Skip to content

Commit

Permalink
libsepol: validate expanded user range and level
Browse files Browse the repository at this point in the history 
Check those contains valid values.

    ==57532==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000001178 at pc 0x000000564c04 bp 0x7ffed7a5ad90 sp 0x7ffed7a5ad88
    READ of size 8 at 0x603000001178 thread T0
        #0 0x564c03 in level_to_str ./libsepol/src/kernel_to_conf.c:1901:19
        SELinuxProject#1 0x564c03 in range_to_str ./libsepol/src/kernel_to_conf.c:1926:9
        SELinuxProject#2 0x564c03 in write_user_decl_rules_to_conf ./libsepol/src/kernel_to_conf.c:2367:12
        SELinuxProject#3 0x55b137 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3184:7
        SELinuxProject#4 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9
        SELinuxProject#5 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
        SELinuxProject#6 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
        SELinuxProject#7 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
        SELinuxProject#8 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
        SELinuxProject#9 0x7f2c2e1a77ec in __libc_start_main csu/../csu/libc-start.c:332:16
        SELinuxProject#10 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)

Signed-off-by: Christian Göttsche <[email protected]>
  • Loading branch information
@cgzones @fishilico
cgzones authored and fishilico committed Oct 11, 2021
1 parent 9d92b89 commit d90ea99
Showing 1 changed file with 31 additions and 16 deletions.
47 changes: 31 additions & 16 deletions libsepol/src/policydb_validate.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -290,38 +290,53 @@ static int validate_mls_semantic_range(mls_semantic_range_t *range, validate_t *
return -1;
}

static int validate_user_datum(sepol_handle_t *handle, user_datum_t *user, validate_t flavors[])
static int validate_mls_level(mls_level_t *level, validate_t *sens, validate_t *cats)
{
if (validate_value(user->s.value, &flavors[SYM_USERS]))
goto bad;
if (validate_role_set(&user->roles, &flavors[SYM_ROLES]))
if (validate_value(level->sens, sens))
goto bad;
if (validate_mls_semantic_range(&user->range, &flavors[SYM_LEVELS], &flavors[SYM_CATS]))
if (validate_ebitmap(&level->cat, cats))
goto bad;
if (validate_mls_semantic_level(&user->dfltlevel, &flavors[SYM_LEVELS], &flavors[SYM_CATS]))

return 0;

bad:
return -1;
}

static int validate_mls_range(mls_range_t *range, validate_t *sens, validate_t *cats)
{
if (validate_mls_level(&range->level[0], sens, cats))
goto bad;
if (user->bounds && validate_value(user->bounds, &flavors[SYM_USERS]))
if (validate_mls_level(&range->level[1], sens, cats))
goto bad;

return 0;

bad:
ERR(handle, "Invalid user datum");
bad:
return -1;
}

static int validate_mls_level(mls_level_t *level, validate_t *sens, validate_t *cats)
static int validate_user_datum(sepol_handle_t *handle, user_datum_t *user, validate_t flavors[], int mls)
{
if (level->sens == 0)
return 0;
if (validate_value(level->sens, sens))
if (validate_value(user->s.value, &flavors[SYM_USERS]))
goto bad;
if (validate_ebitmap(&level->cat, cats))
if (validate_role_set(&user->roles, &flavors[SYM_ROLES]))
goto bad;
if (validate_mls_semantic_range(&user->range, &flavors[SYM_LEVELS], &flavors[SYM_CATS]))
goto bad;
if (validate_mls_semantic_level(&user->dfltlevel, &flavors[SYM_LEVELS], &flavors[SYM_CATS]))
goto bad;
if (mls && validate_mls_range(&user->exp_range, &flavors[SYM_LEVELS], &flavors[SYM_CATS]))
goto bad;
if (mls && validate_mls_level(&user->exp_dfltlevel, &flavors[SYM_LEVELS], &flavors[SYM_CATS]))
goto bad;
if (user->bounds && validate_value(user->bounds, &flavors[SYM_USERS]))
goto bad;

return 0;

bad:
bad:
ERR(handle, "Invalid user datum");
return -1;
}

Expand Down Expand Up @@ -383,7 +398,7 @@ static int validate_datum_arrays(sepol_handle_t *handle, policydb_t *p, validate
if (p->user_val_to_struct[i]) {
if (ebitmap_get_bit(&flavors[SYM_USERS].gaps, i))
goto bad;
if (validate_user_datum(handle, p->user_val_to_struct[i], flavors))
if (validate_user_datum(handle, p->user_val_to_struct[i], flavors, p->mls))
goto bad;
} else {
if (!ebitmap_get_bit(&flavors[SYM_USERS].gaps, i))
Expand Down

0 comments on commit d90ea99

Please sign in to comment.