Limit the maximum length of permission identifiers. Otherwise formatting an access vector might fail in the common used helper sepol_av_to_string(). The current longest permission within the Reference Policy is x_application_data { paste_after_confirm } with a length of 19. Reported-by: oss-fuzz (issue 64832) Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> --- The oss-fuzz issue got closed by the latest fuzzer updates (due to unrelated changes that invalid the current reproducer), but the issue is still valid. --- libsepol/src/policydb_validate.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c index bd8e9f8f..72681120 100644 --- a/libsepol/src/policydb_validate.c +++ b/libsepol/src/policydb_validate.c @@ -366,12 +366,30 @@ bad: return -1; } +static int validate_permission_wrapper(hashtab_key_t k, __attribute__((unused)) hashtab_datum_t d, void *args) +{ + sepol_handle_t *handle = args; + const char *name = k; + size_t len = strlen(name); + + if (len == 0 || len >= 32) + goto bad; + + return 0; + +bad: + ERR(handle, "Invalid permission"); + return -1; +} + static int validate_common_datum(sepol_handle_t *handle, const common_datum_t *common, validate_t flavors[]) { if (validate_value(common->s.value, &flavors[SYM_COMMONS])) goto bad; if (common->permissions.table->nel == 0 || common->permissions.nprim > PERM_SYMTAB_SIZE) goto bad; + if (hashtab_map(common->permissions.table, validate_permission_wrapper, handle)) + goto bad; return 0; @@ -395,6 +413,8 @@ static int validate_class_datum(sepol_handle_t *handle, const class_datum_t *cla goto bad; if (class->permissions.nprim > PERM_SYMTAB_SIZE) goto bad; + if (hashtab_map(class->permissions.table, validate_permission_wrapper, handle)) + goto bad; if (validate_constraint_nodes(handle, class->permissions.nprim, class->constraints, flavors)) goto bad; if (validate_constraint_nodes(handle, 0, class->validatetrans, flavors)) -- 2.43.0