Hello,
OSS-Fuzz found an integer overflow when compiling the following
(empty) CIL policy:
;;*lms 2147483647 a
; (empty line)
";;*lms" is a line mark which can be produced by the HLL compiler (if
I understand correctly the meaning of CIL_KEY_HLL_LMS in
libsepol/cil/src/cil_parser.c). The line number is parsed as an "int"
variable:
*hll_lineno = strtol(tok.value, &end, 10);
if (errno == ERANGE || *end != '\0') {
cil_log(CIL_ERR, "Problem parsing line number for line mark\n");
goto exit;
}
This code has another issue which is that it silently truncates values
to 32-bit signed integers on systems where sizeof(long) is 8, because
hll_lineno is of type "int *", not "long *".
But the issue found by OSS-Fuzz is that when 2147483647 is used (which
is INT_MAX, 0x7fffffff in hexadecimal), "hll_lineno++;" overflows the
capacity of signed integers, in cil_parser(), and this is an undefined
behavior. This could be fixed by limiting the number of lines in a
source file to some sane value. Another approach consists in emitting
a warning and resetting the line counter every time it reaches
INT_MAX. Thoughts?
For reference (and for the people who have access to it), the related
OSS-Fuzz issue is
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28751.
Cheers,
Nicolas
