Re: [PATCH 3/3] libsepol: make parsing symbol table headers more robust

On 11/15/2016 06:07 PM, Nicolas Iooss wrote:
> When hll/pp loads a policy file which has been modified so that the
> nprim field of one of its non-empty symbol tables was changed to zero, it
> crashes with a segmentation fault. A quick analysis leads to
> "p->sym_val_to_name[i] = (char **)alloc(p->symtab[i].nprim, sizeof(char
> *));" in policydb_index_others(), which is not executed when
> p->symtab[i].nprim is zero even though there are items in
> p->symtab[i].table.
> 
> Detect such an oddity in the policy file early to exit with a clean
> error message.

I'll apply this but I'd like to know where the segmentation fault
occurred.  The index functions already check whether the value exceeds
the nprim value, and therefore shouldn't try to set the _val_to_name[]
entry.

> 
> Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>
> ---
>  libsepol/src/policydb.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
> index b112fd5465b5..d1019e42de16 100644
> --- a/libsepol/src/policydb.c
> +++ b/libsepol/src/policydb.c
> @@ -3510,6 +3510,10 @@ static int avrule_decl_read(policydb_t * p, avrule_decl_t * decl,
>  			return -1;
>  		nprim = le32_to_cpu(buf[0]);
>  		nel = le32_to_cpu(buf[1]);
> +		if (nel && !nprim) {
> +			ERR(fp->handle, "unexpected items in decl symbol table with no symbol");
> +			return -1;
> +		}
>  		for (j = 0; j < nel; j++) {
>  			if (read_f[i] (p, decl->symtab[i].table, fp)) {
>  				return -1;
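
Review bot: the new "if (nel && !nprim)" test ahead of the "for (j = 0; j < nel; j++)" loop only rejects nprim == 0; nothing in this hunk bounds the items against a nonzero nprim, so that case still depends on checks made elsewhere. A short comment above the test stating which later code relies on nprim being nonzero when items are present would make the invariant reviewable, and the error message could name the table index i so the offending table can be identified from the log.
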
> @@ -3881,6 +3885,10 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose)
>  			goto bad;
>  		nprim = le32_to_cpu(buf[0]);
>  		nel = le32_to_cpu(buf[1]);
> +		if (nel && !nprim) {
> +			ERR(fp->handle, "unexpected items in symbol table with no symbol");
> +			goto bad;
> +		}
>  		for (j = 0; j < nel; j++) {
>  			if (read_f[i] (p, p->symtab[i].table, fp))
>  				goto bad;
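
Review bot: the test added before the loop in policydb_read() duplicates the one in avrule_decl_read(), differing only in the message text ("symbol table" versus "decl symbol table") and the exit path ("goto bad" versus "return -1"). Consider a small shared helper that validates the nprim/nel pair and is called from both read paths, so the two checks cannot drift apart if the rule is tightened later.
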
> 
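
The header check discussed in this thread, next to a per-item guard of the kind the reply mentions, as an added stand-alone sketch that is not part of the original messages or of libsepol. The function names, result codes, sample bytes and the 1-based value convention are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result codes for this sketch (not libsepol's). */
enum { HDR_OK = 0, HDR_TRUNCATED = -1, HDR_ITEMS_WITHOUT_PRIM = -2 };

/* Constructed sample headers: nprim then nel, each a little-endian u32. */
static const unsigned char hdr_good[8] = { 3, 0, 0, 0, 2, 0, 0, 0 };
static const unsigned char hdr_bad[8]  = { 0, 0, 0, 0, 2, 0, 0, 0 };

static uint32_t rd_le32(const unsigned char *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Read nprim/nel and reject the header the patch targets: items but nprim == 0. */
int parse_symtab_hdr(const unsigned char *buf, size_t len,
		     uint32_t *nprim, uint32_t *nel)
{
	if (len < 8)
		return HDR_TRUNCATED;
	*nprim = rd_le32(buf);
	*nel = rd_le32(buf + 4);
	if (*nel && !*nprim)
		return HDR_ITEMS_WITHOUT_PRIM;
	return HDR_OK;
}

/* Per-item guard: refuse a missing array or a value outside 1..nprim.
 * Assumption of this sketch: values are 1-based indexes into val_to_name[]. */
int index_item(const char **val_to_name, uint32_t nprim,
	       uint32_t value, const char *name)
{
	if (!val_to_name || !value || value > nprim)
		return -1;
	val_to_name[value - 1] = name;
	return 0;
}

int main(void)
{
	uint32_t nprim, nel;
	printf("good: %d\n", parse_symtab_hdr(hdr_good, sizeof(hdr_good), &nprim, &nel));
	printf("bad:  %d\n", parse_symtab_hdr(hdr_bad, sizeof(hdr_bad), &nprim, &nel));
	return 0;
}
```
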
