Skip to content

Commit

Permalink
libsepol/cil: prevent undefined behavior due to 1 << 31
Browse files Browse the repository at this point in the history
On Fedora 32 executing scripts/ci/fedora-test-runner.sh, semodule
crashes:

    [root@localhost selinux-testsuite]# make test
    make -C policy load
    make[1]: Entering directory '/root/selinux-testsuite/policy'
    # Test for "expand-check = 0" in /etc/selinux/semanage.conf
    # General policy build
    make[2]: Entering directory '/root/selinux-testsuite/policy/test_policy'
    Compiling targeted test_policy module
    Creating targeted test_policy.pp policy package
    rm tmp/test_policy.mod.fc
    make[2]: Leaving directory '/root/selinux-testsuite/policy/test_policy'
    # General policy load
    domain_fd_use --> off
    /usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil test_overlay_defaultrange.cil test_add_levels.cil test_glblub.cil
    make[1]: *** [Makefile:174: load] Aborted (core dumped)

    (gdb) bt
    #0  0x00007f608fe4fa25 in raise () from /lib64/libc.so.6
    SELinuxProject#1  0x00007f608fe38895 in abort () from /lib64/libc.so.6
    SELinuxProject#2  0x00007f6090028aca in __addvsi3.cold () from /lib64/libsepol.so.1
    SELinuxProject#3  0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
        at ../cil/src/cil_binary.c:1551
    SELinuxProject#4  0x00007f60900970dd in __cil_permx_bitmap_to_sepol_xperms_list (xperms=0xb650a30, xperms_list=0x7ffce2653b18)
        at ../cil/src/cil_binary.c:1596
    SELinuxProject#5  0x00007f6090097286 in __cil_avrulex_ioctl_to_policydb (k=0xb8ec200 "@\023\214\022\006", datum=0xb650a30,
        args=0x239a640) at ../cil/src/cil_binary.c:1649
    SELinuxProject#6  0x00007f609003f1e5 in hashtab_map (h=0x41f8710, apply=0x7f60900971da <__cil_avrulex_ioctl_to_policydb>,
        args=0x239a640) at hashtab.c:234
    SELinuxProject#7  0x00007f609009ea19 in cil_binary_create_allocated_pdb (db=0x2394f10, policydb=0x239a640)
        at ../cil/src/cil_binary.c:4969
    SELinuxProject#8  0x00007f609009d19d in cil_binary_create (db=0x2394f10, policydb=0x7ffce2653d30) at ../cil/src/cil_binary.c:4329
    SELinuxProject#9  0x00007f609008ec23 in cil_build_policydb_create_pdb (db=0x2394f10, sepol_db=0x7ffce2653d30)
        at ../cil/src/cil.c:631
    SELinuxProject#10 0x00007f608fff4bf3 in semanage_direct_commit () from /lib64/libsemanage.so.1
    SELinuxProject#11 0x00007f608fff9fae in semanage_commit () from /lib64/libsemanage.so.1
    SELinuxProject#12 0x0000000000403e2b in main (argc=7, argv=0x7ffce2655058) at semodule.c:753

    (gdb) f 3
    SELinuxProject#3  0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
        at ../cil/src/cil_binary.c:1551
    1551     xperms->perms[i] |= XPERM_SETBITS(h) - XPERM_SETBITS(low);

This is due to XPERM_SETBITS(h) with h = 31:

    #define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)

Using "1U" to make the type unsigned fixes the crash.

Signed-off-by: Nicolas Iooss <[email protected]>
  • Loading branch information
fishilico committed Oct 2, 2020
1 parent 806aeb6 commit a4e137c
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion libsepol/cil/src/cil_binary.c
Original file line number Diff line number Diff line change
Expand Up @@ -1526,7 +1526,7 @@ int cil_avrule_to_policydb(policydb_t *pdb, const struct cil_db *db, struct cil_
/* index of the u32 containing the permission */
#define XPERM_IDX(x) (x >> 5)
/* set bits 0 through x-1 within the u32 */
#define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)
#define XPERM_SETBITS(x) ((1U << (x & 0x1f)) - 1)
/* low value for this u32 */
#define XPERM_LOW(x) (x << 5)
/* high value for this u32 */
Expand Down

0 comments on commit a4e137c

Please sign in to comment.