5, 2021
Add checks for invalid read sizes from a binary policy to guard allocations. The common and class permission counts needs to be limited more strict otherwise a too high count of common or class permissions can lead to permission values with a too high value, which can lead to overflows in shift operations. In the fuzzer build the value will also be bounded to avoid oom reports. ==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9 SELinuxProject#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7 SELinuxProject#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9 SELinuxProject#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999) SELinuxProject#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63) SELinuxProject#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6 SELinuxProject#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Nov 5, 2021
Check if the sid value is saturated to guard dependent allocations. ==19967== ERROR: libFuzzer: out-of-memory (malloc(7784628224)) #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aabe3 in __asan::Allocator::Reallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aabe3) SELinuxProject#7 0x4aaa32 in __asan::asan_reallocarray(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aaa32) SELinuxProject#8 0x525f8e in __interceptor_reallocarray (./out/binpolicy-fuzzer+0x525f8e) SELinuxProject#9 0x5ebad3 in strs_add_at_index ./libsepol/src/kernel_to_common.c:224:9 SELinuxProject#10 0x5680eb in write_sids_to_conf ./libsepol/src/kernel_to_conf.c:466:8 SELinuxProject#11 0x55c1c0 in write_sid_decl_rules_to_conf ./libsepol/src/kernel_to_conf.c:498:8 SELinuxProject#12 0x55ad36 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3083:7 SELinuxProject#13 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9 SELinuxProject#14 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#15 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#16 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#17 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#18 0x7f085ac657ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#19 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Nov 5, 2021
Check the literal contexts in ocontext statements are defined. ==91274==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f60b0afe8c6 bp 0x7ffd42edc990 sp 0x7ffd42edc148 T0) ==91274==The signal is caused by a READ memory access. ==91274==Hint: address points to the zero page. #0 0x7f60b0afe8c6 string/../sysdeps/x86_64/multiarch/../strlen.S:120 SELinuxProject#1 0x4bd128 in __interceptor_strlen (./out/binpolicy-fuzzer+0x4bd128) SELinuxProject#2 0x5eb387 in create_str_helper ./libsepol/src/kernel_to_common.c:69:10 SELinuxProject#3 0x5eb11e in create_str ./libsepol/src/kernel_to_common.c:99:8 SELinuxProject#4 0x56ad7b in context_to_str ./libsepol/src/kernel_to_conf.c:2408:9 SELinuxProject#5 0x56a717 in write_sid_context_rules_to_conf ./libsepol/src/kernel_to_conf.c:2441:9 SELinuxProject#6 0x55b26c in write_selinux_isid_rules_to_conf ./libsepol/src/kernel_to_conf.c:2476:9 SELinuxProject#7 0x55b26c in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3206:8 SELinuxProject#8 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9 SELinuxProject#9 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#10 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#11 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#12 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#13 0x7f60b0a887ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#14 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]> --- v2: also check in base modules Signed-off-by: Christian Göttsche <[email protected]>
fishilico
pushed a commit
to fishilico/selinux
that referenced
this pull request
Nov 8, 2021
Limit the maximum length of read sizes, like string length of module version and name or keys and number of symtab entries. This avoids the fuzzer to report oom events for huge allocations (it also improves the number of executions per seconds of the fuzzer). This change only affects the fuzzer build. ==15211== ERROR: libFuzzer: out-of-memory (malloc(3115956666)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x59d307 in str_read ./libsepol/src/services.c:1746:8 SELinuxProject#9 0x585b97 in perm_read ./libsepol/src/policydb.c:2063:5 SELinuxProject#10 0x581f8a in common_read ./libsepol/src/policydb.c:2119:7 SELinuxProject#11 0x576681 in policydb_read ./libsepol/src/policydb.c:4417:8 SELinuxProject#12 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#13 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#14 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#15 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#16 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#17 0x7fe1ec88a7ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#18 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==12683== ERROR: libFuzzer: out-of-memory (malloc(2526451450)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x575f8a in policydb_read ./libsepol/src/policydb.c:4356:18 SELinuxProject#9 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#10 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#11 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#12 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#13 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#14 0x7fa737b377ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#15 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
fishilico
pushed a commit
to fishilico/selinux
that referenced
this pull request
Nov 8, 2021
