On 11/15/2016 06:07 PM, Nicolas Iooss wrote: > When hll/pp loads a policy file which has been modified so that the > nprim field of one of its non-empty symbol table was changed to zero, it > crashes with a segmentation fault. A quick analysis leads to > "p->sym_val_to_name[i] = (char **)alloc(p->symtab[i].nprim, sizeof(char > *));" in policydb_index_others(), which is not executed when > p->symtab[i].nprim is zero even though there are items in > p->symtab[i].table. > > Detect such an oddity in the policy file early to exit with a clean > error message. > > Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx> Thanks, applied all three. > --- > libsepol/src/policydb.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c > index b112fd5465b5..d1019e42de16 100644 > --- a/libsepol/src/policydb.c > +++ b/libsepol/src/policydb.c > @@ -3510,6 +3510,10 @@ static int avrule_decl_read(policydb_t * p, avrule_decl_t * decl, > return -1; > nprim = le32_to_cpu(buf[0]); > nel = le32_to_cpu(buf[1]); > + if (nel && !nprim) { > + ERR(fp->handle, "unexpected items in decl symbol table with no symbol"); > + return -1; > + } > for (j = 0; j < nel; j++) { > if (read_f[i] (p, decl->symtab[i].table, fp)) { > return -1; > @@ -3881,6 +3885,10 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose) > goto bad; > nprim = le32_to_cpu(buf[0]); > nel = le32_to_cpu(buf[1]); > + if (nel && !nprim) { > + ERR(fp->handle, "unexpected items in symbol table with no symbol"); > + goto bad; > + } > for (j = 0; j < nel; j++) { > if (read_f[i] (p, p->symtab[i].table, fp)) > goto bad; > _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
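Review bot: in the avrule_decl_read hunk, the new `if (nel && !nprim)` guard rejects only the exact case nprim == 0 with a non-empty table, whereas the commit message ties the crash to `sym_val_to_name[i]` being sized by `p->symtab[i].nprim`; a policy with nel > 0 and a small but non-zero nprim passes this check, so it is worth confirming that the per-symbol readers called through `read_f[i]` bound each symbol's value against nprim before policydb_index_others builds the index. The ERR text would also be more useful when diagnosing a corrupted policy if it reported the values involved, e.g. `ERR(fp->handle, "decl symbol table %u has %u entries but nprim is 0", i, nel);` (`i` is in scope, as the following `read_f[i]` call shows).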
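Review bot: the policydb_read hunk duplicates the guard from avrule_decl_read with only the message text and the exit path (`goto bad` here, `return -1` there) differing, and each exit path matches the conventions of its own function, which is correct; consider using one message format for both so that failures from either path are recognisable in logs, and include the table index and nel in the message here as well. The same caveat applies at this site: the check catches nprim == 0 only, so the nel > nprim case still relies on the readers invoked through `read_f[i]` rejecting out-of-range symbol values.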