Fixed typo/grammatical error #6

cspeterson · 2015-02-08T06:37:25Z

No description provided.

Fixed typo/grammatical error

stephensmalley · 2015-02-12T18:44:29Z

We prefer patches to go to selinux@tycho.nsa.gov, but as this one was trivial I just took it.

cspeterson · 2015-02-12T19:03:52Z

Very sorry, not very familiar with the etiquette of these things. Thanks for letting me contribute, however trivially!

When hll/pp reads an invalid policy module where some scopes use required symbols which are not defined, the program crashes with a segmentation fault in required_scopes_to_cil(): Program received signal SIGSEGV, Segmentation fault. required_scopes_to_cil (decl_stack=0x6040b0, block=0x607780, pdb=0x6042e0, indent=0) at module_to_cil.c:3479 3479 for (j = 0; j < scope_datum->decl_ids_len; j++) { => 0x00007ffff7a7b1a8 <block_to_cil+5224>: 44 8b 58 10 mov 0x10(%rax),%r11d (gdb) bt #0 required_scopes_to_cil (decl_stack=0x6040b0, block=0x607780, pdb=0x6042e0, indent=0) at module_to_cil.c:3479 #1 block_to_cil (pdb=pdb@entry=0x6042e0, block=block@entry=0x607780, stack=stack@entry=0x6040b0, indent=indent@entry=0) at module_to_cil.c:3622 #2 0x00007ffff7a85a18 in global_block_to_cil (stack=0x6040b0, block=0x607780, pdb=0x6042e0) at module_to_cil.c:3738 #3 blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3764 #4 sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79d05e0 <_IO_2_1_stdout_>, pdb=0x6042e0, linked=linked@entry=0) at module_to_cil.c:4051 #5 0x00007ffff7a86b55 in sepol_module_package_to_cil (fp=fp@entry=0x7ffff79d05e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at module_to_cil.c:4080 #6 0x0000000000401acc in main (argc=<optimized out>, argv=<optimized out>) at pp.c:150 (gdb) p scope_datum $1 = (struct scope_datum *) 0x0 Detect such errors and exit with an error return value. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

When scope_index_read() fails while attempting to allocate memory for scope_index->class_perms_map, scope_index_destroy() gets called with scope->class_perms_len != 0 and scope->class_perms_map == NULL. This triggers the following segmentation fault (in semodule_package): Program received signal SIGSEGV, Segmentation fault. ebitmap_destroy (e=0x10) at ebitmap.c:362 362 n = e->node; => 0x00007ffff79ff7f6 <ebitmap_destroy+134>: 48 8b 3f mov (%rdi),%rdi (gdb) bt #0 ebitmap_destroy (e=0x10) at ebitmap.c:362 #1 0x00007ffff79e2c37 in scope_index_destroy (scope=0x608860) at avrule_block.c:87 #2 avrule_decl_destroy (x=0x608830) at avrule_block.c:103 #3 0x00007ffff7aae99c in avrule_block_read (fp=0x605090, num_scope_syms=8, block=0x6054e8, p=0x605360) at policydb.c:3598 #4 policydb_read (p=0x605360, fp=fp@entry=0x605090, verbose=verbose@entry=0) at policydb.c:3946 #5 0x00007ffff7ab4ab4 in sepol_policydb_read (p=<optimized out>, pf=pf@entry=0x605090) at policydb_public.c:174 #6 0x0000000000401d33 in main (argc=<optimized out>, argv=0x7fffffffdc88) at semodule_package.c:220 (gdb) f 1 (gdb) p *scope $1 = {scope = {{node = 0x0, highbit = 0}, {node = 0x0, highbit = 0}, {node = 0x0, highbit = 0}, {node = 0x0, highbit = 0}, {node = 0x0, highbit = 0}, {node = 0x0, highbit = 0}, {node = 0x0, highbit = 0}, {node = 0x0, highbit = 0}}, class_perms_map = 0x0, class_perms_len = 4294934272} Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