Add checks for invalid read sizes from a binary policy to guard allocations. The common and class permission counts needs to be limited more strict otherwise a too high count of common or class permissions can lead to permission values with a too high value, which can lead to overflows in shift operations. In the fuzzer build the value will also be bounded to avoid oom reports. ==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9 SELinuxProject#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7 SELinuxProject#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9 SELinuxProject#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999) SELinuxProject#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63) SELinuxProject#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6 SELinuxProject#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
fishilico
pushed a commit
to fishilico/selinux
that referenced
this pull request
Nov 8, 2021
Check if the sid value is saturated to guard dependent allocations. ==19967== ERROR: libFuzzer: out-of-memory (malloc(7784628224)) #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aabe3 in __asan::Allocator::Reallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aabe3) SELinuxProject#7 0x4aaa32 in __asan::asan_reallocarray(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aaa32) SELinuxProject#8 0x525f8e in __interceptor_reallocarray (./out/binpolicy-fuzzer+0x525f8e) SELinuxProject#9 0x5ebad3 in strs_add_at_index ./libsepol/src/kernel_to_common.c:224:9 SELinuxProject#10 0x5680eb in write_sids_to_conf ./libsepol/src/kernel_to_conf.c:466:8 SELinuxProject#11 0x55c1c0 in write_sid_decl_rules_to_conf ./libsepol/src/kernel_to_conf.c:498:8 SELinuxProject#12 0x55ad36 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3083:7 SELinuxProject#13 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9 SELinuxProject#14 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#15 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#16 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#17 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#18 0x7f085ac657ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#19 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
fishilico
pushed a commit
to fishilico/selinux
that referenced
this pull request
Nov 8, 2021
Check the literal contexts in ocontext statements are defined. ==91274==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f60b0afe8c6 bp 0x7ffd42edc990 sp 0x7ffd42edc148 T0) ==91274==The signal is caused by a READ memory access. ==91274==Hint: address points to the zero page. #0 0x7f60b0afe8c6 string/../sysdeps/x86_64/multiarch/../strlen.S:120 SELinuxProject#1 0x4bd128 in __interceptor_strlen (./out/binpolicy-fuzzer+0x4bd128) SELinuxProject#2 0x5eb387 in create_str_helper ./libsepol/src/kernel_to_common.c:69:10 SELinuxProject#3 0x5eb11e in create_str ./libsepol/src/kernel_to_common.c:99:8 SELinuxProject#4 0x56ad7b in context_to_str ./libsepol/src/kernel_to_conf.c:2408:9 SELinuxProject#5 0x56a717 in write_sid_context_rules_to_conf ./libsepol/src/kernel_to_conf.c:2441:9 SELinuxProject#6 0x55b26c in write_selinux_isid_rules_to_conf ./libsepol/src/kernel_to_conf.c:2476:9 SELinuxProject#7 0x55b26c in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3206:8 SELinuxProject#8 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9 SELinuxProject#9 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#10 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#11 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#12 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#13 0x7f60b0a887ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#14 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
fishilico
pushed a commit
to fishilico/selinux
that referenced
this pull request
Nov 11, 2021
Limit the maximum length of read sizes, like string length of module version and name or keys and number of symtab entries. This avoids the fuzzer to report oom events for huge allocations (it also improves the number of executions per seconds of the fuzzer). This change only affects the fuzzer build. ==15211== ERROR: libFuzzer: out-of-memory (malloc(3115956666)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x59d307 in str_read ./libsepol/src/services.c:1746:8 SELinuxProject#9 0x585b97 in perm_read ./libsepol/src/policydb.c:2063:5 SELinuxProject#10 0x581f8a in common_read ./libsepol/src/policydb.c:2119:7 SELinuxProject#11 0x576681 in policydb_read ./libsepol/src/policydb.c:4417:8 SELinuxProject#12 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#13 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#14 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#15 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#16 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#17 0x7fe1ec88a7ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#18 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==12683== ERROR: libFuzzer: out-of-memory (malloc(2526451450)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x575f8a in policydb_read ./libsepol/src/policydb.c:4356:18 SELinuxProject#9 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#10 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#11 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#12 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#13 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#14 0x7fa737b377ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#15 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
fishilico
pushed a commit
to fishilico/selinux
that referenced
this pull request
Nov 11, 2021
Add checks for invalid read sizes from a binary policy to guard allocations. The common and class permission counts needs to be limited more strict otherwise a too high count of common or class permissions can lead to permission values with a too high value, which can lead to overflows in shift operations. In the fuzzer build the value will also be bounded to avoid oom reports. ==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9 SELinuxProject#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7 SELinuxProject#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9 SELinuxProject#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999) SELinuxProject#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63) SELinuxProject#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6 SELinuxProject#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
fishilico
pushed a commit
to fishilico/selinux
that referenced
this pull request
Nov 11, 2021
Check if the sid value is saturated to guard dependent allocations. ==19967== ERROR: libFuzzer: out-of-memory (malloc(7784628224)) #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aabe3 in __asan::Allocator::Reallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aabe3) SELinuxProject#7 0x4aaa32 in __asan::asan_reallocarray(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aaa32) SELinuxProject#8 0x525f8e in __interceptor_reallocarray (./out/binpolicy-fuzzer+0x525f8e) SELinuxProject#9 0x5ebad3 in strs_add_at_index ./libsepol/src/kernel_to_common.c:224:9 SELinuxProject#10 0x5680eb in write_sids_to_conf ./libsepol/src/kernel_to_conf.c:466:8 SELinuxProject#11 0x55c1c0 in write_sid_decl_rules_to_conf ./libsepol/src/kernel_to_conf.c:498:8 SELinuxProject#12 0x55ad36 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3083:7 SELinuxProject#13 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9 SELinuxProject#14 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#15 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#16 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#17 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#18 0x7f085ac657ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#19 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
fishilico
pushed a commit
to fishilico/selinux
that referenced
this pull request
Nov 11, 2021
Check the literal contexts in ocontext statements are defined. ==91274==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f60b0afe8c6 bp 0x7ffd42edc990 sp 0x7ffd42edc148 T0) ==91274==The signal is caused by a READ memory access. ==91274==Hint: address points to the zero page. #0 0x7f60b0afe8c6 string/../sysdeps/x86_64/multiarch/../strlen.S:120 SELinuxProject#1 0x4bd128 in __interceptor_strlen (./out/binpolicy-fuzzer+0x4bd128) SELinuxProject#2 0x5eb387 in create_str_helper ./libsepol/src/kernel_to_common.c:69:10 SELinuxProject#3 0x5eb11e in create_str ./libsepol/src/kernel_to_common.c:99:8 SELinuxProject#4 0x56ad7b in context_to_str ./libsepol/src/kernel_to_conf.c:2408:9 SELinuxProject#5 0x56a717 in write_sid_context_rules_to_conf ./libsepol/src/kernel_to_conf.c:2441:9 SELinuxProject#6 0x55b26c in write_selinux_isid_rules_to_conf ./libsepol/src/kernel_to_conf.c:2476:9 SELinuxProject#7 0x55b26c in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3206:8 SELinuxProject#8 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9 SELinuxProject#9 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#10 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#11 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#12 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#13 0x7f60b0a887ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#14 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Dec 9, 2021
Limit the maximum length of read sizes, like string length of module version and name or keys and number of symtab entries. This avoids the fuzzer to report oom events for huge allocations (it also improves the number of executions per seconds of the fuzzer). This change only affects the fuzzer build. ==15211== ERROR: libFuzzer: out-of-memory (malloc(3115956666)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x59d307 in str_read ./libsepol/src/services.c:1746:8 SELinuxProject#9 0x585b97 in perm_read ./libsepol/src/policydb.c:2063:5 SELinuxProject#10 0x581f8a in common_read ./libsepol/src/policydb.c:2119:7 SELinuxProject#11 0x576681 in policydb_read ./libsepol/src/policydb.c:4417:8 SELinuxProject#12 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#13 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#14 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#15 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#16 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#17 0x7fe1ec88a7ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#18 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==12683== ERROR: libFuzzer: out-of-memory (malloc(2526451450)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x575f8a in policydb_read ./libsepol/src/policydb.c:4356:18 SELinuxProject#9 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#10 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#11 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#12 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#13 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#14 0x7fa737b377ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#15 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Dec 9, 2021
