On Mon, Nov 13, 2023 at 2:26 PM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote: > > The traditional language and CIL permit common classes only to be > defined with at least one permission. Thus writing a common class > without one will fail. > > Reported-by: oss-fuzz (issue 64059) > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> Acked-by: James Carter <jwcart2@xxxxxxxxx> > --- > libsepol/src/policydb_validate.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c > index 016ab655..1121c8bb 100644 > --- a/libsepol/src/policydb_validate.c > +++ b/libsepol/src/policydb_validate.c > @@ -369,7 +369,7 @@ static int validate_common_datum(sepol_handle_t *handle, const common_datum_t *c > { > if (validate_value(common->s.value, &flavors[SYM_COMMONS])) > goto bad; > - if (common->permissions.nprim > PERM_SYMTAB_SIZE) > + if (common->permissions.table->nel == 0 || common->permissions.nprim > PERM_SYMTAB_SIZE) > goto bad; > > return 0; > -- > 2.42.0 >
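Review bot: In the changed condition in validate_common_datum(), emptiness is tested on `common->permissions.table->nel` while the upper bound on the same line is still tested on `common->permissions.nprim`, and nothing in the hunk says why two different counters are used or whether they are expected to agree. A one-line comment above the check stating the rule from the commit message (a common class must define at least one permission, otherwise writing the policy fails) would make the intent clear, and if `nprim` can be zero or differ from `nel` on a crafted policy it may be worth rejecting that here as well. The new expression also dereferences `permissions.table` with no NULL check visible in this hunk, so please confirm the table is always initialized by the time validation runs. As a style point, splitting the two conditions into separate `if (...) goto bad;` statements would match the neighbouring `validate_value` check and keep the line short.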