On Mon, Jul 12, 2021 at 4:54 AM Nicolas Iooss <nicolas.iooss@xxxxxxx> wrote: > > Using the '\0' character in strings in a CIL policy is not expected to > happen, and makes the flex tokenizer very slow. For example when > generating a file with: > > python -c 'print("\"" + "\0"*100000 + "\"")' > policy.cil > > secilc fails after 26 seconds, on my desktop computer. Increasing the > numbers of \0 makes this time increase significantly. But replacing \0 > with another character makes secilc fail in only few milliseconds. > > Fix this "possible denial of service" issue by forbidding \0 in strings > in CIL policies. > > Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36016 > > Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx> Acked-by: James Carter <jwcart2@xxxxxxxxx> > --- > libsepol/cil/src/cil_lexer.l | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libsepol/cil/src/cil_lexer.l b/libsepol/cil/src/cil_lexer.l > index e28c33ecb9f1..8bf2b6e7765a 100644 > --- a/libsepol/cil/src/cil_lexer.l > +++ b/libsepol/cil/src/cil_lexer.l > @@ -49,7 +49,7 @@ spec_char [\[\]\.\@\=\/\*\-\_\$\%\+\-\!\|\&\^\:\~\`\#\{\}\'\<\>\?\,] > symbol ({digit}|{alpha}|{spec_char})+ > white [ \t] > newline [\n\r] > -qstring \"[^"\n]*\" > +qstring \"[^"\n\0]*\" > hll_lm ^;;\* > comment ; > > -- > 2.32.0 >
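Review bot: excluding `\0` from the `qstring` character class means a quoted string that contains a NUL no longer matches this rule at all, so the scanner falls through to whatever rule handles a lone `"`; please confirm that the lexer has a catch-all rule that reports a clear syntax error for this case rather than relying on flex's default ECHO behaviour, and consider stating in the CIL documentation that NUL is not permitted inside quoted strings, since the commit message only says it is "not expected". It is also worth checking whether the same slowdown affects other rules that can match long runs of input (for example the comment rule, or `symbol`), because the fix here only covers `qstring`.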