Add checks for invalid read sizes from a binary policy to guard allocations. The common and class permission counts needs to be limited more strict otherwise a too high count of common or class permissions can lead to permission values with a too high value, which can lead to overflows in shift operations. In the fuzzer build the value will also be bounded to avoid oom reports. ==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9 SELinuxProject#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7 SELinuxProject#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9 SELinuxProject#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999) SELinuxProject#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63) SELinuxProject#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6 SELinuxProject#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]> --- v3: - use PERM_SYMTAB_SIZE instead of bare 32 as limit
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Dec 9, 2021
Check if the sid value is saturated to guard dependent allocations. ==19967== ERROR: libFuzzer: out-of-memory (malloc(7784628224)) #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aabe3 in __asan::Allocator::Reallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aabe3) SELinuxProject#7 0x4aaa32 in __asan::asan_reallocarray(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aaa32) SELinuxProject#8 0x525f8e in __interceptor_reallocarray (./out/binpolicy-fuzzer+0x525f8e) SELinuxProject#9 0x5ebad3 in strs_add_at_index ./libsepol/src/kernel_to_common.c:224:9 SELinuxProject#10 0x5680eb in write_sids_to_conf ./libsepol/src/kernel_to_conf.c:466:8 SELinuxProject#11 0x55c1c0 in write_sid_decl_rules_to_conf ./libsepol/src/kernel_to_conf.c:498:8 SELinuxProject#12 0x55ad36 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3083:7 SELinuxProject#13 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9 SELinuxProject#14 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#15 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#16 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#17 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#18 0x7f085ac657ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#19 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Dec 9, 2021
Check the literal contexts in ocontext statements are defined. ==91274==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f60b0afe8c6 bp 0x7ffd42edc990 sp 0x7ffd42edc148 T0) ==91274==The signal is caused by a READ memory access. ==91274==Hint: address points to the zero page. #0 0x7f60b0afe8c6 string/../sysdeps/x86_64/multiarch/../strlen.S:120 SELinuxProject#1 0x4bd128 in __interceptor_strlen (./out/binpolicy-fuzzer+0x4bd128) SELinuxProject#2 0x5eb387 in create_str_helper ./libsepol/src/kernel_to_common.c:69:10 SELinuxProject#3 0x5eb11e in create_str ./libsepol/src/kernel_to_common.c:99:8 SELinuxProject#4 0x56ad7b in context_to_str ./libsepol/src/kernel_to_conf.c:2408:9 SELinuxProject#5 0x56a717 in write_sid_context_rules_to_conf ./libsepol/src/kernel_to_conf.c:2441:9 SELinuxProject#6 0x55b26c in write_selinux_isid_rules_to_conf ./libsepol/src/kernel_to_conf.c:2476:9 SELinuxProject#7 0x55b26c in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3206:8 SELinuxProject#8 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9 SELinuxProject#9 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#10 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#11 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#12 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#13 0x7f60b0a887ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#14 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]> --- v3: only check FS and NETIF ocons in selinux policies (not xen) v2: also check in base modules
jwcart2
pushed a commit
to jwcart2/selinux
that referenced
this pull request
Dec 15, 2021
Limit the maximum length of read sizes, like string length of module version and name or keys and number of symtab entries. This avoids the fuzzer to report oom events for huge allocations (it also improves the number of executions per seconds of the fuzzer). This change only affects the fuzzer build. ==15211== ERROR: libFuzzer: out-of-memory (malloc(3115956666)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) #1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x59d307 in str_read ./libsepol/src/services.c:1746:8 SELinuxProject#9 0x585b97 in perm_read ./libsepol/src/policydb.c:2063:5 SELinuxProject#10 0x581f8a in common_read ./libsepol/src/policydb.c:2119:7 SELinuxProject#11 0x576681 in policydb_read ./libsepol/src/policydb.c:4417:8 SELinuxProject#12 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#13 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#14 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#15 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#16 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#17 0x7fe1ec88a7ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#18 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==12683== ERROR: libFuzzer: out-of-memory (malloc(2526451450)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) #1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x575f8a in policydb_read ./libsepol/src/policydb.c:4356:18 SELinuxProject#9 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#10 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#11 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#12 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#13 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#14 0x7fa737b377ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#15 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
jwcart2
pushed a commit
to jwcart2/selinux
that referenced
this pull request
Dec 15, 2021
