Re: [PATCH 2/5] libsepol: reject avtab entries with invalid specifier

On Thu, Jul 13, 2023 at 2:35 PM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> Neverallow avtab entries are not supported (normal and extended). Reject
> them to avoid lookup confusions via avtab_search(), e.g. when searching
> for an invalid key of AVTAB_TRANSITION|AVTAB_NEVERALLOW and the result of
> only AVTAB_NEVERALLOW has no transition value.
>
> Simplify the check for the number of specifiers by using the compiler
> popcount builtin (already used in libsepol).
>
> Reported-by: oss-fuzz (issue 60568)
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
>  libsepol/src/avtab.c | 13 ++++++-------
>  1 file changed, 6 insertions(+), 7 deletions(-)
>
> diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c
> index 5c76fe12..7b85519b 100644
> --- a/libsepol/src/avtab.c
> +++ b/libsepol/src/avtab.c
> @@ -564,7 +564,6 @@ int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a,
>         avtab_datum_t datum;
>         avtab_trans_t trans;
>         avtab_extended_perms_t xperms;
> -       unsigned set;
>         unsigned int i;
>         int rc;
>
> @@ -666,13 +665,13 @@ int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a,
>         key.target_class = le16_to_cpu(buf16[items++]);
>         key.specified = le16_to_cpu(buf16[items++]);
>
> -       set = 0;
> -       for (i = 0; i < ARRAY_SIZE(spec_order); i++) {
> -               if (key.specified & spec_order[i])
> -                       set++;
> +       if (key.specified & ~(AVTAB_AV | AVTAB_TYPE | AVTAB_XPERMS | AVTAB_ENABLED)) {
> +               ERR(fp->handle, "invalid specifier");
> +               return -1;
>         }
> -       if (!set || set > 1) {
> -               ERR(fp->handle, "more than one specifier");
> +
> +       if (__builtin_popcount(key.specified & ~AVTAB_ENABLED) != 1) {
> +               ERR(fp->handle, "not exactly one specifier");
>                 return -1;
>         }
>
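Review bot: Both new ERR() calls in the second avtab_read_item hunk omit the offending value, so a rejected policy gives no hint which bits were set; consider printing key.specified in hex in "invalid specifier" and "not exactly one specifier". The mask `AVTAB_AV | AVTAB_TYPE | AVTAB_XPERMS | AVTAB_ENABLED` also rejects the neverallow specifiers only by leaving them out, so a one-line comment above it saying that neverallow entries (normal and extended) are deliberately excluded would keep a later edit from widening the mask unnoticed. It is also worth noting in that comment that the popcount check relies on running after the mask check, since it only strips AVTAB_ENABLED itself.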
> --
> 2.40.1
>

Patches 1, 3, and 4 depended on the prefix/suffix patches and are no
longer applicable.
But this one does seem like it is, but, of course, it will no longer
apply cleanly.
Jim



