From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
Validate that the permission maps in the scope index refer to a valid
class datum. Otherwise since commit 52e5c306 ("libsepol: move
unchanged
data out of loop") this can lead to a NULL dereference in the class
existence check during linking.
Reported-by: oss-fuzz (issue 69655)
Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
libsepol/src/policydb_validate.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/libsepol/src/policydb_validate.c
b/libsepol/src/policydb_validate.c
index 9746f562..0216410c 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -1467,6 +1467,8 @@ bad:
static int validate_scope_index(sepol_handle_t *handle, const
scope_index_t *scope_index, validate_t flavors[])
{
+ uint32_t i;
+
if (!ebitmap_is_empty(&scope_index->scope[SYM_COMMONS]))
goto bad;
if (validate_ebitmap(&scope_index->p_classes_scope,
&flavors[SYM_CLASSES]))
@@ -1483,8 +1485,10 @@ static int validate_scope_index(sepol_handle_t
*handle, const scope_index_t *sco
goto bad;
if (validate_ebitmap(&scope_index->p_cat_scope,
&flavors[SYM_CATS]))
goto bad;
- if (scope_index->class_perms_len > flavors[SYM_CLASSES].nprim)
Since classes should not have gaps, this could be a simple off-by-one,
cause class_perms_len is 0-based while nprim is 1-based. So
scope_index->class_perms_len >= flavors[SYM_CLASSES].nprim
might suffice, but I am unable to test currently though.
- goto bad;
+
+ for (i = 0; i < scope_index->class_perms_len; i++)
+ if (validate_value(i + 1, &flavors[SYM_CLASSES]))
+ goto bad;
return 0;
