On Mon, Oct 11, 2021 at 12:41 PM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> Check all types are valid values, especially important for aliases.
>
> ==9702==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000af8 at pc 0x000000560698 bp 0x7ffcca93b9f0 sp 0x7ffcca93b9e8
> READ of size 8 at 0x602000000af8 thread T0
> #0 0x560697 in write_type_alias_rules_to_conf ./libsepol/src/kernel_to_conf.c:1424:10
> #1 0x55af16 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3131:7
> #2 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9
> #3 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
> #4 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
> #5 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
> #6 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
> #7 0x7f518b1d57ec in __libc_start_main csu/../csu/libc-start.c:332:16
> #8 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
> libsepol/src/policydb_validate.c | 19 +++++++++++--------
> 1 file changed, 11 insertions(+), 8 deletions(-)
>
> diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
> index a6ae728a..c9700399 100644
> --- a/libsepol/src/policydb_validate.c
> +++ b/libsepol/src/policydb_validate.c
> @@ -348,6 +348,14 @@ static int validate_level(__attribute__ ((unused))hashtab_key_t k, hashtab_datum
> return validate_mls_level(level->level, &flavors[SYM_LEVELS], &flavors[SYM_CATS]);
> }
>
> +static int validate_datum(__attribute__ ((unused))hashtab_key_t k, hashtab_datum_t d, void *args)
> +{
> + symtab_datum_t *s = d;
> + uint32_t *nprim = (uint32_t *)args;
> +
> + return !value_isvalid(s->value, *nprim);
> +}
> +
> static int validate_datum_arrays(sepol_handle_t *handle, policydb_t *p, validate_t flavors[])
> {
> unsigned int i;
> @@ -406,6 +414,9 @@ static int validate_datum_arrays(sepol_handle_t *handle, policydb_t *p, validate
> }
> }
>
> + if (hashtab_map(p->p_types.table, validate_datum, &flavors[SYM_TYPES]))
> + goto bad;
> +
> if (hashtab_map(p->p_levels.table, validate_level, flavors))
> goto bad;
>
This should not be in this function. See the comments for patch 13.
Thanks,
Jim
> @@ -707,14 +718,6 @@ bad:
> return -1;
> }
>
> -static int validate_datum(__attribute__ ((unused))hashtab_key_t k, hashtab_datum_t d, void *args)
> -{
> - symtab_datum_t *s = d;
> - uint32_t *nprim = (uint32_t *)args;
> -
> - return !value_isvalid(s->value, *nprim);
> -}
> -
> static int validate_symtabs(sepol_handle_t *handle, symtab_t symtabs[], validate_t flavors[])
> {
> unsigned int i;
> --
> 2.33.0
>
