Neverallow avtab entries are not supported (normal and extended). Reject them to avoid lookup confusions via avtab_search(), e.g. when searching for a invalid key of AVTAB_TRANSITION|AVTAB_NEVERALLOW and the result of only AVTAB_NEVERALLOW has no transition value. Simplify the check for the number of specifiers by using the compiler popcount builtin (already used in libsepol). Reported-by: oss-fuzz (issue 60568) Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> --- libsepol/src/avtab.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c index 5c76fe12..7b85519b 100644 --- a/libsepol/src/avtab.c +++ b/libsepol/src/avtab.c @@ -564,7 +564,6 @@ int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a, avtab_datum_t datum; avtab_trans_t trans; avtab_extended_perms_t xperms; - unsigned set; unsigned int i; int rc; @@ -666,13 +665,13 @@ int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a, key.target_class = le16_to_cpu(buf16[items++]); key.specified = le16_to_cpu(buf16[items++]); - set = 0; - for (i = 0; i < ARRAY_SIZE(spec_order); i++) { - if (key.specified & spec_order[i]) - set++; + if (key.specified & ~(AVTAB_AV | AVTAB_TYPE | AVTAB_XPERMS | AVTAB_ENABLED)) { + ERR(fp->handle, "invalid specifier"); + return -1; } - if (!set || set > 1) { - ERR(fp->handle, "more than one specifier"); + + if (__builtin_popcount(key.specified & ~AVTAB_ENABLED) != 1) { + ERR(fp->handle, "not exactly one specifier"); return -1; } -- 2.40.1