[PATCH 76/84] libsepol: constraint queue overflow


 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


   This patch looks good to me. acked.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEUEARECAAYFAlD+qRsACgkQrlYvE4MpobNAJQCfXxdwKy8Ljd261gCf71EkwDJ2
iMIAl1vZLP7tZJcsuAg+13Dwg8u/h8s=
=vMA2
-----END PGP SIGNATURE-----
>From e9b90ddd9df3ba70298cdb95b7f4c00b603d91d2 Mon Sep 17 00:00:00 2001
From: Eric Paris <eparis@xxxxxxxxxx>
Date: Tue, 8 Jan 2013 11:42:21 -0500
Subject: [PATCH 76/84] libsepol: constraint queue overflow

The code to include constraints in the policy and allow those to be
written back in audit2why was overflowing its fixed length stack.  This
patch changes the stack implementation to be dynamic in size, rather
than of a fixed depth.  It fixes the overflows found when used with Fedora
policy.

Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
---
 libsepol/src/expand.c   | 17 ++++++++--------
 libsepol/src/policydb.c | 11 +++++-----
 libsepol/src/services.c | 54 ++++++++++++++++++++++++++++++++++---------------
 3 files changed, 53 insertions(+), 29 deletions(-)

diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 34e764b..0ca8448 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -382,16 +382,17 @@ static int constraint_node_clone(constraint_node_t ** dst,
 			new_expr->op = expr->op;
 			if (new_expr->expr_type == CEXPR_NAMES) {
 				if (new_expr->attr & CEXPR_TYPE) {
-                    /*
-                     * Copy over constraint policy source types and/or
-                     * attributes for sepol_compute_av_reason_buffer(3) so that
-                     * utilities can analyse constraint errors.
-                     */
+					/*
+					 * Copy over constraint policy source types and/or
+					 * attributes for sepol_compute_av_reason_buffer(3) so that
+					 * utilities can analyse constraint errors.
+					 */
 					if (map_ebitmap(&expr->type_names->types,
-                                &new_expr->type_names->types, state->typemap)) {
-                        ERR(NULL, "Failed to map type_names->types");
+							&new_expr->type_names->types,
+							state->typemap)) {
+						ERR(NULL, "Failed to map type_names->types");
 						goto out_of_mem;
-                    }
+					}
 					/* Type sets require expansion and conversion. */
 					if (expand_convert_type_set(state->out,
 								    state->
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index ef0252a..00cf6a8 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -2037,11 +2037,12 @@ static int read_cons_helper(policydb_t * p, constraint_node_t ** nodep,
 				depth++;
 				if (ebitmap_read(&e->names, fp))
 					return -1;
-				if ((p->policy_type != POLICY_KERN &&
-						type_set_read(e->type_names, fp)) ||
-						((p->policy_type == POLICY_KERN &&
-						p->policyvers >= POLICYDB_VERSION_CONSTRAINT_NAMES) &&
-						type_set_read(e->type_names, fp)))
+				if (p->policy_type != POLICY_KERN &&
+				    type_set_read(e->type_names, fp))
+					return -1;
+				else if (p->policy_type == POLICY_KERN &&
+					 p->policyvers >= POLICYDB_VERSION_CONSTRAINT_NAMES &&
+					 type_set_read(e->type_names, fp))
 					return -1;
 				break;
 			default:
diff --git a/libsepol/src/services.c b/libsepol/src/services.c
index 9b42d8d..23cef4c 100644
--- a/libsepol/src/services.c
+++ b/libsepol/src/services.c
@@ -47,7 +47,6 @@
 #define REASON_BUF_SIZE 30000
 /* The maximum size of each malloc'd expression buffer */
 #define EXPR_BUF_SIZE 1000
-/* Number expressions in a constraint - max seen in MLS policy is 21 */
 #define EXPR_BUFFERS 30
 
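Review bot: Dropping the comment "Number expressions in a constraint - max seen in MLS policy is 21" leaves `#define EXPR_BUFFERS 30` undocumented, yet the constant is still a hard limit that the new checks in constraint_expr_eval_reason enforce with an error return. Replace the comment rather than delete it, e.g. `/* Max expression buffers per constraint: the RPN stack is now dynamic, but expr_buf/answer_buf are still fixed at this size */`, so a reader knows why the limit survives the dynamic-stack change.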
 #include <stdlib.h>
@@ -79,27 +78,42 @@ static sidtab_t mysidtab, *sidtab = &mysidtab;
 static policydb_t mypolicydb, *policydb = &mypolicydb;
 
 /* Stack services for RPN to infix conversion. Size is num of expr bufs */
-char *stack[EXPR_BUFFERS];
-int tos = 0;
- 
-void push(char * expr_ptr)
+static char **stack;
+static int stack_len;
+static int next_stack_entry;
+
+static void push(char * expr_ptr)
 {
-	if (tos >= EXPR_BUFFERS) {
-		ERR(NULL, "Stack is full");
-		return;
+	if (next_stack_entry >= stack_len) {
+		char **new_stack = stack;
+		int new_stack_len;
+
+		if (stack_len == 0)
+			new_stack_len = 32;
+		else
+			new_stack_len = stack_len * 2;
+
+		new_stack = realloc(stack, new_stack_len * sizeof(*stack));
+		if (!new_stack) {
+			ERR(NULL, "unable to allocate space");
+			return;
+		}
+		stack_len = new_stack_len;
+		stack = new_stack;
 	}
-	stack[tos] = expr_ptr;
-	tos++;
+	stack[next_stack_entry] = expr_ptr;
+	next_stack_entry++;
 }
- 
-char *pop()
+
+static char *pop(void)
 {
-	tos--;
-	if (tos < 0) {
-		ERR(NULL, "Stack is Empty");
+	next_stack_entry--;
+	if (next_stack_entry < 0) {
+		next_stack_entry = 0;
+		ERR(NULL, "pop called with no stack entries");
 		return NULL;
 	}
-	return (char *)stack[tos];
+	return stack[next_stack_entry];
 }
 /* End Stack services */
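Review bot: push() still drops the entry silently when realloc() fails: it returns void after the ERR(), so the caller cannot tell the push was lost, and a later pop() will hand back NULL (or the wrong operand) to code that calls strlen() on it. Make the failure visible with `static int push(char *expr_ptr)`, `return -1;` in the allocation-failure branch and `return 0;` at the end, and have the caller propagate it. The stack, stack_len and next_stack_entry are also file-scope state that is never freed or reset; after an error return from the conversion, a stale next_stack_entry carries into the next call, so resetting `next_stack_entry = 0;` at the start of each conversion would be safer. Using a size_t for stack_len would match the allocation arithmetic, though the int overflow is not reachable in practice.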
 
@@ -322,6 +336,10 @@ static int constraint_expr_eval_reason(context_struct_t * scontext,
 
 	/* Original function but with buffer support */
 	for (e = constraint->expr; e; e = e->next) {
+		if (expr_counter >= EXPR_BUFFERS) {
+			ERR(NULL, "%s: expr_buf overflow", __func__);
+			return -ENOMEM;
+		}
 		/* malloc a buffer to store each expression text component */
 		expr_buf[expr_counter] = malloc(EXPR_BUF_SIZE);
 		if (!expr_buf[expr_counter]) {
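Review bot: The new guard lets expr_counter reach EXPR_BUFFERS, i.e. every slot of expr_buf can be filled, but the later scan `for (x = 0; expr_buf[x] != NULL; x++)` stops on a NULL entry; if expr_buf is declared with exactly EXPR_BUFFERS elements (its declaration is outside the hunk), a constraint with 30 expressions leaves no terminator and the scan reads past the array. Either reject at `if (expr_counter >= EXPR_BUFFERS - 1)` or size the array EXPR_BUFFERS + 1 and keep the sentinel. Returning -ENOMEM here also leaks the expr_buf entries malloc'd in earlier iterations unless a cleanup path outside the hunk frees them, and ENOMEM is a misleading code for "too many expressions" (something like -E2BIG reads better). The enclosing function begins and ends outside this hunk.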
@@ -622,6 +640,10 @@ static int constraint_expr_eval_reason(context_struct_t * scontext,
 	for (x = 0; expr_buf[x] != NULL; x++) {
 		if (strncmp(expr_buf[x], "and", 3) == 0 || strncmp(expr_buf[x],
 					"or", 2) == 0) {
+			if (answer_counter >= EXPR_BUFFERS) {
+				ERR(NULL, "%s: answer_buf overflow", __func__);
+				return -ENOMEM;
+			}
 			b = pop();
 			b_len = strlen(b);
 			a = pop();
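Review bot: `b = pop(); b_len = strlen(b);` uses the pop() result unchecked, but pop() now returns NULL on an empty stack and push() can silently fail on realloc, so a malformed expression or an allocation failure becomes a NULL dereference instead of an error. Check both operands before taking their lengths: `b = pop(); a = pop(); if (!a || !b) { ERR(NULL, "%s: stack underflow", __func__); return -EINVAL; }`. The new -ENOMEM return has the same leak concern as the expr_buf check: buffers already allocated into expr_buf and answer_buf are not released on this path unless a cleanup label outside the hunk does it. The loop body continues past the end of the hunk.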
-- 
1.8.1


