On Thu, Jul 13, 2023 at 2:49 PM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> Ensure counts are not set to the maximum value of their type.
> Also limit their size during fuzzing to prevent OOM reports.
>
> Reported-by: oss-fuzz (issue 60572)
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
> libsepol/src/avtab.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c
> index 9c7daf8e..cb2ca06a 100644
> --- a/libsepol/src/avtab.c
> +++ b/libsepol/src/avtab.c
> @@ -461,6 +461,8 @@ static int avtab_read_name_trans(policy_file_t *fp, symtab_t *target)
> if (rc < 0)
> return rc;
> nel = le32_to_cpu(buf32[0]);
> + if (is_saturated(nel))
> + return -1;
>
> rc = symtab_init(target, nel);
> if (rc < 0)
> @@ -736,7 +738,7 @@ int avtab_read(avtab_t * a, struct policy_file *fp, uint32_t vers)
> goto bad;
> }
> nel = le32_to_cpu(buf[0]);
> - if (!nel) {
> + if (zero_or_saturated(nel)) {
> ERR(fp->handle, "table is empty");
> goto bad;
> }
The other three hunks depended on the prefix/suffix patches, but I
think that this hunk might still be applicable.
Jim
> @@ -909,6 +911,9 @@ static int filename_trans_comp_read_one(avtab_t *a, void *fp)
> key.target_class = le32_to_cpu(buf[1]);
>
> ndatum = le32_to_cpu(buf[2]);
> + if (is_saturated(ndatum))
> + goto err;
> +
> for (i = 0; i < ndatum; i++) {
> rc = ebitmap_read(&stypes, fp);
> if (rc < 0)
> @@ -951,6 +956,8 @@ int avtab_filename_trans_read(void *fp, uint32_t vers, avtab_t *a)
> if (rc < 0)
> return rc;
> nel = le32_to_cpu(*buf);
> + if (is_saturated(nel))
> + return -1;
>
> if (vers < POLICYDB_VERSION_COMP_FTRANS) {
> for (i = 0; i < nel; i++) {
> --
> 2.40.1
>
