On Tue, Nov 14, 2023 at 3:40 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> On Mon, Nov 13, 2023 at 2:26 PM Christian Göttsche
> <cgzones@xxxxxxxxxxxxxx> wrote:
> >
> > The traditional language and CIL permit common classes only to be
> > defined with at least one permission. Thus writing a common class
> > without one will fail.
> >
> > Reported-by: oss-fuzz (issue 64059)
> > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
>
> Acked-by: James Carter <jwcart2@xxxxxxxxx>
>
This patch has been merged.
Thanks,
Jim
> > ---
> > libsepol/src/policydb_validate.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
> > index 016ab655..1121c8bb 100644
> > --- a/libsepol/src/policydb_validate.c
> > +++ b/libsepol/src/policydb_validate.c
> > @@ -369,7 +369,7 @@ static int validate_common_datum(sepol_handle_t *handle, const common_datum_t *c
> > {
> > if (validate_value(common->s.value, &flavors[SYM_COMMONS]))
> > goto bad;
> > - if (common->permissions.nprim > PERM_SYMTAB_SIZE)
> > + if (common->permissions.table->nel == 0 || common->permissions.nprim > PERM_SYMTAB_SIZE)
> > goto bad;
> >
> > return 0;
> > --
> > 2.42.0
> >
