On Fri, Jan 7, 2022 at 1:58 PM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> Check the from the polciy read length value to guard allocations.
>
> In the fuzzer build the value will also be bounded to avoid oom reports.
>
> ==143646==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0xd60000000 bytes
> #0 0x4dac18 in __interceptor_calloc (./out/binpolicy-fuzzer+0x4dac18)
> #1 0x55d388 in scope_index_read ./libsepol/src/policydb.c:3945:7
> #2 0x550097 in avrule_decl_read ./libsepol/src/policydb.c:3984:6
> #3 0x550097 in avrule_block_read ./libsepol/src/policydb.c:4044:8
> #4 0x54b3ac in policydb_read ./libsepol/src/policydb.c:4456:7
> #5 0x518fd9 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:35:6
> #6 0x43f623 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (./out/binpolicy-fuzzer+0x43f623)
> #7 0x42910f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (./out/binpolicy-fuzzer+0x42910f)
> #8 0x42ee76 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (./out/binpolicy-fuzzer+0x42ee76)
> #9 0x458ff2 in main (./out/binpolicy-fuzzer+0x458ff2)
> #10 0x7fd37b7931c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
>
> Found by oss-fuzz (#42909)
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
Acked-by: James Carter <jwcart2@xxxxxxxxx>
> ---
> libsepol/src/policydb.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
> index 79aba3af..562e044e 100644
> --- a/libsepol/src/policydb.c
> +++ b/libsepol/src/policydb.c
> @@ -3937,7 +3937,7 @@ static int scope_index_read(scope_index_t * scope_index,
> if (rc < 0)
> return -1;
> scope_index->class_perms_len = le32_to_cpu(buf[0]);
> - if (scope_index->class_perms_len == 0) {
> + if (zero_or_saturated(scope_index->class_perms_len)) {
> scope_index->class_perms_map = NULL;
> return 0;
> }
> --
> 2.34.1
>
