Re: [PATCH] libsepol: validate common classes have at least one permissions

On Tue, Nov 14, 2023 at 3:40 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> On Mon, Nov 13, 2023 at 2:26 PM Christian Göttsche
> <cgzones@xxxxxxxxxxxxxx> wrote:
> >
> > The traditional language and CIL permit common classes only to be
> > defined with at least one permission.  Thus writing a common class
> > without one will fail.
> >
> > Reported-by: oss-fuzz (issue 64059)
> > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
>
> Acked-by: James Carter <jwcart2@xxxxxxxxx>
>

This patch has been merged.
Thanks,
Jim

> > ---
> >  libsepol/src/policydb_validate.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
> > index 016ab655..1121c8bb 100644
> > --- a/libsepol/src/policydb_validate.c
> > +++ b/libsepol/src/policydb_validate.c
> > @@ -369,7 +369,7 @@ static int validate_common_datum(sepol_handle_t *handle, const common_datum_t *c
> >  {
> >         if (validate_value(common->s.value, &flavors[SYM_COMMONS]))
> >                 goto bad;
> > -       if (common->permissions.nprim > PERM_SYMTAB_SIZE)
> > +       if (common->permissions.table->nel == 0 || common->permissions.nprim > PERM_SYMTAB_SIZE)
> >                 goto bad;
> >
> >         return 0;
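
Review bot: The new condition in validate_common_datum takes its lower bound from `common->permissions.table->nel` but its upper bound, on the same line, from `common->permissions.nprim`, so the two limits depend on different counters that nothing in this hunk shows to agree. Consider testing a single counter for both, or add a short comment explaining why `nel` is the right one for the emptiness check. The visible lines also dereference `permissions.table` without a NULL check; if any load path can reach this validator with the table unset, guard it before reading `nel`. A one-line comment noting that the policy languages require at least one permission in a common (as the commit message says) would document the reason next to the check, and breaking the condition across two lines would keep it readable.
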
> > --
> > 2.42.0
> >



