Every rule other than src_info has their syntax checked when building the AST. It wasn't considered necessary for src_info rules because they were expected to always be generated by the parser and aren't part of the CIL language. But there is no check preventing them from occurring in a policy and the secilc fuzzer found some bugs by using src_info rules in a policy. This caused some syntax checking to be added. Since the parse AST from secil2tree will contain src_info rules and since the goal is to be able to compile the output of secil2tree, it makes sense to check the syntax of src_info rules in the same way that all of the other rules are checked. Check the syntax of src_info statements in the same way every other rule is checked.
Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
---
 libsepol/cil/src/cil_build_ast.c | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index 9da90883..5e65a266 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -6075,12 +6075,24 @@ void cil_destroy_mls(struct cil_mls *mls)
 int cil_gen_src_info(struct cil_tree_node *parse_current, struct cil_tree_node *ast_node)
 {
- /* No need to check syntax, because this is auto generated */
+ int rc = SEPOL_ERR;
+ enum cil_syntax syntax[] = {
+ CIL_SYN_STRING,
+ CIL_SYN_STRING,
+ CIL_SYN_STRING,
+ CIL_SYN_N_LISTS | CIL_SYN_END,
+ CIL_SYN_END
+ };
+ int syntax_len = sizeof(syntax)/sizeof(*syntax);
 struct cil_src_info *info = NULL;
- if (parse_current->next == NULL || parse_current->next->next == NULL) {
- cil_tree_log(parse_current, CIL_ERR, "Bad <src_info>");
- return SEPOL_ERR;
+ if (parse_current == NULL || ast_node == NULL) {
+ goto exit;
+ }
+
+ rc = __cil_verify_syntax(parse_current, syntax, syntax_len);
+ if (rc != SEPOL_OK) {
+ goto exit;
 }
 cil_src_info_init(&info);
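Review bot: The `syntax[]` table added to cil_gen_src_info has no comment saying what shape it accepts, and the removed comment that explained why the check was skipped is not replaced. The commit message says src_info can appear in policy text, so I would put `/* three string nodes, then zero or more lists; input may come from a policy, not only the parser */` above the array (the "zero or more lists" reading is taken from the flag names and should be confirmed). From what is visible the table constrains node kinds only, so the code that reads the string fields, which lies outside this hunk, should be confirmed to reject values it does not expect. The function body continues past the end of the hunk.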
@@ -6092,6 +6104,10 @@ int cil_gen_src_info(struct cil_tree_node *parse_current, struct cil_tree_node *
 ast_node->flavor = CIL_SRC_INFO;
 return SEPOL_OK;
+
+exit:
+ cil_tree_log(parse_current, CIL_ERR, "Bad src info");
+ return rc;
 }
 void cil_destroy_src_info(struct cil_src_info *info)
--
2.31.1
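Review bot: The `exit:` label logs through `cil_tree_log(parse_current, ...)`, but one way to reach it is the `parse_current == NULL` guard in the first hunk, so the logger can receive a NULL node. cil_tree_log is not shown on this page; unless it is known to accept NULL, the guard should return without logging, `if (parse_current == NULL || ast_node == NULL) return SEPOL_ERR;`. The single message "Bad src info" also covers both the NULL-argument case and the syntax failure, which makes fuzzer findings harder to triage. The function starts before this hunk.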