Add checks for invalid read sizes from a binary policy to guard allocations. The common and class permission counts needs to be limited more strict otherwise a too high count of common or class permissions can lead to permission values with a too high value, which can lead to overflows in shift operations. In the fuzzer build the value will also be bounded to avoid oom reports. ==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) #1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9 SELinuxProject#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7 SELinuxProject#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9 SELinuxProject#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) #1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999) SELinuxProject#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63) SELinuxProject#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6 SELinuxProject#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
jwcart2
pushed a commit
to jwcart2/selinux
that referenced
this pull request
Dec 15, 2021
Check if the sid value is saturated to guard dependent allocations. ==19967== ERROR: libFuzzer: out-of-memory (malloc(7784628224)) #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) #1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aabe3 in __asan::Allocator::Reallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aabe3) SELinuxProject#7 0x4aaa32 in __asan::asan_reallocarray(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aaa32) SELinuxProject#8 0x525f8e in __interceptor_reallocarray (./out/binpolicy-fuzzer+0x525f8e) SELinuxProject#9 0x5ebad3 in strs_add_at_index ./libsepol/src/kernel_to_common.c:224:9 SELinuxProject#10 0x5680eb in write_sids_to_conf ./libsepol/src/kernel_to_conf.c:466:8 SELinuxProject#11 0x55c1c0 in write_sid_decl_rules_to_conf ./libsepol/src/kernel_to_conf.c:498:8 SELinuxProject#12 0x55ad36 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3083:7 SELinuxProject#13 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9 SELinuxProject#14 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#15 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#16 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#17 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#18 0x7f085ac657ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#19 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
jwcart2
pushed a commit
to jwcart2/selinux
that referenced
this pull request
Dec 15, 2021
Check the literal contexts in ocontext statements are defined. ==91274==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f60b0afe8c6 bp 0x7ffd42edc990 sp 0x7ffd42edc148 T0) ==91274==The signal is caused by a READ memory access. ==91274==Hint: address points to the zero page. #0 0x7f60b0afe8c6 string/../sysdeps/x86_64/multiarch/../strlen.S:120 #1 0x4bd128 in __interceptor_strlen (./out/binpolicy-fuzzer+0x4bd128) SELinuxProject#2 0x5eb387 in create_str_helper ./libsepol/src/kernel_to_common.c:69:10 SELinuxProject#3 0x5eb11e in create_str ./libsepol/src/kernel_to_common.c:99:8 SELinuxProject#4 0x56ad7b in context_to_str ./libsepol/src/kernel_to_conf.c:2408:9 SELinuxProject#5 0x56a717 in write_sid_context_rules_to_conf ./libsepol/src/kernel_to_conf.c:2441:9 SELinuxProject#6 0x55b26c in write_selinux_isid_rules_to_conf ./libsepol/src/kernel_to_conf.c:2476:9 SELinuxProject#7 0x55b26c in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3206:8 SELinuxProject#8 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9 SELinuxProject#9 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#10 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#11 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#12 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#13 0x7f60b0a887ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#14 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
jwcart2
pushed a commit
that referenced
this pull request
Dec 17, 2021
Limit the maximum length of read sizes, like string length of module version and name or keys and number of symtab entries. This avoids the fuzzer to report oom events for huge allocations (it also improves the number of executions per seconds of the fuzzer). This change only affects the fuzzer build. ==15211== ERROR: libFuzzer: out-of-memory (malloc(3115956666)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) #1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o #2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o #3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o #4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) #5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) #6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) #7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) #8 0x59d307 in str_read ./libsepol/src/services.c:1746:8 #9 0x585b97 in perm_read ./libsepol/src/policydb.c:2063:5 #10 0x581f8a in common_read ./libsepol/src/policydb.c:2119:7 #11 0x576681 in policydb_read ./libsepol/src/policydb.c:4417:8 #12 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 #13 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o #14 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o #15 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o #16 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) #17 0x7fe1ec88a7ec in __libc_start_main csu/../csu/libc-start.c:332:16 #18 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==12683== ERROR: libFuzzer: out-of-memory (malloc(2526451450)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) #1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o #2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o #3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o #4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) #5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) #6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) #7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) #8 0x575f8a in policydb_read ./libsepol/src/policydb.c:4356:18 #9 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 #10 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o #11 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o #12 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o #13 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) #14 0x7fa737b377ec in __libc_start_main csu/../csu/libc-start.c:332:16 #15 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
