On Fri, Oct 8, 2021 at 12:06 PM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> On Fri, 8 Oct 2021 at 16:49, James Carter <jwcart2@xxxxxxxxx> wrote:
> >
> > The maximum number of permissions in a class is 32. This is so that
> > each permission can be represented by a bit in a uint32_t. In two
> > places while building the binary policy from CIL an expression of the
> > form "1 << x" is used to set the permission bit. Unfortunately, this
> > expression is undefined if x == 31 because the 1 is an int and cannot
> > be left shifted by 31.
> >
> > Instead, use 1U << x, because an unsigned can be shifted 31.
> >
> > This bug was found by the secilc-fuzzer.
> >
> > Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
> > ---
> > libsepol/cil/src/cil_binary.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
> > index ec5f01e5..90af430d 100644
> > --- a/libsepol/cil/src/cil_binary.c
> > +++ b/libsepol/cil/src/cil_binary.c
> > @@ -1225,7 +1225,7 @@ int __perm_str_to_datum(char *perm_str, class_datum_t *sepol_class, uint32_t *da
> > goto exit;
> > }
> > }
> > - *datum |= 1 << (sepol_perm->s.value - 1);
> > + *datum |= 1U << (sepol_perm->s.value - 1);
> >
> > return SEPOL_OK;
> >
> > @@ -4760,7 +4760,7 @@ static struct cil_list *cil_classperms_from_sepol(policydb_t *pdb, uint16_t clas
> > cil_list_init(&cp->perms, CIL_PERM);
> > for (i = 0; i < sepol_class->permissions.nprim; i++) {
> > struct cil_perm *perm;
> > - if ((data & (1 << i)) == 0) continue;
> > + if ((data & (1U << i)) == 0) continue;
> > perm = perm_value_to_cil[class][i+1];
> > if (!perm) goto exit;
> > cil_list_append(cp->perms, CIL_PERM, perm);
> > --
> > 2.31.1
> >
>
> There might be more instances (not in libsepol/cil though), as a
> simple `grep -REi "1\s*<<"` shows (false positives removed by hand):
>
> libselinux/src/stringrep.c: return
> map_perm(tclass, 1<<i);
> libselinux/src/stringrep.c: if ((1<<i) & av)
> libselinux/src/stringrep.c: str =
> security_av_perm_to_string(tclass, av & (1<<i));
> libselinux/src/stringrep.c: str =
> security_av_perm_to_string(tclass, av & (1<<i));
> libselinux/src/mapping.c: if (tperm & (1<<i)) {
> libselinux/src/mapping.c: tperm &= ~(1<<i);
> libselinux/src/mapping.c: tperm |= 1<<i;
> libselinux/src/mapping.c: result |= 1<<i;
> libselinux/src/mapping.c: result |= 1<<i;
> libselinux/src/mapping.c: result |= 1<<i;
> libselinux/src/mapping.c: result |= 1<<i;
> libselinux/src/mapping.c: result |= 1<<i;
> libselinux/src/mapping.c: result |= 1<<i;
> libselinux/src/mapping.c: result |= 1<<i;
> libselinux/src/mapping.c: result |= 1<<i;
> mcstrans/src/mcscolor.c: mask |= (1 << i);
> mcstrans/src/mcscolor.c: if (!(mask & (1 << i)))
> python/audit2allow/sepolgen-ifgen-attr-helper.c: if (av
> & (1 << i)) {
> checkpolicy/policy_define.c: node->permissions |=
> (1 << (perdatum->s.value - 1));
> checkpolicy/checkpolicy.c: if
> (avd.allowed & (1 << (i - 1))) {
> libsepol/src/conditional.c: (test &
> (0x1 << j)) ? 1 : 0;
> libsepol/src/conditional.c:
> cn->expr_pre_comp |= 0x1 << test;
> libsepol/src/services.c: *av = 0x1 << (perm_datum->s.value - 1);
> libsepol/src/services.c: *av = 0x1 << (perm_datum->s.value - 1);
> libsepol/src/avtab.c: nslot = 1 << shift;
Thanks, I just searched for them in the CIL code. I will take a look at these.
Jim
