Skip to content

Commit

Permalink
libsepol: add checks for read sizes
Browse files Browse the repository at this point in the history
Add checks for invalid read sizes from a binary policy to guard
allocations.

The common and class permission counts needs to be limited more strict
otherwise a too high count of common or class permissions can lead to
permission values with a too high value, which can lead to overflows
in shift operations.

In the fuzzer build the value will also be bounded to avoid oom reports.

    ==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160))
       To change the out-of-memory limit use -rss_limit_mb=<N>

        #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
        #1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
        SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
        SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
        SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
        SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
        SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143)
        SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb)
        SELinuxProject#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9
        SELinuxProject#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7
        SELinuxProject#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9
        SELinuxProject#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
        SELinuxProject#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
        SELinuxProject#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
        SELinuxProject#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
        SELinuxProject#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
        SELinuxProject#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16
        SELinuxProject#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)

    ==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008))
       To change the out-of-memory limit use -rss_limit_mb=<N>

        #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
        #1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
        SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
        SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
        SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
        SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
        SELinuxProject#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999)
        SELinuxProject#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63)
        SELinuxProject#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6
        SELinuxProject#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6
        SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
        SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
        SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
        SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
        SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
        SELinuxProject#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16
        SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)

Signed-off-by: Christian Göttsche <[email protected]>
  • Loading branch information
cgzones authored and jwcart2 committed Dec 15, 2021
1 parent 541d45d commit 2a0cd89
Showing 1 changed file with 9 additions and 1 deletion.
10 changes: 9 additions & 1 deletion libsepol/src/policydb.c
Original file line number Diff line number Diff line change
Expand Up @@ -2103,6 +2103,8 @@ static int common_read(policydb_t * p, hashtab_t h, struct policy_file *fp)
if (symtab_init(&comdatum->permissions, PERM_SYMTAB_SIZE))
goto bad;
comdatum->permissions.nprim = le32_to_cpu(buf[2]);
if (comdatum->permissions.nprim > PERM_SYMTAB_SIZE)
goto bad;
nel = le32_to_cpu(buf[3]);

key = malloc(len + 1);
Expand Down Expand Up @@ -2251,6 +2253,8 @@ static int class_read(policydb_t * p, hashtab_t h, struct policy_file *fp)
if (symtab_init(&cladatum->permissions, PERM_SYMTAB_SIZE))
goto bad;
cladatum->permissions.nprim = le32_to_cpu(buf[3]);
if (cladatum->permissions.nprim > PERM_SYMTAB_SIZE)
goto bad;
nel = le32_to_cpu(buf[4]);

ncons = le32_to_cpu(buf[5]);
Expand Down Expand Up @@ -3980,6 +3984,8 @@ static int avrule_decl_read(policydb_t * p, avrule_decl_t * decl,
if (rc < 0)
return -1;
nprim = le32_to_cpu(buf[0]);
if (is_saturated(nprim))
return -1;
nel = le32_to_cpu(buf[1]);
for (j = 0; j < nel; j++) {
if (read_f[i] (p, decl->symtab[i].table, fp)) {
Expand Down Expand Up @@ -4106,7 +4112,7 @@ static int scope_read(policydb_t * p, int symnum, struct policy_file *fp)
goto cleanup;
scope->scope = le32_to_cpu(buf[0]);
scope->decl_ids_len = le32_to_cpu(buf[1]);
if (scope->decl_ids_len == 0) {
if (zero_or_saturated(scope->decl_ids_len)) {
ERR(fp->handle, "invalid scope with no declaration");
goto cleanup;
}
Expand Down Expand Up @@ -4396,6 +4402,8 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose)
if (rc < 0)
goto bad;
nprim = le32_to_cpu(buf[0]);
if (is_saturated(nprim))
goto bad;
nel = le32_to_cpu(buf[1]);
if (nel && !nprim) {
ERR(fp->handle, "unexpected items in symbol table with no symbol");
Expand Down

0 comments on commit 2a0cd89

Please sign in to comment.