jwcart2
pushed a commit
that referenced
this pull request
Dec 17, 2021
Add checks for invalid read sizes from a binary policy to guard allocations. The common and class permission counts needs to be limited more strict otherwise a too high count of common or class permissions can lead to permission values with a too high value, which can lead to overflows in shift operations. In the fuzzer build the value will also be bounded to avoid oom reports. ==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) #1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o #2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o #3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o #4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) #5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) #6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) #7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) #8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9 #9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7 #10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9 #11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 #12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o #13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o #14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o #15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) #16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16 #17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) #1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o #2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o #3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o #4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) #5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) #6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999) #7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63) #8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6 #9 0x5771f3 in policydb_read ./src/policydb.c:4481:6 #10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 #11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o #12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o #13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o #14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) #15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16 #16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
jwcart2
pushed a commit
that referenced
this pull request
Dec 17, 2021
Check if the sid value is saturated to guard dependent allocations. ==19967== ERROR: libFuzzer: out-of-memory (malloc(7784628224)) #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) #1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o #2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o #3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o #4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) #5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) #6 0x4aabe3 in __asan::Allocator::Reallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aabe3) #7 0x4aaa32 in __asan::asan_reallocarray(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aaa32) #8 0x525f8e in __interceptor_reallocarray (./out/binpolicy-fuzzer+0x525f8e) #9 0x5ebad3 in strs_add_at_index ./libsepol/src/kernel_to_common.c:224:9 #10 0x5680eb in write_sids_to_conf ./libsepol/src/kernel_to_conf.c:466:8 #11 0x55c1c0 in write_sid_decl_rules_to_conf ./libsepol/src/kernel_to_conf.c:498:8 #12 0x55ad36 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3083:7 #13 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9 #14 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o #15 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o #16 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o #17 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) #18 0x7f085ac657ec in __libc_start_main csu/../csu/libc-start.c:332:16 #19 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
jwcart2
pushed a commit
that referenced
this pull request
Dec 17, 2021
Check the literal contexts in ocontext statements are defined. ==91274==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f60b0afe8c6 bp 0x7ffd42edc990 sp 0x7ffd42edc148 T0) ==91274==The signal is caused by a READ memory access. ==91274==Hint: address points to the zero page. #0 0x7f60b0afe8c6 string/../sysdeps/x86_64/multiarch/../strlen.S:120 #1 0x4bd128 in __interceptor_strlen (./out/binpolicy-fuzzer+0x4bd128) #2 0x5eb387 in create_str_helper ./libsepol/src/kernel_to_common.c:69:10 #3 0x5eb11e in create_str ./libsepol/src/kernel_to_common.c:99:8 #4 0x56ad7b in context_to_str ./libsepol/src/kernel_to_conf.c:2408:9 #5 0x56a717 in write_sid_context_rules_to_conf ./libsepol/src/kernel_to_conf.c:2441:9 #6 0x55b26c in write_selinux_isid_rules_to_conf ./libsepol/src/kernel_to_conf.c:2476:9 #7 0x55b26c in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3206:8 #8 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9 #9 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o #10 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o #11 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o #12 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) #13 0x7f60b0a887ec in __libc_start_main csu/../csu/libc-start.c:332:16 #14 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.