On Fri, 8 Oct 2021 at 16:49, James Carter <jwcart2@xxxxxxxxx> wrote:
>
> The maximum number of permissions in a class is 32. This is so that
> each permission can be represented by a bit in a uint32_t. In two
> places while building the binary policy from CIL an expression of the
> form "1 << x" is used to set the permission bit. Unfortunately, this
> expression is undefined if x == 31 because the 1 is an int and cannot
> be left shifted by 31.
>
> Instead, use 1U << x, because an unsigned can be shifted 31.
>
> This bug was found by the secilc-fuzzer.
>
> Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
> ---
> libsepol/cil/src/cil_binary.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
> index ec5f01e5..90af430d 100644
> --- a/libsepol/cil/src/cil_binary.c
> +++ b/libsepol/cil/src/cil_binary.c
> @@ -1225,7 +1225,7 @@ int __perm_str_to_datum(char *perm_str, class_datum_t *sepol_class, uint32_t *da
> goto exit;
> }
> }
> - *datum |= 1 << (sepol_perm->s.value - 1);
> + *datum |= 1U << (sepol_perm->s.value - 1);
>
> return SEPOL_OK;
>
> @@ -4760,7 +4760,7 @@ static struct cil_list *cil_classperms_from_sepol(policydb_t *pdb, uint16_t clas
> cil_list_init(&cp->perms, CIL_PERM);
> for (i = 0; i < sepol_class->permissions.nprim; i++) {
> struct cil_perm *perm;
> - if ((data & (1 << i)) == 0) continue;
> + if ((data & (1U << i)) == 0) continue;
> perm = perm_value_to_cil[class][i+1];
> if (!perm) goto exit;
> cil_list_append(cp->perms, CIL_PERM, perm);
> --
> 2.31.1
>
There might be more instances (not in libsepol/cil though), as a
simple `grep -REi "1\s*<<"` shows (false positives removed by hand):
libselinux/src/stringrep.c: return
map_perm(tclass, 1<<i);
libselinux/src/stringrep.c: if ((1<<i) & av)
libselinux/src/stringrep.c: str =
security_av_perm_to_string(tclass, av & (1<<i));
libselinux/src/stringrep.c: str =
security_av_perm_to_string(tclass, av & (1<<i));
libselinux/src/mapping.c: if (tperm & (1<<i)) {
libselinux/src/mapping.c: tperm &= ~(1<<i);
libselinux/src/mapping.c: tperm |= 1<<i;
libselinux/src/mapping.c: result |= 1<<i;
libselinux/src/mapping.c: result |= 1<<i;
libselinux/src/mapping.c: result |= 1<<i;
libselinux/src/mapping.c: result |= 1<<i;
libselinux/src/mapping.c: result |= 1<<i;
libselinux/src/mapping.c: result |= 1<<i;
libselinux/src/mapping.c: result |= 1<<i;
libselinux/src/mapping.c: result |= 1<<i;
mcstrans/src/mcscolor.c: mask |= (1 << i);
mcstrans/src/mcscolor.c: if (!(mask & (1 << i)))
python/audit2allow/sepolgen-ifgen-attr-helper.c: if (av
& (1 << i)) {
checkpolicy/policy_define.c: node->permissions |=
(1 << (perdatum->s.value - 1));
checkpolicy/checkpolicy.c: if
(avd.allowed & (1 << (i - 1))) {
libsepol/src/conditional.c: (test &
(0x1 << j)) ? 1 : 0;
libsepol/src/conditional.c:
cn->expr_pre_comp |= 0x1 << test;
libsepol/src/services.c: *av = 0x1 << (perm_datum->s.value - 1);
libsepol/src/services.c: *av = 0x1 << (perm_datum->s.value - 1);
libsepol/src/avtab.c: nslot = 1 << shift;
