On Fri, Dec 8, 2023 at 10:19 AM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> Validate common classes inside scope indices similar to all other symbol
> table types.
>
> Reported-by: oss-fuzz (issue 64849)
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
> This probably also resolves issue 64854, which I could not reproduce
> locally.
> ---
> libsepol/include/sepol/policydb/policydb.h | 1 +
> libsepol/src/policydb_validate.c | 2 ++
> 2 files changed, 3 insertions(+)
>
> diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
> index 6682069e..658b25d4 100644
> --- a/libsepol/include/sepol/policydb/policydb.h
> +++ b/libsepol/include/sepol/policydb/policydb.h
> @@ -430,6 +430,7 @@ typedef struct genfs {
> * subtract one) into the global policydb->scope array. */
> typedef struct scope_index {
> ebitmap_t scope[SYM_NUM];
> +#define p_commons_scope scope[SYM_COMMONS]
> #define p_classes_scope scope[SYM_CLASSES]
> #define p_roles_scope scope[SYM_ROLES]
> #define p_types_scope scope[SYM_TYPES]
> diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
> index bd8e9f8f..4919f674 100644
> --- a/libsepol/src/policydb_validate.c
> +++ b/libsepol/src/policydb_validate.c
> @@ -1344,6 +1344,8 @@ bad:
>
> static int validate_scope_index(sepol_handle_t *handle, const scope_index_t *scope_index, validate_t flavors[])
> {
> + if (validate_ebitmap(&scope_index->p_commons_scope, &flavors[SYM_COMMONS]))
> + goto bad;
As far as I know, there will never be any commons in the scope index,
so it would be better to just check that it is empty.
Thanks,
Jim
> if (validate_ebitmap(&scope_index->p_classes_scope, &flavors[SYM_CLASSES]))
> goto bad;
> if (validate_ebitmap(&scope_index->p_roles_scope, &flavors[SYM_ROLES]))
> --
> 2.43.0
>
>
