Add a libfuzz[1] based fuzzer testing the reading and parsing of binary
policy files. This fuzzer will be run within the OSS-Fuzz service.

Handle and reject a variety of edge cases causing crashes or resource
leaks.

The fifth patch ("libsepol/fuzz: limit element sizes for fuzzing")
limits, to avoid oom reports from the fuzzer caused by huge memory
allocations, all identifiers to a length of 2^16 for the fuzzer build
only. A potential limit for the release build needs further discussion.

[1]: https://llvm.org/docs/LibFuzzer.html

v3:
  - Drop RFC status
  - [10] libsepol: add checks for read sizes
    use PERM_SYMTAB_SIZE instead of bare 32 as limit
  - [11] libsepol: enforce avtab item limit
    take zero based numbering of variable items into account
  - [30] libsepol: validate ocontexts
    only check FS and NETIF ocons in selinux policies (not xen)

v2:
  - reorder patches
    1. oss-fuzz related
    2. libsepol parsing and other crashes and UB
    3. enhance policy validation
  - misc changes based on review by James Carter

Christian Göttsche (36):
  cifuzz: enable report-unreproducible-crashes
  cifuzz: use the default runtime of 600 seconds
  libsepol/fuzz: silence secilc-fuzzer
  libsepol: add libfuzz based fuzzer for reading binary policies
  libsepol/fuzz: limit element sizes for fuzzing
  libsepol: use logging framework in conditional.c
  libsepol: use logging framework in ebitmap.c
  libsepol: use mallocarray wrapper to avoid overflows
  libsepol: use reallocarray wrapper to avoid overflows
  libsepol: add checks for read sizes
  libsepol: enforce avtab item limit
  libsepol: clean memory on conditional insertion failure
  libsepol: reject abnormal huge sid ids
  libsepol: reject invalid filetrans source type
  libsepol: zero member before potential dereference
  libsepol: use size_t for indexes in strs helpers
  libsepol: do not underflow on short format arguments
  libsepol: do not crash on class gaps
  libsepol: do not crash on user gaps
  libsepol: use correct size for initial string list
  libsepol: do not create a string list with initial size zero
  libsepol: split validation of datum array gaps and entries
  libsepol: validate MLS levels
  libsepol: validate expanded user range and level
  libsepol: validate permission count of classes
  libsepol: resolve log message mismatch
  libsepol: validate avtab and avrule types
  libsepol: validate constraint expression operators and attributes
  libsepol: validate type of avtab type rules
  libsepol: validate ocontexts
  libsepol: validate genfs contexts
  libsepol: validate permissive types
  libsepol: validate policy properties
  libsepol: validate categories
  libsepol: validate fsuse types
  libsepol: validate class default targets

 .github/workflows/cifuzz.yml     |   3 +-
 libsepol/fuzz/binpolicy-fuzzer.c |  63 ++++
 libsepol/fuzz/policy.bin         | Bin 0 -> 1552 bytes
 libsepol/fuzz/secilc-fuzzer.c    |   5 +
 libsepol/src/Makefile            |   6 +
 libsepol/src/avtab.c             |   6 +
 libsepol/src/conditional.c       |  53 ++--
 libsepol/src/ebitmap.c           |  27 +-
 libsepol/src/expand.c            |   4 +-
 libsepol/src/hashtab.c           |   4 +-
 libsepol/src/kernel_to_cil.c     |  10 +
 libsepol/src/kernel_to_common.c  |  23 +-
 libsepol/src/kernel_to_common.h  |   4 +-
 libsepol/src/kernel_to_conf.c    |  13 +-
 libsepol/src/link.c              |   3 +-
 libsepol/src/module.c            |   4 +-
 libsepol/src/module_to_cil.c     |  13 +-
 libsepol/src/optimize.c          |  11 +-
 libsepol/src/policydb.c          |  27 +-
 libsepol/src/policydb_validate.c | 477 +++++++++++++++++++++++++++----
 libsepol/src/private.h           |  27 +-
 libsepol/src/services.c          |  12 +-
 libsepol/src/sidtab.c            |   3 +-
 libsepol/src/user_record.c       |   8 +-
 libsepol/src/users.c             |  12 +-
 libsepol/src/util.c              |  11 +-
 libsepol/src/write.c             |   2 +-
 scripts/oss-fuzz.sh              |  17 +-
 28 files changed, 686 insertions(+), 162 deletions(-)
 create mode 100644 libsepol/fuzz/binpolicy-fuzzer.c
 create mode 100644 libsepol/fuzz/policy.bin

-- 
2.34.1
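The pattern this cover letter describes, as an added illustration that is not code from the series or from libsepol: a libFuzzer entry point feeding a reader that checks a length-prefixed identifier against both the remaining input and a fuzzer-only 2^16 cap before allocating anything. The [u32 len][bytes] layout, the `struct reader` cursor and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cursor over an in-memory policy blob; fields are little-endian as in policy files. */
struct reader { const uint8_t *data; size_t len; size_t pos; };
/* Read one [u32 len][len bytes] identifier. Returns 0 on success, -1 on truncated input
 * or allocation failure, -2 on an abnormal length. All size checks happen before malloc(). */
static int read_identifier(struct reader *r, uint32_t max_len, char **out)
{
	const uint8_t *p = r->data + r->pos;
	uint32_t len;
	if (r->len - r->pos < 4)
		return -1;                          /* fewer bytes left than the length field needs */
	len = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
	r->pos += 4;
	if (len == 0 || len > max_len)
		return -2;                          /* reject huge sizes instead of allocating them */
	if (r->len - r->pos < len)
		return -1;                          /* declared size exceeds the remaining input */
	char *s = malloc((size_t)len + 1);      /* cannot overflow: len <= max_len */
	if (!s)
		return -1;
	memcpy(s, r->data + r->pos, len);
	s[len] = '\0';
	r->pos += len;
	*out = s;
	return 0;
}

/* Parse the first identifier of a blob; return its length, or the negative status code. */
int first_identifier_len(const uint8_t *data, size_t size, uint32_t max_len)
{
	struct reader r = { data, size, 0 };
	char *id = NULL;
	int rc = read_identifier(&r, max_len, &id);
	if (rc == 0) {
		rc = (int)strlen(id);
		free(id);
	}
	return rc;
}

/* libFuzzer entry point, the shape an OSS-Fuzz target exposes. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
	first_identifier_len(data, size, 1u << 16);  /* fuzzer-only cap, as in the series */
	return 0;
}
```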