Re: [PATCH v2 2/3] libsepol: validate constraint depth

[James Carter <jwcart2@xxxxxxxxx>]

On Fri, Nov 3, 2023 at 2:27 PM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> Ensure constraint expressions are complete and do not exceed the
> supported depth limit.
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>

Acked-by: James Carter <jwcart2@xxxxxxxxx>

> ---
>  libsepol/src/policydb_validate.c | 20 ++++++++++++++++++++
>  1 file changed, 20 insertions(+)
>
> diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
> index 810c3263..b20ed579 100644
> --- a/libsepol/src/policydb_validate.c
> +++ b/libsepol/src/policydb_validate.c
> @@ -228,6 +228,7 @@ bad:
>  static int validate_constraint_nodes(sepol_handle_t *handle, unsigned int nperms, const constraint_node_t *cons, validate_t flavors[])
>  {
>         const constraint_expr_t *cexp;
> +       int depth;
>
>         for (; cons; cons = cons->next) {
>                 if (nperms == 0 && cons->permissions != 0)
> @@ -240,8 +241,14 @@ static int validate_constraint_nodes(sepol_handle_t *handle, unsigned int nperms
>                 if (!cons->expr)
>                         goto bad;
>
> +               depth = -1;
> +
>                 for (cexp = cons->expr; cexp; cexp = cexp->next) {
>                         if (cexp->expr_type == CEXPR_NAMES) {
> +                               if (depth >= (CEXPR_MAXDEPTH - 1))
> +                                       goto bad;
> +                               depth++;
> +
>                                 if (cexp->attr & CEXPR_XTARGET && nperms != 0)
>                                         goto bad;
>                                 if (!(cexp->attr & CEXPR_TYPE)) {
> @@ -282,6 +289,10 @@ static int validate_constraint_nodes(sepol_handle_t *handle, unsigned int nperms
>                                         goto bad;
>                                 }
>                         } else if (cexp->expr_type == CEXPR_ATTR) {
> +                               if (depth >= (CEXPR_MAXDEPTH - 1))
> +                                       goto bad;
> +                               depth++;
> +
>                                 if (!ebitmap_is_empty(&cexp->names))
>                                         goto bad;
>                                 if (validate_empty_type_set(cexp->type_names))
> @@ -318,8 +329,14 @@ static int validate_constraint_nodes(sepol_handle_t *handle, unsigned int nperms
>                         } else {
>                                 switch (cexp->expr_type) {
>                                 case CEXPR_NOT:
> +                                       if (depth < 0)
> +                                               goto bad;
> +                                       break;
>                                 case CEXPR_AND:
>                                 case CEXPR_OR:
> +                                       if (depth < 1)
> +                                               goto bad;
> +                                       depth--;
>                                         break;
>                                 default:
>                                         goto bad;
> @@ -335,6 +352,9 @@ static int validate_constraint_nodes(sepol_handle_t *handle, unsigned int nperms
>                                         goto bad;
>                         }
>                 }
> +
> +               if (depth != 0)
> +                       goto bad;
>         }
>
>         return 0;
> --
> 2.42.0
>