On Wed, Jan 20, 2021 at 11:13 AM Nicolas Iooss <nicolas.iooss@xxxxxxx> wrote: > > While fuzzing /usr/libexec/hll/pp, a policy module was generated with a > role->bounds larger that the number of roles in the policy. > > This issue has been found while fuzzing hll/pp with the American Fuzzy > Lop. > > This patch was suggested by James Carter <jwcart2@xxxxxxxxx> in > https://lore.kernel.org/selinux/CAP+JOzQc3yXczhk5JfUrr+6rFe3AXis+yJAukCFbz=aQotriQQ@xxxxxxxxxxxxxx/T/#mdd4bed0972c7c6f339e28270f73e9b7b09bb359f > > Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx> > --- > libsepol/src/policydb.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c > index f5809315cc08..08c4cb18efcf 100644 > --- a/libsepol/src/policydb.c > +++ b/libsepol/src/policydb.c > @@ -1030,6 +1030,8 @@ static int role_index(hashtab_key_t key, hashtab_datum_t datum, void *datap) > return -EINVAL; > if (p->p_role_val_to_name[role->s.value - 1] != NULL) > return -EINVAL; > + if (role->bounds > p->p_roles.nprim) > + return -EINVAL; > p->p_role_val_to_name[role->s.value - 1] = (char *)key; > p->role_val_to_struct[role->s.value - 1] = role; > > @@ -1049,6 +1051,8 @@ static int type_index(hashtab_key_t key, hashtab_datum_t datum, void *datap) > return -EINVAL; > if (p->p_type_val_to_name[typdatum->s.value - 1] != NULL) > return -EINVAL; > + if (typdatum->bounds > p->p_types.nprim) > + return -EINVAL; This is very tricky, but for both of these the bounds value cannot be 0 or >= nprim because the value -1 is used as an index. It has taken me longer than I thought it would, but I am almost ready to send out a patch that should check everything in a policydb_t after it is read in. Maybe by the end of the day, but definitely before the end of the week. Thanks, Jim > p->p_type_val_to_name[typdatum->s.value - 1] = (char *)key; > p->type_val_to_struct[typdatum->s.value - 1] = typdatum; > } > -- > 2.30.0 >
