On Mon, Jul 12, 2021 at 4:36 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> On Mon, Jul 12, 2021 at 4:54 AM Nicolas Iooss <nicolas.iooss@xxxxxxx> wrote:
> >
> > Using the '\0' character in strings in a CIL policy is not expected to
> > happen, and makes the flex tokenizer very slow. For example, when
> > generating a file with:
> >
> > python -c 'print("\"" + "\0"*100000 + "\"")' > policy.cil
> >
> > secilc fails after 26 seconds on my desktop computer. Increasing the
> > number of \0 makes this time increase significantly. But replacing \0
> > with another character makes secilc fail in only a few milliseconds.
> >
> > Fix this "possible denial of service" issue by forbidding \0 in strings
> > in CIL policies.
> >
> > Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36016
> >
> > Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>
>
> Acked-by: James Carter <jwcart2@xxxxxxxxx>

Merged. Thanks!
Nicolas

> > ---
> >  libsepol/cil/src/cil_lexer.l | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libsepol/cil/src/cil_lexer.l b/libsepol/cil/src/cil_lexer.l
> > index e28c33ecb9f1..8bf2b6e7765a 100644
> > --- a/libsepol/cil/src/cil_lexer.l
> > +++ b/libsepol/cil/src/cil_lexer.l
> > @@ -49,7 +49,7 @@ spec_char [\[\]\.\@\=\/\*\-\_\$\%\+\-\!\|\&\^\:\~\`\#\{\}\'\<\>\?\,]
> >  symbol ({digit}|{alpha}|{spec_char})+
> >  white [ \t]
> >  newline [\n\r]
> > -qstring \"[^"\n]*\"
> > +qstring \"[^"\n\0]*\"
> >  hll_lm ^;;\*
> >  comment ;
> >
> > --
> > 2.32.0
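Review bot: the commit message reports the slowdown and the fix but not why a NUL byte, unlike any other byte, makes the flex scanner slow, so the one-character change to `qstring \"[^"\n\0]*\"` reads as a symptom patch; a sentence on the root cause in the message, or a short comment beside the rule, would let the next reader judge whether excluding NUL from quoted strings is the complete fix. The hunk touches only the qstring rule, so it would also help to state whether the other rules in this file that consume arbitrary bytes (the `comment ;` rule that follows the changed line, for instance) were checked against the same input pattern, and to note in the CIL documentation that quoted strings may not contain NUL, since such policies are now rejected rather than parsed.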