[PATCH 2/2] libsepol/cil: Limit the amount of reporting for context rule conflicts


 



When there are conflicting context rules, the locations of the
conflicting rules are written out. If there are many duplicates of
the same context rule, there will be many pairs of conflicts written
out. This hides the fact that all of the rules are the same and can
make it hard to see the different conflicts.

Report all the duplicate conflicting rules together and only report
the first 10 conflicts of the same rule.

Fixes problem found by oss-fuzz (#39735)

Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
---
 libsepol/cil/src/cil_post.c | 46 +++++++++++++++++++++----------------
 1 file changed, 26 insertions(+), 20 deletions(-)

diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
index 7e2c2b9a..f0520abe 100644
--- a/libsepol/cil/src/cil_post.c
+++ b/libsepol/cil/src/cil_post.c
@@ -2280,7 +2280,8 @@ static int __cil_post_report_conflict(struct cil_tree_node *node, uint32_t *fini
 static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar)(const void *, const void *), int (*concompar)(const void *, const void *), struct cil_db *db, enum cil_flavor flavor, const char *flavor_str)
 {
 	uint32_t count = sort->count;
-	uint32_t i, j = 0, removed = 0;
+	uint32_t i = 0, j, removed = 0;
+	int conflicting = 0;
 	int rc = SEPOL_OK;
 
 	if (count < 2) {
@@ -2289,36 +2290,41 @@ static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar)
 
 	qsort(sort->array, sort->count, sizeof(sort->array), compar);
 
-	for (i=1; i<count; i++) {
+	for (j=1; j<count; j++) {
 		if (compar(&sort->array[i], &sort->array[j]) != 0) {
-			j++;
+			i++;
+			if (conflicting >= 10) {
+				cil_log(CIL_WARN, "  Only first 10 of %d conflicting rules shown\n", conflicting);
+			}
+			conflicting = 0;
 		} else {
 			removed++;
 			if (!db->multiple_decls ||
 			   concompar(&sort->array[i], &sort->array[j]) != 0) {
 				struct cil_list_item li;
 				int rc2;
-				cil_log(CIL_WARN, "Found conflicting %s rules\n",
-					flavor_str);
-				rc = SEPOL_ERR;
-				li.flavor = flavor;
-				li.data = sort->array[i];
-				rc2 = cil_tree_walk(db->ast->root,
-						    __cil_post_report_conflict,
-						    NULL, NULL, &li);
-				if (rc2 != SEPOL_OK) goto exit;
-				li.data = sort->array[j];
-				rc2 = cil_tree_walk(db->ast->root,
-						    __cil_post_report_conflict,
-						    NULL, NULL, &li);
-				if (rc2 != SEPOL_OK) goto exit;
+				conflicting++;
+				if (conflicting == 1) {
+					cil_log(CIL_WARN, "Found conflicting %s rules\n", flavor_str);
+					rc = SEPOL_ERR;
+					li.flavor = flavor;
+					li.data = sort->array[i];
+					rc2 = cil_tree_walk(db->ast->root, __cil_post_report_conflict,
+										NULL, NULL, &li);
+					if (rc2 != SEPOL_OK) goto exit;
+				}
+				if (conflicting < 10) {
+					li.data = sort->array[j];
+					rc2 = cil_tree_walk(db->ast->root, __cil_post_report_conflict,
+										NULL, NULL, &li);
+					if (rc2 != SEPOL_OK) goto exit;
+				}
 			}
 		}
-		if (i != j) {
-			sort->array[j] = sort->array[i];
+		if (i != j && !conflicting) {
+			sort->array[i] = sort->array[j];
 		}
 	}
-
 	sort->count = count - removed;
 
 exit:
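Review bot: The "Only first 10 of %d conflicting rules shown" summary is emitted only from the branch taken when a differing rule follows a group, so a conflict group that extends to the last element of the sorted array ends the loop without it and nothing tells the reader that rules were omitted; the same check has to run once more after the loop, before `sort->count = count - removed;`. The printed count is also off by one: `conflicting` counts the duplicates after the first rule of the group, and the loop shows `sort->array[i]` plus nine `sort->array[j]` entries, so the group holds `conflicting + 1` rules while the message reports `conflicting` (with exactly ten duplicates it reads "Only first 10 of 10 conflicting rules shown"). The limit `10` is spelled out in the `>= 10` test, the `< 10` test and the message text; a named constant would keep the three in step. The function's tail after `exit:` lies outside the hunk.
```c
		/* … unchanged: compare, report and compact loop body … */
	}
	/* A group that runs to the end of the array never reaches the "differing rule" branch above. */
	if (conflicting >= 10) {
		cil_log(CIL_WARN, "  Only first 10 of %d conflicting rules shown\n", conflicting + 1);
	}
	sort->count = count - removed;
```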
-- 
2.31.1




