[PATCH] libsepol: Fix buffer overflow when using sepol_av_to_string()

James Carter <jwcart2@xxxxxxxxx> · Mon, 11 Mar 2024 08:48:31 -0400

The function sepol_av_to_string() returns a list of permissions
with a space at the beginning. This fits the normal formating of
permisisons for a policy.conf policy which uses a format of
"{ p1 p2 ... pn }", but not the formating for a CIL policy which uses
a format of "(p1 p2 ... pn)". Both kernel_to_cil and module_to_cil
skip the space by using "perms+1", but this is a problem if there
are no permissions because sepol_av_to_string() returns '\0'.

In kernel_to_cil and module_to_cil, check for the permission string
being '\0' and return an error if it is.

Reported-by: oss-fuzz (issue 67276)
Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
---
 libsepol/src/kernel_to_cil.c | 11 +++++++++++
 libsepol/src/module_to_cil.c | 12 ++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index a081915e..e20ba4af 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -302,6 +302,12 @@ static int class_constraint_rules_to_strs(struct policydb *pdb, char *classkey,
 			rc = -1;
 			goto exit;
 		}
+		if (*perms == '\0') {
+			ERR(NULL, "No permisisons in permission string");
+			free(perms);
+			rc = -1;
+			goto exit;
+		}
 
 		if (is_mls) {
 			key_word = "mlsconstrain";
@@ -1775,6 +1781,11 @@ static char *avtab_node_to_str(struct policydb *pdb, avtab_key_t *key, avtab_dat
 			ERR(NULL, "Failed to generate permission string");
 			goto exit;
 		}
+		if (*perms == '\0') {
+			ERR(NULL, "No permisisons in permission string");
+			free(perms);
+			goto exit;
+		}
 		rule = create_str("(%s %s %s (%s (%s)))",
 				  flavor, src, tgt, class, perms+1);
 		free(perms);
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 6699a46b..3b3480bf 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -593,6 +593,12 @@ static int avrule_to_cil(int indent, struct policydb *pdb, uint32_t type, const
 				rc = -1;
 				goto exit;
 			}
+			if (*perms == '\0') {
+				ERR(NULL, "No permissions in permission string");
+				free(perms);
+				rc = -1;
+				goto exit;
+			}
 			cil_println(indent, "(%s %s %s (%s (%s)))",
 					rule, src, tgt,
 					pdb->p_class_val_to_name[classperm->tclass - 1],
@@ -1973,6 +1979,12 @@ static int constraints_to_cil(int indent, struct policydb *pdb, char *classkey,
 				rc = -1;
 				goto exit;
 			}
+			if (*perms == '\0') {
+				ERR(NULL, "No permissions in permission string");
+				free(perms);
+				rc = -1;
+				goto exit;
+			}
 			cil_println(indent, "(%sconstrain (%s (%s)) %s)", mls, classkey, perms + 1, expr);
 			free(perms);
 		} else {
-- 
2.44.0








