While fuzzing /usr/libexec/hll/pp, a policy module was generated with a role->bounds larger that the number of roles in the policy. This issue has been found while fuzzing hll/pp with the American Fuzzy Lop. This patch was suggested by James Carter <jwcart2@xxxxxxxxx> in https://lore.kernel.org/selinux/CAP+JOzQc3yXczhk5JfUrr+6rFe3AXis+yJAukCFbz=aQotriQQ@xxxxxxxxxxxxxx/T/#mdd4bed0972c7c6f339e28270f73e9b7b09bb359f Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx> --- libsepol/src/policydb.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c index f5809315cc08..08c4cb18efcf 100644 --- a/libsepol/src/policydb.c +++ b/libsepol/src/policydb.c @@ -1030,6 +1030,8 @@ static int role_index(hashtab_key_t key, hashtab_datum_t datum, void *datap) return -EINVAL; if (p->p_role_val_to_name[role->s.value - 1] != NULL) return -EINVAL; + if (role->bounds > p->p_roles.nprim) + return -EINVAL; p->p_role_val_to_name[role->s.value - 1] = (char *)key; p->role_val_to_struct[role->s.value - 1] = role; @@ -1049,6 +1051,8 @@ static int type_index(hashtab_key_t key, hashtab_datum_t datum, void *datap) return -EINVAL; if (p->p_type_val_to_name[typdatum->s.value - 1] != NULL) return -EINVAL; + if (typdatum->bounds > p->p_types.nprim) + return -EINVAL; p->p_type_val_to_name[typdatum->s.value - 1] = (char *)key; p->type_val_to_struct[typdatum->s.value - 1] = typdatum; } -- 2.30.0
