This needs to be broken up into three patch sets.
1) libfuzz: patches 1-5
2) policydb_validate improvements: patches 13, 16, 17, 22, 23, 25-31, 33
3) General libsepol fixes: patches 6-12, 14, 15, 18-21, 24, 32, 34, 35
I have some comments on the individual patches which will be coming soon.
Thanks,
Jim
On Mon, Oct 11, 2021 at 12:42 PM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> Add a libfuzz[1] based fuzzer testing the reading and parsing of binary policy
> files. This fuzzer will be run within the OSS-Fuzz service.
>
> Handle and reject a variety of edge cases causing crashes or resource leaks.
>
> The fifth patch ("libsepol/fuzz: limit element sizes for fuzzing") needs some
> discussion: To avoid oom reports from the fuzzer, caused by huge memory
> allocations, all identifiers are limited to a length of 2^16 for the fuzzer
> build only. Probably there should be a limit for the release build too.
> Is there a specification for the binary policy format saying something about
> the maximum length of identifiers?
> After a quick look at the kernel sources (most interesting is str_read()) I
> could not find any limits either.
>
> [1]: https://llvm.org/docs/LibFuzzer.html
>
> Christian Göttsche (35):
> cifuzz: enable report-unreproducible-crashes
> cifuzz: use the default runtime of 600 seconds
> libsepol/fuzz: silence secilc-fuzzer
> libsepol: add libfuzz based fuzzer for reading binary policies
> libsepol/fuzz: limit element sizes for fuzzing
> libsepol: use logging framework in conditional.c
> libsepol: use logging framework in ebitmap.c
> libsepol: use mallocarray wrapper to avoid overflows
> libsepol: use reallocarray wrapper to avoid overflows
> libsepol: add checks for read sizes
> libsepol: enforce avtab item limit
> libsepol: clean memory on conditional read failure
> libsepol: validate MLS levels
> libsepol: reject invalid fsuse types
> libsepol: reject invalid default targets
> libsepol: validate expanded user range and level
> libsepol: validate types
> libsepol: use size_t for indexes in strs helpers
> libsepol: reject abnormal huge sid ids
> libsepol: do not crash on class gaps
> libsepol: do not crash on user gaps
> libsepol: validate permission count of classes
> libsepol: resolve log message mismatch
> libsepol: zero member before potential dereference
> libsepol: validate avtab types
> libsepol: validate constraint expression operators and attributes
> libsepol: validate type of avtab type rules
> libsepol: validate ocontexts
> libsepol: validate genfs contexts
> libsepol: validate permissive types
> libsepol: validate policy properties
> libsepol: do not underflow on short format arguments
> libsepol: validate categories
> libsepol: use correct size for initial string list
> libsepol: do not create a string list with initial size zero
>
> .github/workflows/cifuzz.yml | 3 +-
> libsepol/fuzz/binpolicy-fuzzer.c | 63 +++++++
> libsepol/fuzz/policy.bin | Bin 0 -> 1552 bytes
> libsepol/fuzz/secilc-fuzzer.c | 5 +
> libsepol/src/Makefile | 6 +
> libsepol/src/avtab.c | 6 +
> libsepol/src/conditional.c | 36 ++--
> libsepol/src/ebitmap.c | 27 ++-
> libsepol/src/expand.c | 4 +-
> libsepol/src/hashtab.c | 4 +-
> libsepol/src/kernel_to_cil.c | 10 ++
> libsepol/src/kernel_to_common.c | 23 ++-
> libsepol/src/kernel_to_common.h | 4 +-
> libsepol/src/kernel_to_conf.c | 13 +-
> libsepol/src/link.c | 3 +-
> libsepol/src/module.c | 4 +-
> libsepol/src/module_to_cil.c | 13 +-
> libsepol/src/optimize.c | 11 +-
> libsepol/src/policydb.c | 68 +++++++-
> libsepol/src/policydb_validate.c | 274 +++++++++++++++++++++++++++++--
> libsepol/src/private.h | 27 ++-
> libsepol/src/services.c | 12 +-
> libsepol/src/sidtab.c | 3 +-
> libsepol/src/user_record.c | 8 +-
> libsepol/src/users.c | 12 +-
> libsepol/src/util.c | 11 +-
> libsepol/src/write.c | 2 +-
> scripts/oss-fuzz.sh | 19 ++-
> 28 files changed, 556 insertions(+), 115 deletions(-)
> create mode 100644 libsepol/fuzz/binpolicy-fuzzer.c
> create mode 100644 libsepol/fuzz/policy.bin
>
> --
> 2.33.0
>
