[PATCH] libselinux: Fix core dumps with corrupt *.bin files


 



Check buffer address limits when processing *.bin files
to catch any over-runs. On failure, process the text file instead.

To test, the bin files were corrupted by adding and removing
various bits of data. Various file sizes were also checked and
all were caught by the patch.

Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
---
 libselinux/src/label_file.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index b3e5671..c722f29 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -325,6 +325,8 @@ static int load_mmap(struct selabel_handle *rec, const char *path, struct stat *
 		addr += sizeof(uint32_t);
 		if (memcmp((char *)addr, pcre_version(), len))
 			return -1; /* pcre version content mismatch */
+		if (addr + *plen >= (char *)mmap_area->addr + mmap_area->len)
+			return -1; /* Buffer over-run */
 		addr += *plen;
 	}
 
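Review bot: The added test `addr + *plen >= (char *)mmap_area->addr + mmap_area->len` forms the sum before comparing it, so a corrupt length large enough to carry `addr` past the end of the address space (easiest to hit on 32-bit) is undefined pointer arithmetic and can wrap to a value that passes the test. Comparing the length with the bytes that remain avoids this: `if (*plen >= (size_t)((char *)mmap_area->addr + mmap_area->len - (char *)addr)) return -1;`. The check also runs after `*plen` has been dereferenced and after the `memcmp()` above has read `len` bytes at `addr`, so it belongs before both unless code outside this hunk already bounds them. The same form is used by the two checks in the next hunk and the two in the last hunk. load_mmap's body starts and ends outside the hunk.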
@@ -390,11 +392,15 @@ static int load_mmap(struct selabel_handle *rec, const char *path, struct stat *
 		if (!spec->lr.ctx_raw)
 			goto err;
 
+		if (addr + *plen >= (char *)mmap_area->addr + mmap_area->len)
+			return -1;
 		addr += *plen;
 
 		plen = (uint32_t *)addr;
 		addr += sizeof(uint32_t);
 		spec->regex_str = (char *)addr;
+		if (addr + *plen >= (char *)mmap_area->addr + mmap_area->len)
+			return -1;
 		addr += *plen;
 
 		spec->mode = *(mode_t *)addr;
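Review bot: Both new checks exit with a bare `return -1;` while the `ctx_raw` failure two lines above the first one uses `goto err`, so an over-run detected here skips whatever the `err` path releases; the label is outside the hunk, so what it frees is not visible. Using `goto err;` with the return code set the way that path expects would keep the exits consistent, and the same applies to the two checks in the following hunk. Separately, `spec->mode = *(mode_t *)addr;` and each `*plen` read after `plen = (uint32_t *)addr;` take a fixed-size field with no check that `sizeof` bytes remain in the mapping; the `>=` test guarantees only a single byte after the previous field.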
@@ -415,12 +421,16 @@ static int load_mmap(struct selabel_handle *rec, const char *path, struct stat *
 		plen = (uint32_t *)addr;
 		addr += sizeof(uint32_t);
 		spec->regex = (pcre *)addr;
+		if (addr + *plen >= (char *)mmap_area->addr + mmap_area->len)
+			return -1;
 		addr += *plen;
 
 		plen = (uint32_t *)addr;
 		addr += sizeof(uint32_t);
 		spec->lsd.study_data = (void *)addr;
 		spec->lsd.flags |= PCRE_EXTRA_STUDY_DATA;
+		if (addr + *plen >= (char *)mmap_area->addr + mmap_area->len)
+			return -1;
 		addr += *plen;
 
 		data->nspec++;
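Review bot: The checks after `spec->regex` and `spec->lsd.study_data` show only that each blob lies inside the mapping, not that it is a well-formed compiled pattern, and these pointers are presumably handed to PCRE later. A content check would ask PCRE for the pattern size and compare it with the stored length, rejecting the file when `pcre_fullinfo(spec->regex, NULL, PCRE_INFO_SIZE, &size) < 0 || size != *plen` (with `size` a `size_t`), which also catches a bad magic number. `PCRE_EXTRA_STUDY_DATA` is set before the study-data length is checked; setting the flag after the check would keep a rejected entry from being marked as carrying study data. The loop these lines sit in starts and ends outside the hunk.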
-- 
2.1.0
