On Wed, Mar 16, 2022 at 4:53 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> When validating a policydb, validate the conditional expressions
> including the values of the booleans within them.
>
> Found by oss-fuzz (#45523)
>
> Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
Merged.
Jim
> ---
> libsepol/src/policydb_validate.c | 43 ++++++++++++++++++++++++++++++++
> 1 file changed, 43 insertions(+)
>
> diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
> index a2dcebe4..13d9480d 100644
> --- a/libsepol/src/policydb_validate.c
> +++ b/libsepol/src/policydb_validate.c
> @@ -881,9 +881,52 @@ bad:
> return -1;
> }
>
> +static int validate_cond_expr(sepol_handle_t *handle, struct cond_expr *expr, validate_t *bool)
> +{
> + int depth = -1;
> +
> + for (; expr; expr = expr->next) {
> + switch(expr->expr_type) {
> + case COND_BOOL:
> + if (validate_value(expr->bool, bool))
> + goto bad;
> + if (depth == (COND_EXPR_MAXDEPTH - 1))
> + goto bad;
> + depth++;
> + break;
> + case COND_NOT:
> + if (depth < 0)
> + goto bad;
> + break;
> + case COND_OR:
> + case COND_AND:
> + case COND_XOR:
> + case COND_EQ:
> + case COND_NEQ:
> + if (depth < 1)
> + goto bad;
> + depth--;
> + break;
> + default:
> + goto bad;
> + }
> + }
> +
> + if (depth != 0)
> + goto bad;
> +
> + return 0;
> +
> +bad:
> + ERR(handle, "Invalid cond expression");
> + return -1;
> +}
> +
> static int validate_cond_list(sepol_handle_t *handle, cond_list_t *cond, validate_t flavors[])
> {
> for (; cond; cond = cond->next) {
> + if (validate_cond_expr(handle, cond->expr, &flavors[SYM_BOOLS]))
> + goto bad;
> if (validate_cond_av_list(handle, cond->true_list, flavors))
> goto bad;
> if (validate_cond_av_list(handle, cond->false_list, flavors))
> --
> 2.34.1
>
