On Thu, Jul 13, 2023 at 2:35 PM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> Neverallow avtab entries are not supported (normal and extended). Reject
> them to avoid lookup confusions via avtab_search(), e.g. when searching
> for a invalid key of AVTAB_TRANSITION|AVTAB_NEVERALLOW and the result of
> only AVTAB_NEVERALLOW has no transition value.
>
> Simplify the check for the number of specifiers by using the compiler
> popcount builtin (already used in libsepol).
>
> Reported-by: oss-fuzz (issue 60568)
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
> libsepol/src/avtab.c | 13 ++++++-------
> 1 file changed, 6 insertions(+), 7 deletions(-)
>
> diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c
> index 5c76fe12..7b85519b 100644
> --- a/libsepol/src/avtab.c
> +++ b/libsepol/src/avtab.c
> @@ -564,7 +564,6 @@ int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a,
> avtab_datum_t datum;
> avtab_trans_t trans;
> avtab_extended_perms_t xperms;
> - unsigned set;
> unsigned int i;
> int rc;
>
> @@ -666,13 +665,13 @@ int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a,
> key.target_class = le16_to_cpu(buf16[items++]);
> key.specified = le16_to_cpu(buf16[items++]);
>
> - set = 0;
> - for (i = 0; i < ARRAY_SIZE(spec_order); i++) {
> - if (key.specified & spec_order[i])
> - set++;
> + if (key.specified & ~(AVTAB_AV | AVTAB_TYPE | AVTAB_XPERMS | AVTAB_ENABLED)) {
> + ERR(fp->handle, "invalid specifier");
> + return -1;
> }
> - if (!set || set > 1) {
> - ERR(fp->handle, "more than one specifier");
> +
> + if (__builtin_popcount(key.specified & ~AVTAB_ENABLED) != 1) {
> + ERR(fp->handle, "not exactly one specifier");
> return -1;
> }
>
> --
> 2.40.1
>
Patches 1, 3, and 4 depended on the prefix/suffix patches and are no
longer applicable.
But this one does seem like it is, but, of course, it will not longer
apply cleanly.
Jim
