Re: libsepol: signed integer overflow in the HLL line counter of CIL compiler

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, Feb 2, 2021 at 2:42 PM William Roberts <bill.c.roberts@xxxxxxxxx> wrote:
>
> On Tue, Feb 2, 2021 at 1:37 AM Nicolas Iooss <nicolas.iooss@xxxxxxx> wrote:
> >
> > Hello,
> >
> > OSS-Fuzz found an integer overflow when compiling the following
> > (empty) CIL policy:
> >
> > ;;*lms 2147483647 a
> > ; (empty line)
> >
> > ";;*lms" is a line mark which can be produced by the HLL compiler (if
> > I understand correctly the meaning of CIL_KEY_HLL_LMS in
> > libsepol/cil/src/cil_parser.c). The line number is parsed as an "int"
> > variable:
> >
> >   *hll_lineno = strtol(tok.value, &end, 10);
> >   if (errno == ERANGE || *end != '\0') {
> >     cil_log(CIL_ERR, "Problem parsing line number for line mark\n");
> >     goto exit;
> >   }
> >
> > This code has another issue which is that it silently truncates values
> > to 32-bit signed integers on systems where sizeof(long) is 8, because
> > hll_lineno is of type "int *", not "long *".
> >
> > But the issue found by OSS-Fuzz is that when 2147483647 is used (which
> > is INT_MAX, 0x7fffffff in hexadecimal), "hll_lineno++;" overflows the
> > capacity of signed integers, in cil_parser(), and this is an undefined
> > behavior. This could be fixed by limiting the number of lines in a
> > source file to some sane value. Another approach consists in emitting
> > a warning and resetting the line counter every time it reaches
> > INT_MAX. Thoughts?
>
> I would lean towards using the proper type, so we get the full range depending
> on architecture and warn on lineno wrap, but let it happen. IIUC,
> Lineno is a helper.
> I don't see it really affecting anything, so why make it a fatal error.
>

I agree that it doesn't need to be a fatal error. I think it should be
read into an unsigned long and then checked using something like what
Nicolas did in cil_fill_integer() before being saved in hll_lineno.
Also, it makes sense to just make hll_lineno be a uint32_t.

I am working on a patch, but I won't be able to send it out until late
this afternoon.

Jim

> >
> > For reference (and for the people who have access to it), the related
> > OSS-Fuzz issue is
> > https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28751.
> >
> > Cheers,
> > Nicolas
> >
[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux