Fix location of selinuxfs mount point #12
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Please post to selinux list too. |
stephensmalley
pushed a commit
that referenced
this pull request
Jun 12, 2017
… fails
In mls_semantic_range_expand(), when a call to
mls_semantic_level_expand() fails, the function destroys the semantic
level instead of the expanded one. This leads to a use-after-free which
is reported by gcc's Address Sanitizer:
libsepol.mls_semantic_level_expand: mls_semantic_level_expand: invalid sensitivity level found 128/0.
libsepol.sepol_module_package_read: invalid module in module package (at section 0)
Failed to read policy package
=================================================================
==24456==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000ee58 at pc 0x7fe6c4fb96b4 bp 0x7fffa5ea6b70 sp 0x7fffa5ea6b60
READ of size 8 at 0x60200000ee58 thread T0
#0 0x7fe6c4fb96b3 in mls_semantic_level_destroy /usr/src/selinux/libsepol/src/mls.c:755
#1 0x7fe6c4fb9b88 in mls_semantic_range_destroy /usr/src/selinux/libsepol/src/mls.c:802
#2 0x7fe6c500e8ab in user_datum_destroy /usr/src/selinux/libsepol/src/policydb.c:535
#3 0x7fe6c500e980 in user_destroy /usr/src/selinux/libsepol/src/policydb.c:1390
#4 0x7fe6c4f36c48 in hashtab_map /usr/src/selinux/libsepol/src/hashtab.c:235
#5 0x7fe6c50152da in symtabs_destroy /usr/src/selinux/libsepol/src/policydb.c:1595
#6 0x7fe6c5015433 in policydb_destroy /usr/src/selinux/libsepol/src/policydb.c:1503
#7 0x7fe6c5040e0d in sepol_policydb_free /usr/src/selinux/libsepol/src/policydb_public.c:82
#8 0x7fe6c4fbc503 in sepol_module_package_free /usr/src/selinux/libsepol/src/module.c:143
#9 0x7fe6c4fefefb in sepol_ppfile_to_module_package /usr/src/selinux/libsepol/src/module_to_cil.c:4293
#10 0x401e51 in main /usr/src/selinux/policycoreutils/hll/pp/pp.c:124
#11 0x7fe6c4add510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
#12 0x402589 in _start (/usr/src/selinux/DESTDIR/usr/libexec/selinux/hll/pp+0x402589)
0x60200000ee58 is located 8 bytes inside of 16-byte region [0x60200000ee50,0x60200000ee60)
freed by thread T0 here:
#0 0x7fe6c5537ae0 in __interceptor_free /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:45
#1 0x7fe6c4fb969b in mls_semantic_level_destroy /usr/src/selinux/libsepol/src/mls.c:757
#2 0x7fe6c4f02a57 in mls_semantic_range_expand /usr/src/selinux/libsepol/src/expand.c:948
#3 0x7fe6c5007a98 in policydb_user_cache /usr/src/selinux/libsepol/src/policydb.c:939
#4 0x7fe6c4f36c48 in hashtab_map /usr/src/selinux/libsepol/src/hashtab.c:235
#5 0x7fe6c5013859 in policydb_index_others /usr/src/selinux/libsepol/src/policydb.c:1286
#6 0x7fe6c5020b65 in policydb_read /usr/src/selinux/libsepol/src/policydb.c:4342
#7 0x7fe6c4fc0cdb in sepol_module_package_read /usr/src/selinux/libsepol/src/module.c:618
#8 0x7fe6c4ff008d in sepol_ppfile_to_module_package /usr/src/selinux/libsepol/src/module_to_cil.c:4276
#9 0x401e51 in main /usr/src/selinux/policycoreutils/hll/pp/pp.c:124
#10 0x7fe6c4add510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
previously allocated by thread T0 here:
#0 0x7fe6c5537e40 in __interceptor_malloc /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:62
#1 0x7fe6c5004efc in mls_read_semantic_level_helper /usr/src/selinux/libsepol/src/policydb.c:1976
#2 0x7fe6c500f596 in mls_read_semantic_range_helper /usr/src/selinux/libsepol/src/policydb.c:2010
#3 0x7fe6c500f596 in user_read /usr/src/selinux/libsepol/src/policydb.c:3258
#4 0x7fe6c502055b in policydb_read /usr/src/selinux/libsepol/src/policydb.c:4286
#5 0x7fe6c4fc0cdb in sepol_module_package_read /usr/src/selinux/libsepol/src/module.c:618
#6 0x7fe6c4ff008d in sepol_ppfile_to_module_package /usr/src/selinux/libsepol/src/module_to_cil.c:4276
#7 0x401e51 in main /usr/src/selinux/policycoreutils/hll/pp/pp.c:124
#8 0x7fe6c4add510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/selinux/libsepol/src/mls.c:755 in mls_semantic_level_destroy
Shadow bytes around the buggy address:
0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa 01 fa fa fa 01 fa
0x0c047fff9db0: fa fa 01 fa fa fa 01 fa fa fa 01 fa fa fa 01 fa
=>0x0c047fff9dc0: fa fa 00 00 fa fa 00 00 fa fa fd[fd]fa fa fd fd
0x0c047fff9dd0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
0x0c047fff9de0: fa fa 04 fa fa fa 00 01 fa fa fd fd fa fa fd fd
0x0c047fff9df0: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa fd fd
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==24456==ABORTING
This issue has been found while fuzzing hll/pp with the American Fuzzy
Lop.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
fishilico
added a commit
to fishilico/selinux
that referenced
this pull request
Oct 2, 2020
On Fedora 32 executing scripts/ci/fedora-test-runner.sh, semodule
crashes:
[root@localhost selinux-testsuite]# make test
make -C policy load
make[1]: Entering directory '/root/selinux-testsuite/policy'
# Test for "expand-check = 0" in /etc/selinux/semanage.conf
# General policy build
make[2]: Entering directory '/root/selinux-testsuite/policy/test_policy'
Compiling targeted test_policy module
Creating targeted test_policy.pp policy package
rm tmp/test_policy.mod.fc
make[2]: Leaving directory '/root/selinux-testsuite/policy/test_policy'
# General policy load
domain_fd_use --> off
/usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil test_overlay_defaultrange.cil test_add_levels.cil test_glblub.cil
make[1]: *** [Makefile:174: load] Aborted (core dumped)
(gdb) bt
#0 0x00007f608fe4fa25 in raise () from /lib64/libc.so.6
SELinuxProject#1 0x00007f608fe38895 in abort () from /lib64/libc.so.6
SELinuxProject#2 0x00007f6090028aca in __addvsi3.cold () from /lib64/libsepol.so.1
SELinuxProject#3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
at ../cil/src/cil_binary.c:1551
SELinuxProject#4 0x00007f60900970dd in __cil_permx_bitmap_to_sepol_xperms_list (xperms=0xb650a30, xperms_list=0x7ffce2653b18)
at ../cil/src/cil_binary.c:1596
SELinuxProject#5 0x00007f6090097286 in __cil_avrulex_ioctl_to_policydb (k=0xb8ec200 "@\023\214\022\006", datum=0xb650a30,
args=0x239a640) at ../cil/src/cil_binary.c:1649
SELinuxProject#6 0x00007f609003f1e5 in hashtab_map (h=0x41f8710, apply=0x7f60900971da <__cil_avrulex_ioctl_to_policydb>,
args=0x239a640) at hashtab.c:234
SELinuxProject#7 0x00007f609009ea19 in cil_binary_create_allocated_pdb (db=0x2394f10, policydb=0x239a640)
at ../cil/src/cil_binary.c:4969
SELinuxProject#8 0x00007f609009d19d in cil_binary_create (db=0x2394f10, policydb=0x7ffce2653d30) at ../cil/src/cil_binary.c:4329
SELinuxProject#9 0x00007f609008ec23 in cil_build_policydb_create_pdb (db=0x2394f10, sepol_db=0x7ffce2653d30)
at ../cil/src/cil.c:631
SELinuxProject#10 0x00007f608fff4bf3 in semanage_direct_commit () from /lib64/libsemanage.so.1
SELinuxProject#11 0x00007f608fff9fae in semanage_commit () from /lib64/libsemanage.so.1
SELinuxProject#12 0x0000000000403e2b in main (argc=7, argv=0x7ffce2655058) at semodule.c:753
(gdb) f 3
SELinuxProject#3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
at ../cil/src/cil_binary.c:1551
1551 xperms->perms[i] |= XPERM_SETBITS(h) - XPERM_SETBITS(low);
This is due to XPERM_SETBITS(h) with h = 31:
#define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)
Using "1U" to make the type unsigned fixes the crash.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
fishilico
added a commit
to fishilico/selinux
that referenced
this pull request
Oct 3, 2020
When compiling SELinux userspace tools with -ftrapv (this option
generates traps for signed overflow on addition, subtraction,
multiplication operations, instead of silently wrapping around),
semodule crashes when running the tests from
scripts/ci/fedora-test-runner.sh in a Fedora 32 virtual machine:
[root@localhost selinux-testsuite]# make test
make -C policy load
make[1]: Entering directory '/root/selinux-testsuite/policy'
# Test for "expand-check = 0" in /etc/selinux/semanage.conf
# General policy build
make[2]: Entering directory '/root/selinux-testsuite/policy/test_policy'
Compiling targeted test_policy module
Creating targeted test_policy.pp policy package
rm tmp/test_policy.mod.fc
make[2]: Leaving directory '/root/selinux-testsuite/policy/test_policy'
# General policy load
domain_fd_use --> off
/usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil test_overlay_defaultrange.cil test_add_levels.cil test_glblub.cil
make[1]: *** [Makefile:174: load] Aborted (core dumped)
Using "coredumpctl gdb" leads to the following strack trace:
(gdb) bt
#0 0x00007f608fe4fa25 in raise () from /lib64/libc.so.6
SELinuxProject#1 0x00007f608fe38895 in abort () from /lib64/libc.so.6
SELinuxProject#2 0x00007f6090028aca in __addvsi3.cold () from /lib64/libsepol.so.1
SELinuxProject#3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
at ../cil/src/cil_binary.c:1551
SELinuxProject#4 0x00007f60900970dd in __cil_permx_bitmap_to_sepol_xperms_list (xperms=0xb650a30, xperms_list=0x7ffce2653b18)
at ../cil/src/cil_binary.c:1596
SELinuxProject#5 0x00007f6090097286 in __cil_avrulex_ioctl_to_policydb (k=0xb8ec200 "@\023\214\022\006", datum=0xb650a30,
args=0x239a640) at ../cil/src/cil_binary.c:1649
SELinuxProject#6 0x00007f609003f1e5 in hashtab_map (h=0x41f8710, apply=0x7f60900971da <__cil_avrulex_ioctl_to_policydb>,
args=0x239a640) at hashtab.c:234
SELinuxProject#7 0x00007f609009ea19 in cil_binary_create_allocated_pdb (db=0x2394f10, policydb=0x239a640)
at ../cil/src/cil_binary.c:4969
SELinuxProject#8 0x00007f609009d19d in cil_binary_create (db=0x2394f10, policydb=0x7ffce2653d30) at ../cil/src/cil_binary.c:4329
SELinuxProject#9 0x00007f609008ec23 in cil_build_policydb_create_pdb (db=0x2394f10, sepol_db=0x7ffce2653d30)
at ../cil/src/cil.c:631
SELinuxProject#10 0x00007f608fff4bf3 in semanage_direct_commit () from /lib64/libsemanage.so.1
SELinuxProject#11 0x00007f608fff9fae in semanage_commit () from /lib64/libsemanage.so.1
SELinuxProject#12 0x0000000000403e2b in main (argc=7, argv=0x7ffce2655058) at semodule.c:753
(gdb) f 3
SELinuxProject#3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
at ../cil/src/cil_binary.c:1551
1551 xperms->perms[i] |= XPERM_SETBITS(h) - XPERM_SETBITS(low);
A signed integer overflow therefore occurs in XPERM_SETBITS(h):
#define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)
This macro is expanded with h=31, so "(1 << 31)-1" is computed:
* (1 << 31) = -0x80000000 is the lowest signed 32-bit integer value
* (1 << 31)-1 overflows the capacity of a signed 32-bit integer and
result in 0x7fffffff (which is unsigned)
Using unsigned integers (with "1U") fixes the crash, as
(1U << 31) = 0x80000000U has no overflowing issues.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
fishilico
added a commit
to fishilico/selinux
that referenced
this pull request
Oct 3, 2020
When compiling SELinux userspace tools with -ftrapv (this option
generates traps for signed overflow on addition, subtraction,
multiplication operations, instead of silently wrapping around),
semodule crashes when running the tests from
scripts/ci/fedora-test-runner.sh in a Fedora 32 virtual machine:
[root@localhost selinux-testsuite]# make test
make -C policy load
make[1]: Entering directory '/root/selinux-testsuite/policy'
# Test for "expand-check = 0" in /etc/selinux/semanage.conf
# General policy build
make[2]: Entering directory '/root/selinux-testsuite/policy/test_policy'
Compiling targeted test_policy module
Creating targeted test_policy.pp policy package
rm tmp/test_policy.mod.fc
make[2]: Leaving directory '/root/selinux-testsuite/policy/test_policy'
# General policy load
domain_fd_use --> off
/usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil test_overlay_defaultrange.cil test_add_levels.cil test_glblub.cil
make[1]: *** [Makefile:174: load] Aborted (core dumped)
Using "coredumpctl gdb" leads to the following strack trace:
(gdb) bt
#0 0x00007f608fe4fa25 in raise () from /lib64/libc.so.6
SELinuxProject#1 0x00007f608fe38895 in abort () from /lib64/libc.so.6
SELinuxProject#2 0x00007f6090028aca in __addvsi3.cold () from /lib64/libsepol.so.1
SELinuxProject#3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
at ../cil/src/cil_binary.c:1551
SELinuxProject#4 0x00007f60900970dd in __cil_permx_bitmap_to_sepol_xperms_list (xperms=0xb650a30, xperms_list=0x7ffce2653b18)
at ../cil/src/cil_binary.c:1596
SELinuxProject#5 0x00007f6090097286 in __cil_avrulex_ioctl_to_policydb (k=0xb8ec200 "@\023\214\022\006", datum=0xb650a30,
args=0x239a640) at ../cil/src/cil_binary.c:1649
SELinuxProject#6 0x00007f609003f1e5 in hashtab_map (h=0x41f8710, apply=0x7f60900971da <__cil_avrulex_ioctl_to_policydb>,
args=0x239a640) at hashtab.c:234
SELinuxProject#7 0x00007f609009ea19 in cil_binary_create_allocated_pdb (db=0x2394f10, policydb=0x239a640)
at ../cil/src/cil_binary.c:4969
SELinuxProject#8 0x00007f609009d19d in cil_binary_create (db=0x2394f10, policydb=0x7ffce2653d30) at ../cil/src/cil_binary.c:4329
SELinuxProject#9 0x00007f609008ec23 in cil_build_policydb_create_pdb (db=0x2394f10, sepol_db=0x7ffce2653d30)
at ../cil/src/cil.c:631
SELinuxProject#10 0x00007f608fff4bf3 in semanage_direct_commit () from /lib64/libsemanage.so.1
SELinuxProject#11 0x00007f608fff9fae in semanage_commit () from /lib64/libsemanage.so.1
SELinuxProject#12 0x0000000000403e2b in main (argc=7, argv=0x7ffce2655058) at semodule.c:753
(gdb) f 3
SELinuxProject#3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
at ../cil/src/cil_binary.c:1551
1551 xperms->perms[i] |= XPERM_SETBITS(h) - XPERM_SETBITS(low);
A signed integer overflow therefore occurs in XPERM_SETBITS(h):
#define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)
This macro is expanded with h=31, so "(1 << 31) - 1" is computed:
* (1 << 31) = -0x80000000 is the lowest signed 32-bit integer value
* (1 << 31) - 1 overflows the capacity of a signed 32-bit integer and
results in 0x7fffffff (which is unsigned)
Using unsigned integers (with "1U") fixes the crash, as
(1U << 31) = 0x80000000U has no overflowing issues.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
bachradsusi
pushed a commit
that referenced
this pull request
Oct 15, 2020
When compiling SELinux userspace tools with -ftrapv (this option
generates traps for signed overflow on addition, subtraction,
multiplication operations, instead of silently wrapping around),
semodule crashes when running the tests from
scripts/ci/fedora-test-runner.sh in a Fedora 32 virtual machine:
[root@localhost selinux-testsuite]# make test
make -C policy load
make[1]: Entering directory '/root/selinux-testsuite/policy'
# Test for "expand-check = 0" in /etc/selinux/semanage.conf
# General policy build
make[2]: Entering directory '/root/selinux-testsuite/policy/test_policy'
Compiling targeted test_policy module
Creating targeted test_policy.pp policy package
rm tmp/test_policy.mod.fc
make[2]: Leaving directory '/root/selinux-testsuite/policy/test_policy'
# General policy load
domain_fd_use --> off
/usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil test_overlay_defaultrange.cil test_add_levels.cil test_glblub.cil
make[1]: *** [Makefile:174: load] Aborted (core dumped)
Using "coredumpctl gdb" leads to the following strack trace:
(gdb) bt
#0 0x00007f608fe4fa25 in raise () from /lib64/libc.so.6
#1 0x00007f608fe38895 in abort () from /lib64/libc.so.6
#2 0x00007f6090028aca in __addvsi3.cold () from /lib64/libsepol.so.1
#3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
at ../cil/src/cil_binary.c:1551
#4 0x00007f60900970dd in __cil_permx_bitmap_to_sepol_xperms_list (xperms=0xb650a30, xperms_list=0x7ffce2653b18)
at ../cil/src/cil_binary.c:1596
#5 0x00007f6090097286 in __cil_avrulex_ioctl_to_policydb (k=0xb8ec200 "@\023\214\022\006", datum=0xb650a30,
args=0x239a640) at ../cil/src/cil_binary.c:1649
#6 0x00007f609003f1e5 in hashtab_map (h=0x41f8710, apply=0x7f60900971da <__cil_avrulex_ioctl_to_policydb>,
args=0x239a640) at hashtab.c:234
#7 0x00007f609009ea19 in cil_binary_create_allocated_pdb (db=0x2394f10, policydb=0x239a640)
at ../cil/src/cil_binary.c:4969
#8 0x00007f609009d19d in cil_binary_create (db=0x2394f10, policydb=0x7ffce2653d30) at ../cil/src/cil_binary.c:4329
#9 0x00007f609008ec23 in cil_build_policydb_create_pdb (db=0x2394f10, sepol_db=0x7ffce2653d30)
at ../cil/src/cil.c:631
#10 0x00007f608fff4bf3 in semanage_direct_commit () from /lib64/libsemanage.so.1
#11 0x00007f608fff9fae in semanage_commit () from /lib64/libsemanage.so.1
#12 0x0000000000403e2b in main (argc=7, argv=0x7ffce2655058) at semodule.c:753
(gdb) f 3
#3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
at ../cil/src/cil_binary.c:1551
1551 xperms->perms[i] |= XPERM_SETBITS(h) - XPERM_SETBITS(low);
A signed integer overflow therefore occurs in XPERM_SETBITS(h):
#define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)
This macro is expanded with h=31, so "(1 << 31) - 1" is computed:
* (1 << 31) = -0x80000000 is the lowest signed 32-bit integer value
* (1 << 31) - 1 overflows the capacity of a signed 32-bit integer and
results in 0x7fffffff (which is unsigned)
Using unsigned integers (with "1U") fixes the crash, as
(1U << 31) = 0x80000000U has no overflowing issues.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
evverx
added a commit
to evverx/selinux
that referenced
this pull request
Dec 6, 2020
It was found in google/oss-fuzz#4790: ``` Invalid token '' at line 2 of fuzz NEW_FUNC[1/2]: 0x67fff0 in yy_get_previous_state /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1143 NEW_FUNC[2/2]: 0x6803e0 in yy_try_NUL_trans /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1176 ================================================================= ==12==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000007992 at pc 0x000000681800 bp 0x7ffccddee530 sp 0x7ffccddee528 WRITE of size 1 at 0x602000007992 thread T0 SCARINESS: 41 (1-byte-write-heap-use-after-free) #0 0x6817ff in cil_yy_switch_to_buffer /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1315:17 #1 0x6820cc in cil_yy_scan_buffer /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1571:2 SELinuxProject#2 0x682662 in cil_lexer_setup /src/selinux/libsepol/src/../cil/src/cil_lexer.l:73:6 SELinuxProject#3 0x5cf2ae in cil_parser /src/selinux/libsepol/src/../cil/src/cil_parser.c:220:2 SELinuxProject#4 0x56d5e2 in cil_add_file /src/selinux/libsepol/src/../cil/src/cil.c:514:7 SELinuxProject#5 0x556e91 in LLVMFuzzerTestOneInput /src/secilc-fuzzer.c:434:7 SELinuxProject#6 0x459ab1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 SELinuxProject#7 0x45a755 in fuzzer::Fuzzer::TryDetectingAMemoryLeak(unsigned char const*, unsigned long, bool) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:675:3 SELinuxProject#8 0x45acd9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:747:5 SELinuxProject#9 0x45b875 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5 SELinuxProject#10 0x4499fb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 SELinuxProject#11 0x473a32 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 SELinuxProject#12 0x7f982296d83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f) SELinuxProject#13 0x41e758 in _start (/out/secilc-fuzzer+0x41e758) DEDUP_TOKEN: cil_yy_switch_to_buffer--cil_yy_scan_buffer--cil_lexer_setup 0x602000007992 is located 2 bytes inside of 4-byte region [0x602000007990,0x602000007994) freed by thread T0 here: #0 0x521ef2 in free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3 #1 0x56d630 in cil_add_file /src/selinux/libsepol/src/../cil/src/cil.c:526:2 SELinuxProject#2 0x556e91 in LLVMFuzzerTestOneInput /src/secilc-fuzzer.c:434:7 SELinuxProject#3 0x459ab1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 SELinuxProject#4 0x458fba in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3 SELinuxProject#5 0x45acc7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:745:19 SELinuxProject#6 0x45b875 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5 SELinuxProject#7 0x4499fb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 SELinuxProject#8 0x473a32 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 SELinuxProject#9 0x7f982296d83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f) DEDUP_TOKEN: free--cil_add_file--LLVMFuzzerTestOneInput previously allocated by thread T0 here: #0 0x52215d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 #1 0x5cecb8 in cil_malloc /src/selinux/libsepol/src/../cil/src/cil_mem.c:39:14 SELinuxProject#2 0x56d584 in cil_add_file /src/selinux/libsepol/src/../cil/src/cil.c:510:11 SELinuxProject#3 0x556e91 in LLVMFuzzerTestOneInput /src/secilc-fuzzer.c:434:7 SELinuxProject#4 0x459ab1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 SELinuxProject#5 0x458fba in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3 SELinuxProject#6 0x45acc7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:745:19 SELinuxProject#7 0x45b875 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5 SELinuxProject#8 0x4499fb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 SELinuxProject#9 0x473a32 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 SELinuxProject#10 0x7f982296d83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f) DEDUP_TOKEN: malloc--cil_malloc--cil_add_file SUMMARY: AddressSanitizer: heap-use-after-free /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1315:17 in cil_yy_switch_to_buffer Shadow bytes around the buggy address: 0x0c047fff8ee0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd 0x0c047fff8ef0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd 0x0c047fff8f00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd 0x0c047fff8f10: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd 0x0c047fff8f20: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa =>0x0c047fff8f30: fa fa[fd]fa fa fa fd fa fa fa fd fa fa fa fd fa 0x0c047fff8f40: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa 0x0c047fff8f50: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa 0x0c047fff8f60: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa 0x0c047fff8f70: fa fa 00 00 fa fa 02 fa fa fa 02 fa fa fa 00 fa 0x0c047fff8f80: fa fa 03 fa fa fa 00 fa fa fa 03 fa fa fa 00 fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==12==ABORTING ``` Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
fishilico
pushed a commit
to fishilico/selinux
that referenced
this pull request
Dec 6, 2020
It was found in google/oss-fuzz#4790: ``` Invalid token '' at line 2 of fuzz NEW_FUNC[1/2]: 0x67fff0 in yy_get_previous_state /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1143 NEW_FUNC[2/2]: 0x6803e0 in yy_try_NUL_trans /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1176 ================================================================= ==12==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000007992 at pc 0x000000681800 bp 0x7ffccddee530 sp 0x7ffccddee528 WRITE of size 1 at 0x602000007992 thread T0 SCARINESS: 41 (1-byte-write-heap-use-after-free) #0 0x6817ff in cil_yy_switch_to_buffer /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1315:17 SELinuxProject#1 0x6820cc in cil_yy_scan_buffer /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1571:2 SELinuxProject#2 0x682662 in cil_lexer_setup /src/selinux/libsepol/src/../cil/src/cil_lexer.l:73:6 SELinuxProject#3 0x5cf2ae in cil_parser /src/selinux/libsepol/src/../cil/src/cil_parser.c:220:2 SELinuxProject#4 0x56d5e2 in cil_add_file /src/selinux/libsepol/src/../cil/src/cil.c:514:7 SELinuxProject#5 0x556e91 in LLVMFuzzerTestOneInput /src/secilc-fuzzer.c:434:7 SELinuxProject#6 0x459ab1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 SELinuxProject#7 0x45a755 in fuzzer::Fuzzer::TryDetectingAMemoryLeak(unsigned char const*, unsigned long, bool) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:675:3 SELinuxProject#8 0x45acd9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:747:5 SELinuxProject#9 0x45b875 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5 SELinuxProject#10 0x4499fb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 SELinuxProject#11 0x473a32 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 SELinuxProject#12 0x7f982296d83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f) SELinuxProject#13 0x41e758 in _start (/out/secilc-fuzzer+0x41e758) DEDUP_TOKEN: cil_yy_switch_to_buffer--cil_yy_scan_buffer--cil_lexer_setup 0x602000007992 is located 2 bytes inside of 4-byte region [0x602000007990,0x602000007994) freed by thread T0 here: #0 0x521ef2 in free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3 SELinuxProject#1 0x56d630 in cil_add_file /src/selinux/libsepol/src/../cil/src/cil.c:526:2 SELinuxProject#2 0x556e91 in LLVMFuzzerTestOneInput /src/secilc-fuzzer.c:434:7 SELinuxProject#3 0x459ab1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 SELinuxProject#4 0x458fba in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3 SELinuxProject#5 0x45acc7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:745:19 SELinuxProject#6 0x45b875 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5 SELinuxProject#7 0x4499fb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 SELinuxProject#8 0x473a32 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 SELinuxProject#9 0x7f982296d83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f) DEDUP_TOKEN: free--cil_add_file--LLVMFuzzerTestOneInput previously allocated by thread T0 here: #0 0x52215d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 SELinuxProject#1 0x5cecb8 in cil_malloc /src/selinux/libsepol/src/../cil/src/cil_mem.c:39:14 SELinuxProject#2 0x56d584 in cil_add_file /src/selinux/libsepol/src/../cil/src/cil.c:510:11 SELinuxProject#3 0x556e91 in LLVMFuzzerTestOneInput /src/secilc-fuzzer.c:434:7 SELinuxProject#4 0x459ab1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 SELinuxProject#5 0x458fba in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3 SELinuxProject#6 0x45acc7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:745:19 SELinuxProject#7 0x45b875 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5 SELinuxProject#8 0x4499fb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 SELinuxProject#9 0x473a32 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 SELinuxProject#10 0x7f982296d83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f) DEDUP_TOKEN: malloc--cil_malloc--cil_add_file SUMMARY: AddressSanitizer: heap-use-after-free /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1315:17 in cil_yy_switch_to_buffer Shadow bytes around the buggy address: 0x0c047fff8ee0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd 0x0c047fff8ef0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd 0x0c047fff8f00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd 0x0c047fff8f10: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd 0x0c047fff8f20: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa =>0x0c047fff8f30: fa fa[fd]fa fa fa fd fa fa fa fd fa fa fa fd fa 0x0c047fff8f40: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa 0x0c047fff8f50: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa 0x0c047fff8f60: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa 0x0c047fff8f70: fa fa 00 00 fa fa 02 fa fa fa 02 fa fa fa 00 fa 0x0c047fff8f80: fa fa 03 fa fa fa 00 fa fa fa 03 fa fa fa 00 fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==12==ABORTING ``` Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
jwcart2
pushed a commit
that referenced
this pull request
Dec 8, 2020
It was found in google/oss-fuzz#4790: ``` Invalid token '' at line 2 of fuzz NEW_FUNC[1/2]: 0x67fff0 in yy_get_previous_state /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1143 NEW_FUNC[2/2]: 0x6803e0 in yy_try_NUL_trans /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1176 ================================================================= ==12==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000007992 at pc 0x000000681800 bp 0x7ffccddee530 sp 0x7ffccddee528 WRITE of size 1 at 0x602000007992 thread T0 SCARINESS: 41 (1-byte-write-heap-use-after-free) #0 0x6817ff in cil_yy_switch_to_buffer /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1315:17 #1 0x6820cc in cil_yy_scan_buffer /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1571:2 #2 0x682662 in cil_lexer_setup /src/selinux/libsepol/src/../cil/src/cil_lexer.l:73:6 #3 0x5cf2ae in cil_parser /src/selinux/libsepol/src/../cil/src/cil_parser.c:220:2 #4 0x56d5e2 in cil_add_file /src/selinux/libsepol/src/../cil/src/cil.c:514:7 #5 0x556e91 in LLVMFuzzerTestOneInput /src/secilc-fuzzer.c:434:7 #6 0x459ab1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 #7 0x45a755 in fuzzer::Fuzzer::TryDetectingAMemoryLeak(unsigned char const*, unsigned long, bool) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:675:3 #8 0x45acd9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:747:5 #9 0x45b875 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5 #10 0x4499fb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 #11 0x473a32 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #12 0x7f982296d83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f) #13 0x41e758 in _start (/out/secilc-fuzzer+0x41e758) DEDUP_TOKEN: cil_yy_switch_to_buffer--cil_yy_scan_buffer--cil_lexer_setup 0x602000007992 is located 2 bytes inside of 4-byte region [0x602000007990,0x602000007994) freed by thread T0 here: #0 0x521ef2 in free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3 #1 0x56d630 in cil_add_file /src/selinux/libsepol/src/../cil/src/cil.c:526:2 #2 0x556e91 in LLVMFuzzerTestOneInput /src/secilc-fuzzer.c:434:7 #3 0x459ab1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 #4 0x458fba in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3 #5 0x45acc7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:745:19 #6 0x45b875 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5 #7 0x4499fb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 #8 0x473a32 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #9 0x7f982296d83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f) DEDUP_TOKEN: free--cil_add_file--LLVMFuzzerTestOneInput previously allocated by thread T0 here: #0 0x52215d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 #1 0x5cecb8 in cil_malloc /src/selinux/libsepol/src/../cil/src/cil_mem.c:39:14 #2 0x56d584 in cil_add_file /src/selinux/libsepol/src/../cil/src/cil.c:510:11 #3 0x556e91 in LLVMFuzzerTestOneInput /src/secilc-fuzzer.c:434:7 #4 0x459ab1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 #5 0x458fba in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3 #6 0x45acc7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:745:19 #7 0x45b875 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5 #8 0x4499fb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 #9 0x473a32 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #10 0x7f982296d83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f) DEDUP_TOKEN: malloc--cil_malloc--cil_add_file SUMMARY: AddressSanitizer: heap-use-after-free /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1315:17 in cil_yy_switch_to_buffer Shadow bytes around the buggy address: 0x0c047fff8ee0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd 0x0c047fff8ef0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd 0x0c047fff8f00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd 0x0c047fff8f10: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd 0x0c047fff8f20: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa =>0x0c047fff8f30: fa fa[fd]fa fa fa fd fa fa fa fd fa fa fa fd fa 0x0c047fff8f40: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa 0x0c047fff8f50: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa 0x0c047fff8f60: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa 0x0c047fff8f70: fa fa 00 00 fa fa 02 fa fa fa 02 fa fa fa 00 fa 0x0c047fff8f80: fa fa 03 fa fa fa 00 fa fa fa 03 fa fa fa 00 fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==12==ABORTING ``` Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru> Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
fishilico
added a commit
to fishilico/selinux
that referenced
this pull request
Feb 4, 2021
OSS-Fuzz found a Null-dereference READ in the CIL compiler when trying
to compile the following policy:
(macro m((name n))) (call m(()))
When calling the macro, the name (in variable "pc") is NULL, which
triggers a NULL pointer dereference when using it as a key in
__cil_insert_name(). The stack trace is:
#0 0x7f4662655a85 in __strlen_avx2 (/usr/lib/libc.so.6+0x162a85)
SELinuxProject#1 0x556d0b6d150c in __interceptor_strlen.part.0 (/selinux/libsepol/fuzz/fuzz-secilc+0x44850c)
SELinuxProject#2 0x556d0ba74ed6 in symhash /selinux/libsepol/src/symtab.c:22:9
SELinuxProject#3 0x556d0b9ef50d in hashtab_search /selinux/libsepol/src/hashtab.c:186:11
SELinuxProject#4 0x556d0b928e1f in cil_symtab_get_datum /selinux/libsepol/src/../cil/src/cil_symtab.c:121:37
SELinuxProject#5 0x556d0b8f28f4 in __cil_insert_name /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:96:2
SELinuxProject#6 0x556d0b908184 in cil_resolve_call1 /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:2835:12
SELinuxProject#7 0x556d0b91b404 in __cil_resolve_ast_node /selinux/libsepol/src/../cil/src/cil_resolve_ast.c
SELinuxProject#8 0x556d0b91380f in __cil_resolve_ast_node_helper /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:3773:7
SELinuxProject#9 0x556d0b932230 in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:263:9
SELinuxProject#10 0x556d0b932230 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:307:7
SELinuxProject#11 0x556d0b932326 in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:275:9
SELinuxProject#12 0x556d0b932326 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:307:7
SELinuxProject#13 0x556d0b911189 in cil_resolve_ast /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:3941:8
SELinuxProject#14 0x556d0b798729 in cil_compile /selinux/libsepol/src/../cil/src/cil.c:550:7
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28544
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
fishilico
added a commit
to fishilico/selinux
that referenced
this pull request
Feb 5, 2021
OSS-Fuzz found a Null-dereference READ in the CIL compiler when trying
to compile the following policy:
(macro m((name n))) (call m(()))
When calling the macro, the name (in variable "pc") is NULL, which
triggers a NULL pointer dereference when using it as a key in
__cil_insert_name(). The stack trace is:
#0 0x7f4662655a85 in __strlen_avx2 (/usr/lib/libc.so.6+0x162a85)
SELinuxProject#1 0x556d0b6d150c in __interceptor_strlen.part.0 (/selinux/libsepol/fuzz/fuzz-secilc+0x44850c)
SELinuxProject#2 0x556d0ba74ed6 in symhash /selinux/libsepol/src/symtab.c:22:9
SELinuxProject#3 0x556d0b9ef50d in hashtab_search /selinux/libsepol/src/hashtab.c:186:11
SELinuxProject#4 0x556d0b928e1f in cil_symtab_get_datum /selinux/libsepol/src/../cil/src/cil_symtab.c:121:37
SELinuxProject#5 0x556d0b8f28f4 in __cil_insert_name /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:96:2
SELinuxProject#6 0x556d0b908184 in cil_resolve_call1 /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:2835:12
SELinuxProject#7 0x556d0b91b404 in __cil_resolve_ast_node /selinux/libsepol/src/../cil/src/cil_resolve_ast.c
SELinuxProject#8 0x556d0b91380f in __cil_resolve_ast_node_helper /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:3773:7
SELinuxProject#9 0x556d0b932230 in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:263:9
SELinuxProject#10 0x556d0b932230 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:307:7
SELinuxProject#11 0x556d0b932326 in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:275:9
SELinuxProject#12 0x556d0b932326 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:307:7
SELinuxProject#13 0x556d0b911189 in cil_resolve_ast /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:3941:8
SELinuxProject#14 0x556d0b798729 in cil_compile /selinux/libsepol/src/../cil/src/cil.c:550:7
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28544
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
fishilico
added a commit
to fishilico/selinux
that referenced
this pull request
Feb 5, 2021
OSS-Fuzz found a Null-dereference READ in the CIL compiler when trying
to compile the following policy:
(macro m((name n))) (call m(()))
When calling the macro, the name (in variable "pc") is NULL, which
triggers a NULL pointer dereference when using it as a key in
__cil_insert_name(). The stack trace is:
#0 0x7f4662655a85 in __strlen_avx2 (/usr/lib/libc.so.6+0x162a85)
SELinuxProject#1 0x556d0b6d150c in __interceptor_strlen.part.0 (/selinux/libsepol/fuzz/fuzz-secilc+0x44850c)
SELinuxProject#2 0x556d0ba74ed6 in symhash /selinux/libsepol/src/symtab.c:22:9
SELinuxProject#3 0x556d0b9ef50d in hashtab_search /selinux/libsepol/src/hashtab.c:186:11
SELinuxProject#4 0x556d0b928e1f in cil_symtab_get_datum /selinux/libsepol/src/../cil/src/cil_symtab.c:121:37
SELinuxProject#5 0x556d0b8f28f4 in __cil_insert_name /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:96:2
SELinuxProject#6 0x556d0b908184 in cil_resolve_call1 /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:2835:12
SELinuxProject#7 0x556d0b91b404 in __cil_resolve_ast_node /selinux/libsepol/src/../cil/src/cil_resolve_ast.c
SELinuxProject#8 0x556d0b91380f in __cil_resolve_ast_node_helper /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:3773:7
SELinuxProject#9 0x556d0b932230 in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:263:9
SELinuxProject#10 0x556d0b932230 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:307:7
SELinuxProject#11 0x556d0b932326 in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:275:9
SELinuxProject#12 0x556d0b932326 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:307:7
SELinuxProject#13 0x556d0b911189 in cil_resolve_ast /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:3941:8
SELinuxProject#14 0x556d0b798729 in cil_compile /selinux/libsepol/src/../cil/src/cil.c:550:7
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28544
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
fishilico
added a commit
to fishilico/selinux
that referenced
this pull request
Feb 16, 2021
OSS-Fuzz found a Null-dereference READ in the CIL compiler when trying
to compile the following policy:
(macro m((name n))) (call m(()))
When calling the macro, the name (in variable "pc") is NULL, which
triggers a NULL pointer dereference when using it as a key in
__cil_insert_name(). The stack trace is:
#0 0x7f4662655a85 in __strlen_avx2 (/usr/lib/libc.so.6+0x162a85)
SELinuxProject#1 0x556d0b6d150c in __interceptor_strlen.part.0 (/selinux/libsepol/fuzz/fuzz-secilc+0x44850c)
SELinuxProject#2 0x556d0ba74ed6 in symhash /selinux/libsepol/src/symtab.c:22:9
SELinuxProject#3 0x556d0b9ef50d in hashtab_search /selinux/libsepol/src/hashtab.c:186:11
SELinuxProject#4 0x556d0b928e1f in cil_symtab_get_datum /selinux/libsepol/src/../cil/src/cil_symtab.c:121:37
SELinuxProject#5 0x556d0b8f28f4 in __cil_insert_name /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:96:2
SELinuxProject#6 0x556d0b908184 in cil_resolve_call1 /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:2835:12
SELinuxProject#7 0x556d0b91b404 in __cil_resolve_ast_node /selinux/libsepol/src/../cil/src/cil_resolve_ast.c
SELinuxProject#8 0x556d0b91380f in __cil_resolve_ast_node_helper /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:3773:7
SELinuxProject#9 0x556d0b932230 in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:263:9
SELinuxProject#10 0x556d0b932230 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:307:7
SELinuxProject#11 0x556d0b932326 in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:275:9
SELinuxProject#12 0x556d0b932326 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:307:7
SELinuxProject#13 0x556d0b911189 in cil_resolve_ast /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:3941:8
SELinuxProject#14 0x556d0b798729 in cil_compile /selinux/libsepol/src/../cil/src/cil.c:550:7
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28544
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
jwcart2
pushed a commit
that referenced
this pull request
Feb 16, 2021
OSS-Fuzz found a Null-dereference READ in the CIL compiler when trying
to compile the following policy:
(macro m((name n))) (call m(()))
When calling the macro, the name (in variable "pc") is NULL, which
triggers a NULL pointer dereference when using it as a key in
__cil_insert_name(). The stack trace is:
#0 0x7f4662655a85 in __strlen_avx2 (/usr/lib/libc.so.6+0x162a85)
#1 0x556d0b6d150c in __interceptor_strlen.part.0 (/selinux/libsepol/fuzz/fuzz-secilc+0x44850c)
#2 0x556d0ba74ed6 in symhash /selinux/libsepol/src/symtab.c:22:9
#3 0x556d0b9ef50d in hashtab_search /selinux/libsepol/src/hashtab.c:186:11
#4 0x556d0b928e1f in cil_symtab_get_datum /selinux/libsepol/src/../cil/src/cil_symtab.c:121:37
#5 0x556d0b8f28f4 in __cil_insert_name /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:96:2
#6 0x556d0b908184 in cil_resolve_call1 /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:2835:12
#7 0x556d0b91b404 in __cil_resolve_ast_node /selinux/libsepol/src/../cil/src/cil_resolve_ast.c
#8 0x556d0b91380f in __cil_resolve_ast_node_helper /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:3773:7
#9 0x556d0b932230 in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:263:9
#10 0x556d0b932230 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:307:7
#11 0x556d0b932326 in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:275:9
#12 0x556d0b932326 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:307:7
#13 0x556d0b911189 in cil_resolve_ast /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:3941:8
#14 0x556d0b798729 in cil_compile /selinux/libsepol/src/../cil/src/cil.c:550:7
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28544
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 5, 2021
class s
sid e
class s { y }
sensitivity i alias { d };
==13999==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000008b8 at pc 0x000000594081 bp 0x7ffcd296ad80 sp 0x7ffcd296ad78
READ of size 8 at 0x6030000008b8 thread T0
#0 0x594080 in ebitmap_destroy ./libsepol/src/ebitmap.c:379:9
SELinuxProject#1 0x61d546 in mls_level_destroy ./DESTDIR/usr/include/sepol/policydb/mls_types.h:98:2
SELinuxProject#2 0x61d546 in sens_destroy ./libsepol/src/policydb.c:1380:2
SELinuxProject#3 0x5bc9d5 in hashtab_map ./libsepol/src/hashtab.c:234:10
SELinuxProject#4 0x60cbf1 in symtabs_destroy ./libsepol/src/policydb.c:1581:9
SELinuxProject#5 0x60cbf1 in policydb_destroy ./libsepol/src/policydb.c:1489:2
SELinuxProject#6 0x55aaa2 in LLVMFuzzerTestOneInput ./checkpolicy/fuzz/checkpolicy-fuzzer.c:209:2
SELinuxProject#7 0x45af33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#8 0x446a72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#9 0x44c99b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#10 0x475e32 in main (./out/checkpolicy-fuzzer+0x475e32)
SELinuxProject#11 0x7f31b5ea1e49 in __libc_start_main csu/../csu/libc-start.c:314:16
SELinuxProject#12 0x4236e9 in _start (./out/checkpolicy-fuzzer+0x4236e9)
0x6030000008b8 is located 8 bytes inside of 24-byte region [0x6030000008b0,0x6030000008c8)
freed by thread T0 here:
#0 0x525762 in __interceptor_free (./out/checkpolicy-fuzzer+0x525762)
SELinuxProject#1 0x61d566 in sens_destroy ./libsepol/src/policydb.c:1381:2
SELinuxProject#2 0x5bc9d5 in hashtab_map ./libsepol/src/hashtab.c:234:10
SELinuxProject#3 0x60cbf1 in symtabs_destroy ./libsepol/src/policydb.c:1581:9
SELinuxProject#4 0x60cbf1 in policydb_destroy ./libsepol/src/policydb.c:1489:2
SELinuxProject#5 0x55aaa2 in LLVMFuzzerTestOneInput ./checkpolicy/fuzz/checkpolicy-fuzzer.c:209:2
SELinuxProject#6 0x45af33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#7 0x446a72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#8 0x44c99b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#9 0x475e32 in main (./out/checkpolicy-fuzzer+0x475e32)
SELinuxProject#10 0x7f31b5ea1e49 in __libc_start_main csu/../csu/libc-start.c:314:16
previously allocated by thread T0 here:
#0 0x5259cd in malloc (./out/checkpolicy-fuzzer+0x5259cd)
SELinuxProject#1 0x56be7e in define_sens ./checkpolicy/policy_define.c:744:26
SELinuxProject#2 0x583ed4 in yyparse ./checkpolicy/policy_parse.y:261:30
SELinuxProject#3 0x55a5a0 in read_source_policy ./checkpolicy/fuzz/checkpolicy-fuzzer.c:96:6
SELinuxProject#4 0x55a5a0 in LLVMFuzzerTestOneInput ./checkpolicy/fuzz/checkpolicy-fuzzer.c:162:6
SELinuxProject#5 0x45af33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#6 0x446a72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#7 0x44c99b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#8 0x475e32 in main (./out/checkpolicy-fuzzer+0x475e32)
SELinuxProject#9 0x7f31b5ea1e49 in __libc_start_main csu/../csu/libc-start.c:314:16
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 7, 2021
Limit the maximum length of read sizes, like string length of module
version and name or keys and number of symtab entries. This avoids the
fuzzer to report oom events for huge allocations (it also improves the
number of executions per seconds of the fuzzer).
This change only affects the fuzzer build.
==15211== ERROR: libFuzzer: out-of-memory (malloc(3115956666))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143)
SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb)
SELinuxProject#8 0x59d307 in str_read ./libsepol/src/services.c:1746:8
SELinuxProject#9 0x585b97 in perm_read ./libsepol/src/policydb.c:2063:5
SELinuxProject#10 0x581f8a in common_read ./libsepol/src/policydb.c:2119:7
SELinuxProject#11 0x576681 in policydb_read ./libsepol/src/policydb.c:4417:8
SELinuxProject#12 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
SELinuxProject#13 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#14 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#15 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#16 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#17 0x7fe1ec88a7ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#18 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
==13584== ERROR: libFuzzer: out-of-memory (malloc(2560137369))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143)
SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb)
SELinuxProject#8 0x581cc4 in common_read ./libsepol/src/policydb.c:2108:8
SELinuxProject#9 0x576681 in policydb_read ./libsepol/src/policydb.c:4409:8
SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#15 0x7fa6431787ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
==12683== ERROR: libFuzzer: out-of-memory (malloc(2526451450))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143)
SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb)
SELinuxProject#8 0x575f8a in policydb_read ./libsepol/src/policydb.c:4356:18
SELinuxProject#9 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
SELinuxProject#10 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#11 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#12 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#13 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#14 0x7fa737b377ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#15 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 7, 2021
Add checks for invalid read sizes from a binary policy to guard
allocations.
In the fuzzer build the value will also be bounded to avoid oom reports.
==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143)
SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb)
SELinuxProject#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9
SELinuxProject#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7
SELinuxProject#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9
SELinuxProject#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
SELinuxProject#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999)
SELinuxProject#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63)
SELinuxProject#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6
SELinuxProject#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6
SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 7, 2021
Free the local access vector list on failure as it does not get moved
into the policy structure.
Direct leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x52596d in malloc (./out/binpolicy-fuzzer+0x52596d)
SELinuxProject#1 0x5b30d2 in cond_insertf ./libsepol/src/conditional.c:682:9
SELinuxProject#2 0x5ac218 in avtab_read_item ./libsepol/src/avtab.c:583:10
SELinuxProject#3 0x5b21f4 in cond_read_av_list ./libsepol/src/conditional.c:725:8
SELinuxProject#4 0x5b21f4 in cond_read_node ./libsepol/src/conditional.c:798:7
SELinuxProject#5 0x5b21f4 in cond_read_list ./libsepol/src/conditional.c:847:7
SELinuxProject#6 0x576b6e in policydb_read ./libsepol/src/policydb.c:4436:8
SELinuxProject#7 0x55a1fe in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:24:6
SELinuxProject#8 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#9 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#10 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#11 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#12 0x7f47abeb87ec in __libc_start_main csu/../csu/libc-start.c:332:16
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 7, 2021
Limit the maximum length of read sizes, like string length of module
version and name or keys and number of symtab entries. This avoids the
fuzzer to report oom events for huge allocations (it also improves the
number of executions per seconds of the fuzzer).
This change only affects the fuzzer build.
==15211== ERROR: libFuzzer: out-of-memory (malloc(3115956666))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143)
SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb)
SELinuxProject#8 0x59d307 in str_read ./libsepol/src/services.c:1746:8
SELinuxProject#9 0x585b97 in perm_read ./libsepol/src/policydb.c:2063:5
SELinuxProject#10 0x581f8a in common_read ./libsepol/src/policydb.c:2119:7
SELinuxProject#11 0x576681 in policydb_read ./libsepol/src/policydb.c:4417:8
SELinuxProject#12 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
SELinuxProject#13 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#14 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#15 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#16 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#17 0x7fe1ec88a7ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#18 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
==13584== ERROR: libFuzzer: out-of-memory (malloc(2560137369))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143)
SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb)
SELinuxProject#8 0x581cc4 in common_read ./libsepol/src/policydb.c:2108:8
SELinuxProject#9 0x576681 in policydb_read ./libsepol/src/policydb.c:4409:8
SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#15 0x7fa6431787ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
==12683== ERROR: libFuzzer: out-of-memory (malloc(2526451450))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143)
SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb)
SELinuxProject#8 0x575f8a in policydb_read ./libsepol/src/policydb.c:4356:18
SELinuxProject#9 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
SELinuxProject#10 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#11 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#12 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#13 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#14 0x7fa737b377ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#15 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 7, 2021
Add checks for invalid read sizes from a binary policy to guard
allocations.
In the fuzzer build the value will also be bounded to avoid oom reports.
==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143)
SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb)
SELinuxProject#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9
SELinuxProject#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7
SELinuxProject#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9
SELinuxProject#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
SELinuxProject#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999)
SELinuxProject#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63)
SELinuxProject#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6
SELinuxProject#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6
SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 7, 2021
Free the local access vector list on failure as it does not get moved
into the policy structure.
Direct leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x52596d in malloc (./out/binpolicy-fuzzer+0x52596d)
SELinuxProject#1 0x5b30d2 in cond_insertf ./libsepol/src/conditional.c:682:9
SELinuxProject#2 0x5ac218 in avtab_read_item ./libsepol/src/avtab.c:583:10
SELinuxProject#3 0x5b21f4 in cond_read_av_list ./libsepol/src/conditional.c:725:8
SELinuxProject#4 0x5b21f4 in cond_read_node ./libsepol/src/conditional.c:798:7
SELinuxProject#5 0x5b21f4 in cond_read_list ./libsepol/src/conditional.c:847:7
SELinuxProject#6 0x576b6e in policydb_read ./libsepol/src/policydb.c:4436:8
SELinuxProject#7 0x55a1fe in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:24:6
SELinuxProject#8 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#9 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#10 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#11 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#12 0x7f47abeb87ec in __libc_start_main csu/../csu/libc-start.c:332:16
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 7, 2021
Add checks for invalid read sizes from a binary policy to guard
allocations.
In the fuzzer build the value will also be bounded to avoid oom reports.
==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143)
SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb)
SELinuxProject#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9
SELinuxProject#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7
SELinuxProject#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9
SELinuxProject#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
SELinuxProject#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999)
SELinuxProject#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63)
SELinuxProject#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6
SELinuxProject#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6
SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 7, 2021
Free the local access vector list on failure as it does not get moved
into the policy structure.
Direct leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x52596d in malloc (./out/binpolicy-fuzzer+0x52596d)
SELinuxProject#1 0x5b30d2 in cond_insertf ./libsepol/src/conditional.c:682:9
SELinuxProject#2 0x5ac218 in avtab_read_item ./libsepol/src/avtab.c:583:10
SELinuxProject#3 0x5b21f4 in cond_read_av_list ./libsepol/src/conditional.c:725:8
SELinuxProject#4 0x5b21f4 in cond_read_node ./libsepol/src/conditional.c:798:7
SELinuxProject#5 0x5b21f4 in cond_read_list ./libsepol/src/conditional.c:847:7
SELinuxProject#6 0x576b6e in policydb_read ./libsepol/src/policydb.c:4436:8
SELinuxProject#7 0x55a1fe in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:24:6
SELinuxProject#8 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#9 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#10 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#11 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#12 0x7f47abeb87ec in __libc_start_main csu/../csu/libc-start.c:332:16
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 7, 2021
Add checks for invalid read sizes from a binary policy to guard
allocations.
In the fuzzer build the value will also be bounded to avoid oom reports.
==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143)
SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb)
SELinuxProject#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9
SELinuxProject#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7
SELinuxProject#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9
SELinuxProject#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
SELinuxProject#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999)
SELinuxProject#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63)
SELinuxProject#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6
SELinuxProject#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6
SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 7, 2021
Free the local access vector list on failure as it does not get moved
into the policy structure.
Direct leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x52596d in malloc (./out/binpolicy-fuzzer+0x52596d)
SELinuxProject#1 0x5b30d2 in cond_insertf ./libsepol/src/conditional.c:682:9
SELinuxProject#2 0x5ac218 in avtab_read_item ./libsepol/src/avtab.c:583:10
SELinuxProject#3 0x5b21f4 in cond_read_av_list ./libsepol/src/conditional.c:725:8
SELinuxProject#4 0x5b21f4 in cond_read_node ./libsepol/src/conditional.c:798:7
SELinuxProject#5 0x5b21f4 in cond_read_list ./libsepol/src/conditional.c:847:7
SELinuxProject#6 0x576b6e in policydb_read ./libsepol/src/policydb.c:4436:8
SELinuxProject#7 0x55a1fe in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:24:6
SELinuxProject#8 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#9 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#10 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#11 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#12 0x7f47abeb87ec in __libc_start_main csu/../csu/libc-start.c:332:16
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 8, 2021
Limit the maximum length of read sizes, like string length of module
version and name or keys and number of symtab entries. This avoids the
fuzzer to report oom events for huge allocations (it also improves the
number of executions per seconds of the fuzzer).
This change only affects the fuzzer build.
==15211== ERROR: libFuzzer: out-of-memory (malloc(3115956666))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143)
SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb)
SELinuxProject#8 0x59d307 in str_read ./libsepol/src/services.c:1746:8
SELinuxProject#9 0x585b97 in perm_read ./libsepol/src/policydb.c:2063:5
SELinuxProject#10 0x581f8a in common_read ./libsepol/src/policydb.c:2119:7
SELinuxProject#11 0x576681 in policydb_read ./libsepol/src/policydb.c:4417:8
SELinuxProject#12 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
SELinuxProject#13 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#14 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#15 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#16 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#17 0x7fe1ec88a7ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#18 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
==13584== ERROR: libFuzzer: out-of-memory (malloc(2560137369))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143)
SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb)
SELinuxProject#8 0x581cc4 in common_read ./libsepol/src/policydb.c:2108:8
SELinuxProject#9 0x576681 in policydb_read ./libsepol/src/policydb.c:4409:8
SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#15 0x7fa6431787ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
==12683== ERROR: libFuzzer: out-of-memory (malloc(2526451450))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143)
SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb)
SELinuxProject#8 0x575f8a in policydb_read ./libsepol/src/policydb.c:4356:18
SELinuxProject#9 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
SELinuxProject#10 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#11 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#12 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#13 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#14 0x7fa737b377ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#15 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 8, 2021
Add checks for invalid read sizes from a binary policy to guard
allocations.
In the fuzzer build the value will also be bounded to avoid oom reports.
==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143)
SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb)
SELinuxProject#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9
SELinuxProject#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7
SELinuxProject#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9
SELinuxProject#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
SELinuxProject#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999)
SELinuxProject#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63)
SELinuxProject#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6
SELinuxProject#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6
SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Oct 8, 2021
Free the local access vector list on failure as it does not get moved
into the policy structure.
Direct leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x52596d in malloc (./out/binpolicy-fuzzer+0x52596d)
SELinuxProject#1 0x5b30d2 in cond_insertf ./libsepol/src/conditional.c:682:9
SELinuxProject#2 0x5ac218 in avtab_read_item ./libsepol/src/avtab.c:583:10
SELinuxProject#3 0x5b21f4 in cond_read_av_list ./libsepol/src/conditional.c:725:8
SELinuxProject#4 0x5b21f4 in cond_read_node ./libsepol/src/conditional.c:798:7
SELinuxProject#5 0x5b21f4 in cond_read_list ./libsepol/src/conditional.c:847:7
SELinuxProject#6 0x576b6e in policydb_read ./libsepol/src/policydb.c:4436:8
SELinuxProject#7 0x55a1fe in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:24:6
SELinuxProject#8 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#9 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#10 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#11 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#12 0x7f47abeb87ec in __libc_start_main csu/../csu/libc-start.c:332:16
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
fishilico
pushed a commit
to fishilico/selinux
that referenced
this pull request
Nov 11, 2021
Handle gaps in the user table while printing a policy configuration.
==24424==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004bdc55 bp 0x7ffc8790b810 sp 0x7ffc8790afb0 T0)
==24424==The signal is caused by a READ memory access.
==24424==Hint: address points to the zero page.
#0 0x4bdc55 in __interceptor_strcmp (./out/binpolicy-fuzzer+0x4bdc55)
SELinuxProject#1 0x5ebdf6 in strs_cmp ./libsepol/src/kernel_to_common.c:253:9
SELinuxProject#2 0x505669 in __interceptor_qsort (./out/binpolicy-fuzzer+0x505669)
SELinuxProject#3 0x5ebd84 in strs_sort ./libsepol/src/kernel_to_common.c:261:2
SELinuxProject#4 0x564550 in write_user_decl_rules_to_conf ./libsepol/src/kernel_to_conf.c:2333:2
SELinuxProject#5 0x55b137 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3190:7
SELinuxProject#6 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9
SELinuxProject#7 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#8 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#9 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#10 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#11 0x7f530128d7ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#12 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
fishilico
pushed a commit
to fishilico/selinux
that referenced
this pull request
Nov 11, 2021
==80903==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000005c0 at pc 0x0000005696c8 bp 0x7ffdb11ea560 sp 0x7ffdb11ea558
READ of size 8 at 0x6020000005c0 thread T0
#0 0x5696c7 in avtab_node_to_str ./libsepol/src/kernel_to_conf.c:1736:9
SELinuxProject#1 0x569013 in map_avtab_write_helper ./libsepol/src/kernel_to_conf.c:1767:10
SELinuxProject#2 0x5ab837 in avtab_map ./libsepol/src/avtab.c:347:10
SELinuxProject#3 0x561f9a in write_avtab_flavor_to_conf ./libsepol/src/kernel_to_conf.c:1798:7
SELinuxProject#4 0x561f9a in write_avtab_to_conf ./libsepol/src/kernel_to_conf.c:1819:8
SELinuxProject#5 0x55afba in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3159:7
SELinuxProject#6 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9
SELinuxProject#7 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#8 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#9 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#10 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#11 0x7f97a83fd7ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#12 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
fishilico
pushed a commit
to fishilico/selinux
that referenced
this pull request
Nov 11, 2021
Check the literal contexts in ocontext statements are defined.
==91274==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f60b0afe8c6 bp 0x7ffd42edc990 sp 0x7ffd42edc148 T0)
==91274==The signal is caused by a READ memory access.
==91274==Hint: address points to the zero page.
#0 0x7f60b0afe8c6 string/../sysdeps/x86_64/multiarch/../strlen.S:120
SELinuxProject#1 0x4bd128 in __interceptor_strlen (./out/binpolicy-fuzzer+0x4bd128)
SELinuxProject#2 0x5eb387 in create_str_helper ./libsepol/src/kernel_to_common.c:69:10
SELinuxProject#3 0x5eb11e in create_str ./libsepol/src/kernel_to_common.c:99:8
SELinuxProject#4 0x56ad7b in context_to_str ./libsepol/src/kernel_to_conf.c:2408:9
SELinuxProject#5 0x56a717 in write_sid_context_rules_to_conf ./libsepol/src/kernel_to_conf.c:2441:9
SELinuxProject#6 0x55b26c in write_selinux_isid_rules_to_conf ./libsepol/src/kernel_to_conf.c:2476:9
SELinuxProject#7 0x55b26c in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3206:8
SELinuxProject#8 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9
SELinuxProject#9 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#10 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#11 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#12 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#13 0x7f60b0a887ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#14 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Dec 9, 2021
Limit the maximum length of read sizes, like string length of module
version and name or keys and number of symtab entries. This avoids the
fuzzer to report oom events for huge allocations (it also improves the
number of executions per seconds of the fuzzer).
This change only affects the fuzzer build.
==15211== ERROR: libFuzzer: out-of-memory (malloc(3115956666))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143)
SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb)
SELinuxProject#8 0x59d307 in str_read ./libsepol/src/services.c:1746:8
SELinuxProject#9 0x585b97 in perm_read ./libsepol/src/policydb.c:2063:5
SELinuxProject#10 0x581f8a in common_read ./libsepol/src/policydb.c:2119:7
SELinuxProject#11 0x576681 in policydb_read ./libsepol/src/policydb.c:4417:8
SELinuxProject#12 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
SELinuxProject#13 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#14 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#15 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#16 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#17 0x7fe1ec88a7ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#18 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
==12683== ERROR: libFuzzer: out-of-memory (malloc(2526451450))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143)
SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb)
SELinuxProject#8 0x575f8a in policydb_read ./libsepol/src/policydb.c:4356:18
SELinuxProject#9 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
SELinuxProject#10 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#11 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#12 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#13 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#14 0x7fa737b377ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#15 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Dec 9, 2021
Add checks for invalid read sizes from a binary policy to guard
allocations.
The common and class permission counts needs to be limited more strict
otherwise a too high count of common or class permissions can lead to
permission values with a too high value, which can lead to overflows
in shift operations.
In the fuzzer build the value will also be bounded to avoid oom reports.
==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143)
SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb)
SELinuxProject#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9
SELinuxProject#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7
SELinuxProject#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9
SELinuxProject#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
SELinuxProject#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999)
SELinuxProject#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63)
SELinuxProject#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6
SELinuxProject#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6
SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v3:
- use PERM_SYMTAB_SIZE instead of bare 32 as limit
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Dec 9, 2021
Free the local access vector list on failure as it does not get moved
into the policy structure.
Drop the now redundant, but non-exhaustive, resource cleanup in
cond_insertf().
Direct leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x52596d in malloc (./out/binpolicy-fuzzer+0x52596d)
SELinuxProject#1 0x5b30d2 in cond_insertf ./libsepol/src/conditional.c:682:9
SELinuxProject#2 0x5ac218 in avtab_read_item ./libsepol/src/avtab.c:583:10
SELinuxProject#3 0x5b21f4 in cond_read_av_list ./libsepol/src/conditional.c:725:8
SELinuxProject#4 0x5b21f4 in cond_read_node ./libsepol/src/conditional.c:798:7
SELinuxProject#5 0x5b21f4 in cond_read_list ./libsepol/src/conditional.c:847:7
SELinuxProject#6 0x576b6e in policydb_read ./libsepol/src/policydb.c:4436:8
SELinuxProject#7 0x55a1fe in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:24:6
SELinuxProject#8 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#9 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#10 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#11 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#12 0x7f47abeb87ec in __libc_start_main csu/../csu/libc-start.c:332:16
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v2:
drop redundant cleanup in cond_insertf()
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Dec 9, 2021
Check if the sid value is saturated to guard dependent allocations.
==19967== ERROR: libFuzzer: out-of-memory (malloc(7784628224))
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aabe3 in __asan::Allocator::Reallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aabe3)
SELinuxProject#7 0x4aaa32 in __asan::asan_reallocarray(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aaa32)
SELinuxProject#8 0x525f8e in __interceptor_reallocarray (./out/binpolicy-fuzzer+0x525f8e)
SELinuxProject#9 0x5ebad3 in strs_add_at_index ./libsepol/src/kernel_to_common.c:224:9
SELinuxProject#10 0x5680eb in write_sids_to_conf ./libsepol/src/kernel_to_conf.c:466:8
SELinuxProject#11 0x55c1c0 in write_sid_decl_rules_to_conf ./libsepol/src/kernel_to_conf.c:498:8
SELinuxProject#12 0x55ad36 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3083:7
SELinuxProject#13 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9
SELinuxProject#14 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#15 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#16 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#17 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#18 0x7f085ac657ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#19 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Dec 9, 2021
Handle gaps in the user table while printing a policy configuration.
==24424==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004bdc55 bp 0x7ffc8790b810 sp 0x7ffc8790afb0 T0)
==24424==The signal is caused by a READ memory access.
==24424==Hint: address points to the zero page.
#0 0x4bdc55 in __interceptor_strcmp (./out/binpolicy-fuzzer+0x4bdc55)
SELinuxProject#1 0x5ebdf6 in strs_cmp ./libsepol/src/kernel_to_common.c:253:9
SELinuxProject#2 0x505669 in __interceptor_qsort (./out/binpolicy-fuzzer+0x505669)
SELinuxProject#3 0x5ebd84 in strs_sort ./libsepol/src/kernel_to_common.c:261:2
SELinuxProject#4 0x564550 in write_user_decl_rules_to_conf ./libsepol/src/kernel_to_conf.c:2333:2
SELinuxProject#5 0x55b137 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3190:7
SELinuxProject#6 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9
SELinuxProject#7 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#8 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#9 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#10 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#11 0x7f530128d7ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#12 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Dec 9, 2021
==80903==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000005c0 at pc 0x0000005696c8 bp 0x7ffdb11ea560 sp 0x7ffdb11ea558
READ of size 8 at 0x6020000005c0 thread T0
#0 0x5696c7 in avtab_node_to_str ./libsepol/src/kernel_to_conf.c:1736:9
SELinuxProject#1 0x569013 in map_avtab_write_helper ./libsepol/src/kernel_to_conf.c:1767:10
SELinuxProject#2 0x5ab837 in avtab_map ./libsepol/src/avtab.c:347:10
SELinuxProject#3 0x561f9a in write_avtab_flavor_to_conf ./libsepol/src/kernel_to_conf.c:1798:7
SELinuxProject#4 0x561f9a in write_avtab_to_conf ./libsepol/src/kernel_to_conf.c:1819:8
SELinuxProject#5 0x55afba in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3159:7
SELinuxProject#6 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9
SELinuxProject#7 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#8 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#9 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#10 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#11 0x7f97a83fd7ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#12 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Dec 9, 2021
Check the literal contexts in ocontext statements are defined.
==91274==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f60b0afe8c6 bp 0x7ffd42edc990 sp 0x7ffd42edc148 T0)
==91274==The signal is caused by a READ memory access.
==91274==Hint: address points to the zero page.
#0 0x7f60b0afe8c6 string/../sysdeps/x86_64/multiarch/../strlen.S:120
SELinuxProject#1 0x4bd128 in __interceptor_strlen (./out/binpolicy-fuzzer+0x4bd128)
SELinuxProject#2 0x5eb387 in create_str_helper ./libsepol/src/kernel_to_common.c:69:10
SELinuxProject#3 0x5eb11e in create_str ./libsepol/src/kernel_to_common.c:99:8
SELinuxProject#4 0x56ad7b in context_to_str ./libsepol/src/kernel_to_conf.c:2408:9
SELinuxProject#5 0x56a717 in write_sid_context_rules_to_conf ./libsepol/src/kernel_to_conf.c:2441:9
SELinuxProject#6 0x55b26c in write_selinux_isid_rules_to_conf ./libsepol/src/kernel_to_conf.c:2476:9
SELinuxProject#7 0x55b26c in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3206:8
SELinuxProject#8 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9
SELinuxProject#9 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#10 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#11 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#12 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#13 0x7f60b0a887ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#14 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v3:
only check FS and NETIF ocons in selinux policies (not xen)
v2:
also check in base modules
jwcart2
pushed a commit
to jwcart2/selinux
that referenced
this pull request
Dec 15, 2021
Limit the maximum length of read sizes, like string length of module
version and name or keys and number of symtab entries. This avoids the
fuzzer to report oom events for huge allocations (it also improves the
number of executions per seconds of the fuzzer).
This change only affects the fuzzer build.
==15211== ERROR: libFuzzer: out-of-memory (malloc(3115956666))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143)
SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb)
SELinuxProject#8 0x59d307 in str_read ./libsepol/src/services.c:1746:8
SELinuxProject#9 0x585b97 in perm_read ./libsepol/src/policydb.c:2063:5
SELinuxProject#10 0x581f8a in common_read ./libsepol/src/policydb.c:2119:7
SELinuxProject#11 0x576681 in policydb_read ./libsepol/src/policydb.c:4417:8
SELinuxProject#12 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
SELinuxProject#13 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#14 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#15 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#16 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#17 0x7fe1ec88a7ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#18 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
==12683== ERROR: libFuzzer: out-of-memory (malloc(2526451450))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143)
SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb)
SELinuxProject#8 0x575f8a in policydb_read ./libsepol/src/policydb.c:4356:18
SELinuxProject#9 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
SELinuxProject#10 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#11 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#12 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#13 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#14 0x7fa737b377ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#15 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
jwcart2
pushed a commit
to jwcart2/selinux
that referenced
this pull request
Dec 15, 2021
Add checks for invalid read sizes from a binary policy to guard
allocations.
The common and class permission counts needs to be limited more strict
otherwise a too high count of common or class permissions can lead to
permission values with a too high value, which can lead to overflows
in shift operations.
In the fuzzer build the value will also be bounded to avoid oom reports.
==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143)
SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb)
SELinuxProject#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9
SELinuxProject#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7
SELinuxProject#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9
SELinuxProject#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
SELinuxProject#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999)
SELinuxProject#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63)
SELinuxProject#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6
SELinuxProject#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6
SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
jwcart2
pushed a commit
to jwcart2/selinux
that referenced
this pull request
Dec 15, 2021
Free the local access vector list on failure as it does not get moved
into the policy structure.
Drop the now redundant, but non-exhaustive, resource cleanup in
cond_insertf().
Direct leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x52596d in malloc (./out/binpolicy-fuzzer+0x52596d)
#1 0x5b30d2 in cond_insertf ./libsepol/src/conditional.c:682:9
SELinuxProject#2 0x5ac218 in avtab_read_item ./libsepol/src/avtab.c:583:10
SELinuxProject#3 0x5b21f4 in cond_read_av_list ./libsepol/src/conditional.c:725:8
SELinuxProject#4 0x5b21f4 in cond_read_node ./libsepol/src/conditional.c:798:7
SELinuxProject#5 0x5b21f4 in cond_read_list ./libsepol/src/conditional.c:847:7
SELinuxProject#6 0x576b6e in policydb_read ./libsepol/src/policydb.c:4436:8
SELinuxProject#7 0x55a1fe in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:24:6
SELinuxProject#8 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#9 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#10 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#11 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#12 0x7f47abeb87ec in __libc_start_main csu/../csu/libc-start.c:332:16
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
jwcart2
pushed a commit
to jwcart2/selinux
that referenced
this pull request
Dec 15, 2021
Check if the sid value is saturated to guard dependent allocations.
==19967== ERROR: libFuzzer: out-of-memory (malloc(7784628224))
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
SELinuxProject#6 0x4aabe3 in __asan::Allocator::Reallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aabe3)
SELinuxProject#7 0x4aaa32 in __asan::asan_reallocarray(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aaa32)
SELinuxProject#8 0x525f8e in __interceptor_reallocarray (./out/binpolicy-fuzzer+0x525f8e)
SELinuxProject#9 0x5ebad3 in strs_add_at_index ./libsepol/src/kernel_to_common.c:224:9
SELinuxProject#10 0x5680eb in write_sids_to_conf ./libsepol/src/kernel_to_conf.c:466:8
SELinuxProject#11 0x55c1c0 in write_sid_decl_rules_to_conf ./libsepol/src/kernel_to_conf.c:498:8
SELinuxProject#12 0x55ad36 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3083:7
SELinuxProject#13 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9
SELinuxProject#14 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#15 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#16 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#17 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#18 0x7f085ac657ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#19 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
jwcart2
pushed a commit
to jwcart2/selinux
that referenced
this pull request
Dec 15, 2021
Handle gaps in the user table while printing a policy configuration.
==24424==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004bdc55 bp 0x7ffc8790b810 sp 0x7ffc8790afb0 T0)
==24424==The signal is caused by a READ memory access.
==24424==Hint: address points to the zero page.
#0 0x4bdc55 in __interceptor_strcmp (./out/binpolicy-fuzzer+0x4bdc55)
#1 0x5ebdf6 in strs_cmp ./libsepol/src/kernel_to_common.c:253:9
SELinuxProject#2 0x505669 in __interceptor_qsort (./out/binpolicy-fuzzer+0x505669)
SELinuxProject#3 0x5ebd84 in strs_sort ./libsepol/src/kernel_to_common.c:261:2
SELinuxProject#4 0x564550 in write_user_decl_rules_to_conf ./libsepol/src/kernel_to_conf.c:2333:2
SELinuxProject#5 0x55b137 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3190:7
SELinuxProject#6 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9
SELinuxProject#7 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#8 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#9 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#10 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#11 0x7f530128d7ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#12 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
jwcart2
pushed a commit
to jwcart2/selinux
that referenced
this pull request
Dec 15, 2021
==80903==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000005c0 at pc 0x0000005696c8 bp 0x7ffdb11ea560 sp 0x7ffdb11ea558
READ of size 8 at 0x6020000005c0 thread T0
#0 0x5696c7 in avtab_node_to_str ./libsepol/src/kernel_to_conf.c:1736:9
#1 0x569013 in map_avtab_write_helper ./libsepol/src/kernel_to_conf.c:1767:10
SELinuxProject#2 0x5ab837 in avtab_map ./libsepol/src/avtab.c:347:10
SELinuxProject#3 0x561f9a in write_avtab_flavor_to_conf ./libsepol/src/kernel_to_conf.c:1798:7
SELinuxProject#4 0x561f9a in write_avtab_to_conf ./libsepol/src/kernel_to_conf.c:1819:8
SELinuxProject#5 0x55afba in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3159:7
SELinuxProject#6 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9
SELinuxProject#7 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#8 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#9 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#10 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#11 0x7f97a83fd7ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#12 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
jwcart2
pushed a commit
to jwcart2/selinux
that referenced
this pull request
Dec 15, 2021
Check the literal contexts in ocontext statements are defined.
==91274==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f60b0afe8c6 bp 0x7ffd42edc990 sp 0x7ffd42edc148 T0)
==91274==The signal is caused by a READ memory access.
==91274==Hint: address points to the zero page.
#0 0x7f60b0afe8c6 string/../sysdeps/x86_64/multiarch/../strlen.S:120
#1 0x4bd128 in __interceptor_strlen (./out/binpolicy-fuzzer+0x4bd128)
SELinuxProject#2 0x5eb387 in create_str_helper ./libsepol/src/kernel_to_common.c:69:10
SELinuxProject#3 0x5eb11e in create_str ./libsepol/src/kernel_to_common.c:99:8
SELinuxProject#4 0x56ad7b in context_to_str ./libsepol/src/kernel_to_conf.c:2408:9
SELinuxProject#5 0x56a717 in write_sid_context_rules_to_conf ./libsepol/src/kernel_to_conf.c:2441:9
SELinuxProject#6 0x55b26c in write_selinux_isid_rules_to_conf ./libsepol/src/kernel_to_conf.c:2476:9
SELinuxProject#7 0x55b26c in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3206:8
SELinuxProject#8 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9
SELinuxProject#9 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#10 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#11 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#12 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
SELinuxProject#13 0x7f60b0a887ec in __libc_start_main csu/../csu/libc-start.c:332:16
SELinuxProject#14 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
jwcart2
pushed a commit
that referenced
this pull request
Dec 17, 2021
Limit the maximum length of read sizes, like string length of module
version and name or keys and number of symtab entries. This avoids the
fuzzer to report oom events for huge allocations (it also improves the
number of executions per seconds of the fuzzer).
This change only affects the fuzzer build.
==15211== ERROR: libFuzzer: out-of-memory (malloc(3115956666))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143)
#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb)
#8 0x59d307 in str_read ./libsepol/src/services.c:1746:8
#9 0x585b97 in perm_read ./libsepol/src/policydb.c:2063:5
#10 0x581f8a in common_read ./libsepol/src/policydb.c:2119:7
#11 0x576681 in policydb_read ./libsepol/src/policydb.c:4417:8
#12 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
#13 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
#14 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
#15 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
#16 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
#17 0x7fe1ec88a7ec in __libc_start_main csu/../csu/libc-start.c:332:16
#18 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
==12683== ERROR: libFuzzer: out-of-memory (malloc(2526451450))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143)
#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb)
#8 0x575f8a in policydb_read ./libsepol/src/policydb.c:4356:18
#9 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
#10 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
#11 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
#12 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
#13 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
#14 0x7fa737b377ec in __libc_start_main csu/../csu/libc-start.c:332:16
#15 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
jwcart2
pushed a commit
that referenced
this pull request
Dec 17, 2021
Add checks for invalid read sizes from a binary policy to guard
allocations.
The common and class permission counts needs to be limited more strict
otherwise a too high count of common or class permissions can lead to
permission values with a too high value, which can lead to overflows
in shift operations.
In the fuzzer build the value will also be bounded to avoid oom reports.
==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143)
#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb)
#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9
#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7
#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9
#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16
#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999)
#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63)
#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6
#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6
#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16
#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
jwcart2
pushed a commit
that referenced
this pull request
Dec 17, 2021
Free the local access vector list on failure as it does not get moved
into the policy structure.
Drop the now redundant, but non-exhaustive, resource cleanup in
cond_insertf().
Direct leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x52596d in malloc (./out/binpolicy-fuzzer+0x52596d)
#1 0x5b30d2 in cond_insertf ./libsepol/src/conditional.c:682:9
#2 0x5ac218 in avtab_read_item ./libsepol/src/avtab.c:583:10
#3 0x5b21f4 in cond_read_av_list ./libsepol/src/conditional.c:725:8
#4 0x5b21f4 in cond_read_node ./libsepol/src/conditional.c:798:7
#5 0x5b21f4 in cond_read_list ./libsepol/src/conditional.c:847:7
#6 0x576b6e in policydb_read ./libsepol/src/policydb.c:4436:8
#7 0x55a1fe in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:24:6
#8 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
#9 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
#10 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
#11 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
#12 0x7f47abeb87ec in __libc_start_main csu/../csu/libc-start.c:332:16
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
jwcart2
pushed a commit
that referenced
this pull request
Dec 17, 2021
Check if the sid value is saturated to guard dependent allocations.
==19967== ERROR: libFuzzer: out-of-memory (malloc(7784628224))
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
#6 0x4aabe3 in __asan::Allocator::Reallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aabe3)
#7 0x4aaa32 in __asan::asan_reallocarray(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aaa32)
#8 0x525f8e in __interceptor_reallocarray (./out/binpolicy-fuzzer+0x525f8e)
#9 0x5ebad3 in strs_add_at_index ./libsepol/src/kernel_to_common.c:224:9
#10 0x5680eb in write_sids_to_conf ./libsepol/src/kernel_to_conf.c:466:8
#11 0x55c1c0 in write_sid_decl_rules_to_conf ./libsepol/src/kernel_to_conf.c:498:8
#12 0x55ad36 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3083:7
#13 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9
#14 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
#15 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
#16 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
#17 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
#18 0x7f085ac657ec in __libc_start_main csu/../csu/libc-start.c:332:16
#19 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
jwcart2
pushed a commit
that referenced
this pull request
Dec 17, 2021
Handle gaps in the user table while printing a policy configuration.
==24424==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004bdc55 bp 0x7ffc8790b810 sp 0x7ffc8790afb0 T0)
==24424==The signal is caused by a READ memory access.
==24424==Hint: address points to the zero page.
#0 0x4bdc55 in __interceptor_strcmp (./out/binpolicy-fuzzer+0x4bdc55)
#1 0x5ebdf6 in strs_cmp ./libsepol/src/kernel_to_common.c:253:9
#2 0x505669 in __interceptor_qsort (./out/binpolicy-fuzzer+0x505669)
#3 0x5ebd84 in strs_sort ./libsepol/src/kernel_to_common.c:261:2
#4 0x564550 in write_user_decl_rules_to_conf ./libsepol/src/kernel_to_conf.c:2333:2
#5 0x55b137 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3190:7
#6 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9
#7 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
#8 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
#9 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
#10 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
#11 0x7f530128d7ec in __libc_start_main csu/../csu/libc-start.c:332:16
#12 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
jwcart2
pushed a commit
that referenced
this pull request
Dec 17, 2021
==80903==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000005c0 at pc 0x0000005696c8 bp 0x7ffdb11ea560 sp 0x7ffdb11ea558
READ of size 8 at 0x6020000005c0 thread T0
#0 0x5696c7 in avtab_node_to_str ./libsepol/src/kernel_to_conf.c:1736:9
#1 0x569013 in map_avtab_write_helper ./libsepol/src/kernel_to_conf.c:1767:10
#2 0x5ab837 in avtab_map ./libsepol/src/avtab.c:347:10
#3 0x561f9a in write_avtab_flavor_to_conf ./libsepol/src/kernel_to_conf.c:1798:7
#4 0x561f9a in write_avtab_to_conf ./libsepol/src/kernel_to_conf.c:1819:8
#5 0x55afba in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3159:7
#6 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9
#7 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
#8 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
#9 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
#10 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
#11 0x7f97a83fd7ec in __libc_start_main csu/../csu/libc-start.c:332:16
#12 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
jwcart2
pushed a commit
that referenced
this pull request
Dec 17, 2021
Check the literal contexts in ocontext statements are defined.
==91274==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f60b0afe8c6 bp 0x7ffd42edc990 sp 0x7ffd42edc148 T0)
==91274==The signal is caused by a READ memory access.
==91274==Hint: address points to the zero page.
#0 0x7f60b0afe8c6 string/../sysdeps/x86_64/multiarch/../strlen.S:120
#1 0x4bd128 in __interceptor_strlen (./out/binpolicy-fuzzer+0x4bd128)
#2 0x5eb387 in create_str_helper ./libsepol/src/kernel_to_common.c:69:10
#3 0x5eb11e in create_str ./libsepol/src/kernel_to_common.c:99:8
#4 0x56ad7b in context_to_str ./libsepol/src/kernel_to_conf.c:2408:9
#5 0x56a717 in write_sid_context_rules_to_conf ./libsepol/src/kernel_to_conf.c:2441:9
#6 0x55b26c in write_selinux_isid_rules_to_conf ./libsepol/src/kernel_to_conf.c:2476:9
#7 0x55b26c in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3206:8
#8 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9
#9 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
#10 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
#11 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
#12 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
#13 0x7f60b0a887ec in __libc_start_main csu/../csu/libc-start.c:332:16
#14 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
jwcart2
pushed a commit
that referenced
this pull request
Jan 5, 2022
Check the sensitivity is valid and thus the lookup in the name array
`p_sens_val_to_name` is valid.
Found by oss-fuzz (#42729, #42730, #42735, #42741)
==54784==The signal is caused by a READ memory access.
#0 0x5a10f3 in mls_semantic_level_expand ./selinux/libsepol/src/expand.c:934:11
#1 0x53839e in policydb_user_cache ./selinux/libsepol/src/policydb.c:972:7
#2 0x5c6325 in hashtab_map ./selinux/libsepol/src/hashtab.c:236:10
#3 0x5392e9 in policydb_index_others ./selinux/libsepol/src/policydb.c:1274:6
#4 0x53f90a in policydb_read ./selinux/libsepol/src/policydb.c:4496:6
#5 0x50c679 in LLVMFuzzerTestOneInput ./selinux/libsepol/fuzz/binpolicy-fuzzer.c:35:6
#6 0x4409e3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (./selinux/out/binpolicy-fuzzer+0x4409e3)
#7 0x4295bf in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (./selinux/out/binpolicy-fuzzer+0x4295bf)
#8 0x42f850 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (./selinux/out/binpolicy-fuzzer+0x42f850)
#9 0x45b6d2 in main (./selinux/out/binpolicy-fuzzer+0x45b6d2)
#10 0x7f059fcd71c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#11 0x7f059fcd7277 in __libc_start_main csu/../csu/libc-start.c:409:3
#12 0x423900 in _start (./out/binpolicy-fuzzer+0x423900)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Mar 31, 2022
class s
sid e
class s { y }
sensitivity i alias { d };
==13999==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000008b8 at pc 0x000000594081 bp 0x7ffcd296ad80 sp 0x7ffcd296ad78
READ of size 8 at 0x6030000008b8 thread T0
#0 0x594080 in ebitmap_destroy ./libsepol/src/ebitmap.c:379:9
SELinuxProject#1 0x61d546 in mls_level_destroy ./DESTDIR/usr/include/sepol/policydb/mls_types.h:98:2
SELinuxProject#2 0x61d546 in sens_destroy ./libsepol/src/policydb.c:1380:2
SELinuxProject#3 0x5bc9d5 in hashtab_map ./libsepol/src/hashtab.c:234:10
SELinuxProject#4 0x60cbf1 in symtabs_destroy ./libsepol/src/policydb.c:1581:9
SELinuxProject#5 0x60cbf1 in policydb_destroy ./libsepol/src/policydb.c:1489:2
SELinuxProject#6 0x55aaa2 in LLVMFuzzerTestOneInput ./checkpolicy/fuzz/checkpolicy-fuzzer.c:209:2
SELinuxProject#7 0x45af33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#8 0x446a72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#9 0x44c99b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#10 0x475e32 in main (./out/checkpolicy-fuzzer+0x475e32)
SELinuxProject#11 0x7f31b5ea1e49 in __libc_start_main csu/../csu/libc-start.c:314:16
SELinuxProject#12 0x4236e9 in _start (./out/checkpolicy-fuzzer+0x4236e9)
0x6030000008b8 is located 8 bytes inside of 24-byte region [0x6030000008b0,0x6030000008c8)
freed by thread T0 here:
#0 0x525762 in __interceptor_free (./out/checkpolicy-fuzzer+0x525762)
SELinuxProject#1 0x61d566 in sens_destroy ./libsepol/src/policydb.c:1381:2
SELinuxProject#2 0x5bc9d5 in hashtab_map ./libsepol/src/hashtab.c:234:10
SELinuxProject#3 0x60cbf1 in symtabs_destroy ./libsepol/src/policydb.c:1581:9
SELinuxProject#4 0x60cbf1 in policydb_destroy ./libsepol/src/policydb.c:1489:2
SELinuxProject#5 0x55aaa2 in LLVMFuzzerTestOneInput ./checkpolicy/fuzz/checkpolicy-fuzzer.c:209:2
SELinuxProject#6 0x45af33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#7 0x446a72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#8 0x44c99b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#9 0x475e32 in main (./out/checkpolicy-fuzzer+0x475e32)
SELinuxProject#10 0x7f31b5ea1e49 in __libc_start_main csu/../csu/libc-start.c:314:16
previously allocated by thread T0 here:
#0 0x5259cd in malloc (./out/checkpolicy-fuzzer+0x5259cd)
SELinuxProject#1 0x56be7e in define_sens ./checkpolicy/policy_define.c:744:26
SELinuxProject#2 0x583ed4 in yyparse ./checkpolicy/policy_parse.y:261:30
SELinuxProject#3 0x55a5a0 in read_source_policy ./checkpolicy/fuzz/checkpolicy-fuzzer.c:96:6
SELinuxProject#4 0x55a5a0 in LLVMFuzzerTestOneInput ./checkpolicy/fuzz/checkpolicy-fuzzer.c:162:6
SELinuxProject#5 0x45af33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#6 0x446a72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#7 0x44c99b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#8 0x475e32 in main (./out/checkpolicy-fuzzer+0x475e32)
SELinuxProject#9 0x7f31b5ea1e49 in __libc_start_main csu/../csu/libc-start.c:314:16
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Apr 20, 2022
class s
sid e
class s { y }
sensitivity i alias { d };
==13999==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000008b8 at pc 0x000000594081 bp 0x7ffcd296ad80 sp 0x7ffcd296ad78
READ of size 8 at 0x6030000008b8 thread T0
#0 0x594080 in ebitmap_destroy ./libsepol/src/ebitmap.c:379:9
SELinuxProject#1 0x61d546 in mls_level_destroy ./DESTDIR/usr/include/sepol/policydb/mls_types.h:98:2
SELinuxProject#2 0x61d546 in sens_destroy ./libsepol/src/policydb.c:1380:2
SELinuxProject#3 0x5bc9d5 in hashtab_map ./libsepol/src/hashtab.c:234:10
SELinuxProject#4 0x60cbf1 in symtabs_destroy ./libsepol/src/policydb.c:1581:9
SELinuxProject#5 0x60cbf1 in policydb_destroy ./libsepol/src/policydb.c:1489:2
SELinuxProject#6 0x55aaa2 in LLVMFuzzerTestOneInput ./checkpolicy/fuzz/checkpolicy-fuzzer.c:209:2
SELinuxProject#7 0x45af33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#8 0x446a72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#9 0x44c99b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#10 0x475e32 in main (./out/checkpolicy-fuzzer+0x475e32)
SELinuxProject#11 0x7f31b5ea1e49 in __libc_start_main csu/../csu/libc-start.c:314:16
SELinuxProject#12 0x4236e9 in _start (./out/checkpolicy-fuzzer+0x4236e9)
0x6030000008b8 is located 8 bytes inside of 24-byte region [0x6030000008b0,0x6030000008c8)
freed by thread T0 here:
#0 0x525762 in __interceptor_free (./out/checkpolicy-fuzzer+0x525762)
SELinuxProject#1 0x61d566 in sens_destroy ./libsepol/src/policydb.c:1381:2
SELinuxProject#2 0x5bc9d5 in hashtab_map ./libsepol/src/hashtab.c:234:10
SELinuxProject#3 0x60cbf1 in symtabs_destroy ./libsepol/src/policydb.c:1581:9
SELinuxProject#4 0x60cbf1 in policydb_destroy ./libsepol/src/policydb.c:1489:2
SELinuxProject#5 0x55aaa2 in LLVMFuzzerTestOneInput ./checkpolicy/fuzz/checkpolicy-fuzzer.c:209:2
SELinuxProject#6 0x45af33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#7 0x446a72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#8 0x44c99b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#9 0x475e32 in main (./out/checkpolicy-fuzzer+0x475e32)
SELinuxProject#10 0x7f31b5ea1e49 in __libc_start_main csu/../csu/libc-start.c:314:16
previously allocated by thread T0 here:
#0 0x5259cd in malloc (./out/checkpolicy-fuzzer+0x5259cd)
SELinuxProject#1 0x56be7e in define_sens ./checkpolicy/policy_define.c:744:26
SELinuxProject#2 0x583ed4 in yyparse ./checkpolicy/policy_parse.y:261:30
SELinuxProject#3 0x55a5a0 in read_source_policy ./checkpolicy/fuzz/checkpolicy-fuzzer.c:96:6
SELinuxProject#4 0x55a5a0 in LLVMFuzzerTestOneInput ./checkpolicy/fuzz/checkpolicy-fuzzer.c:162:6
SELinuxProject#5 0x45af33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#6 0x446a72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#7 0x44c99b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#8 0x475e32 in main (./out/checkpolicy-fuzzer+0x475e32)
SELinuxProject#9 0x7f31b5ea1e49 in __libc_start_main csu/../csu/libc-start.c:314:16
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
cgzones
added a commit
to cgzones/selinux
that referenced
this pull request
Jun 15, 2022
class s
sid e
class s { y }
sensitivity i alias { d };
==13999==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000008b8 at pc 0x000000594081 bp 0x7ffcd296ad80 sp 0x7ffcd296ad78
READ of size 8 at 0x6030000008b8 thread T0
#0 0x594080 in ebitmap_destroy ./libsepol/src/ebitmap.c:379:9
SELinuxProject#1 0x61d546 in mls_level_destroy ./DESTDIR/usr/include/sepol/policydb/mls_types.h:98:2
SELinuxProject#2 0x61d546 in sens_destroy ./libsepol/src/policydb.c:1380:2
SELinuxProject#3 0x5bc9d5 in hashtab_map ./libsepol/src/hashtab.c:234:10
SELinuxProject#4 0x60cbf1 in symtabs_destroy ./libsepol/src/policydb.c:1581:9
SELinuxProject#5 0x60cbf1 in policydb_destroy ./libsepol/src/policydb.c:1489:2
SELinuxProject#6 0x55aaa2 in LLVMFuzzerTestOneInput ./checkpolicy/fuzz/checkpolicy-fuzzer.c:209:2
SELinuxProject#7 0x45af33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#8 0x446a72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#9 0x44c99b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#10 0x475e32 in main (./out/checkpolicy-fuzzer+0x475e32)
SELinuxProject#11 0x7f31b5ea1e49 in __libc_start_main csu/../csu/libc-start.c:314:16
SELinuxProject#12 0x4236e9 in _start (./out/checkpolicy-fuzzer+0x4236e9)
0x6030000008b8 is located 8 bytes inside of 24-byte region [0x6030000008b0,0x6030000008c8)
freed by thread T0 here:
#0 0x525762 in __interceptor_free (./out/checkpolicy-fuzzer+0x525762)
SELinuxProject#1 0x61d566 in sens_destroy ./libsepol/src/policydb.c:1381:2
SELinuxProject#2 0x5bc9d5 in hashtab_map ./libsepol/src/hashtab.c:234:10
SELinuxProject#3 0x60cbf1 in symtabs_destroy ./libsepol/src/policydb.c:1581:9
SELinuxProject#4 0x60cbf1 in policydb_destroy ./libsepol/src/policydb.c:1489:2
SELinuxProject#5 0x55aaa2 in LLVMFuzzerTestOneInput ./checkpolicy/fuzz/checkpolicy-fuzzer.c:209:2
SELinuxProject#6 0x45af33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#7 0x446a72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#8 0x44c99b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#9 0x475e32 in main (./out/checkpolicy-fuzzer+0x475e32)
SELinuxProject#10 0x7f31b5ea1e49 in __libc_start_main csu/../csu/libc-start.c:314:16
previously allocated by thread T0 here:
#0 0x5259cd in malloc (./out/checkpolicy-fuzzer+0x5259cd)
SELinuxProject#1 0x56be7e in define_sens ./checkpolicy/policy_define.c:744:26
SELinuxProject#2 0x583ed4 in yyparse ./checkpolicy/policy_parse.y:261:30
SELinuxProject#3 0x55a5a0 in read_source_policy ./checkpolicy/fuzz/checkpolicy-fuzzer.c:96:6
SELinuxProject#4 0x55a5a0 in LLVMFuzzerTestOneInput ./checkpolicy/fuzz/checkpolicy-fuzzer.c:162:6
SELinuxProject#5 0x45af33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
SELinuxProject#6 0x446a72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
SELinuxProject#7 0x44c99b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
SELinuxProject#8 0x475e32 in main (./out/checkpolicy-fuzzer+0x475e32)
SELinuxProject#9 0x7f31b5ea1e49 in __libc_start_main csu/../csu/libc-start.c:314:16
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.