On Fri, 2017-04-07 at 22:44 +0200, Nicolas Iooss wrote:
> Some invalid policies might have p->p_types.nprim = 0. When parsing
> such a policy, "i > p->p_types.nprim - 1" is always false even though
> reading p->type_val_to_struct[i] triggers a segmentation fault.
>
> Make type_set_expand() return an error when parsing such a policy by
> handling correctly when p->p_types.nprim is zero.
>
> This issue has been found while fuzzing semodule_package with the
> American Fuzzy Lop.
>
> Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>

Thanks, applied these six patches.

> ---
> libsepol/src/expand.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
> index 315fc65cfd7e..54bf781d335f 100644
> --- a/libsepol/src/expand.c
> +++ b/libsepol/src/expand.c
> @@ -2527,7 +2527,7 @@ int type_set_expand(type_set_t * set, ebitmap_t
> * t, policydb_t * p,
> * invalid policies might have more
> types set in the ebitmap than
> * what's available in the
> type_val_to_struct mapping
> */
> - if (i > p->p_types.nprim - 1)
> + if (i >= p->p_types.nprim)
> goto err_types;
>
> if (!p->type_val_to_struct[i]) {
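Review bot: the `>=` form is the right fix for the nprim == 0 case the commit message describes: nprim is an unsigned count, so `p->p_types.nprim - 1` wraps to the maximum value when nprim is zero, `i > p->p_types.nprim - 1` can never be true, and the out-of-bounds read of `p->type_val_to_struct[i]` follows; `i >= p->p_types.nprim` avoids the subtraction altogether and is equivalent for every nprim > 0. Two small follow-ups: the commit message would be clearer if it named the unsigned wraparound as the cause rather than only saying the comparison is always false, and it is worth checking the rest of libsepol for the same `> nprim - 1` idiom, since any other bounds check written that way has the same gap for an empty symbol table.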