When running secilc on the following CIL file, the program tries to free the data associated with type X using cil_destroy_typeattribute(): (macro sys_obj_type ((user ARG1)) (typeattribute X)) (block B (type X) (call sys_obj_type (Y)) ) By adding some printf statements to cil_typeattribute_init(), cil_type_init() and cil_destroy_typeattribute(), the error message I get when using gcc's address sanitizer is: $ secilc -o /dev/null -f /dev/null test.cil -vvvvvv creating TYPE 0x60400000dfd0 Parsing 2017-02-02_crashing_nulptrderef_cil.cil Building AST from Parse Tree creating TYPEATTR 0x60600000e420 creating TYPE 0x60400000df50 Destroying Parse Tree Resolving AST Failed to resolve call statement at 2017-02-02_crashing_nulptrderef_cil.cil:5 Problem at 2017-02-02_crashing_nulptrderef_cil.cil:5 Pass 8 of resolution failed Failed to resolve ast Failed to compile cildb: -2 Destroying TYPEATTR 0x60600000e420, types (nil) name X Destroying TYPEATTR 0x60400000df50, types 0xbebebebe00000000 name X ASAN:DEADLYSIGNAL ================================================================= ==30684==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc0539d114a bp 0x7ffc1fbcb300 sp 0x7ffc1fbcb2f0 T0) #0 0x7fc0539d1149 in ebitmap_destroy /usr/src/selinux/libsepol/src/ebitmap.c:356 #1 0x7fc053b96201 in cil_destroy_typeattribute ../cil/src/cil_build_ast.c:2370 #2 0x7fc053b42ea4 in cil_destroy_data ../cil/src/cil.c:616 #3 0x7fc053c595bf in cil_tree_node_destroy ../cil/src/cil_tree.c:235 #4 0x7fc053c59819 in cil_tree_children_destroy ../cil/src/cil_tree.c:201 #5 0x7fc053c59958 in cil_tree_subtree_destroy ../cil/src/cil_tree.c:172 #6 0x7fc053c59a27 in cil_tree_destroy ../cil/src/cil_tree.c:165 #7 0x7fc053b44fd7 in cil_db_destroy ../cil/src/cil.c:299 #8 0x4026a1 in main /usr/src/selinux/secilc/secilc.c:335 #9 0x7fc0535e5290 in __libc_start_main (/usr/lib/libc.so.6+0x20290) #10 0x403af9 in _start (/usr/src/selinux/DESTDIR/usr/bin/secilc+0x403af9) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /usr/src/selinux/libsepol/src/ebitmap.c:356 in ebitmap_destroy ==30684==ABORTING When copying the AST tree in cil_resolve_call1(), __cil_copy_node_helper() calls cil_copy_typeattribute() to grab type X in the symbol table of block B, and creates a node with the data of X but with CIL_TYPEATTRIBUTE flavor. This example is a "type confusion" bug between cil_type and cil_typeattribute structures. It can be generalized to any couple of structures sharing the same symbol table (an easy way of finding other couples is by reading the code of cil_flavor_to_symtab_index()). Fix this issue in a "generic" way in __cil_copy_node_helper(), by verifying that the flavor of the found data is the same as expected and triggering an error when it is not. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

… fails In mls_semantic_range_expand(), when a call to mls_semantic_level_expand() fails, the function destroys the semantic level instead of the expanded one. This leads to a use-after-free which is reported by gcc's Address Sanitizer: libsepol.mls_semantic_level_expand: mls_semantic_level_expand: invalid sensitivity level found 128/0. libsepol.sepol_module_package_read: invalid module in module package (at section 0) Failed to read policy package ================================================================= ==24456==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000ee58 at pc 0x7fe6c4fb96b4 bp 0x7fffa5ea6b70 sp 0x7fffa5ea6b60 READ of size 8 at 0x60200000ee58 thread T0 #0 0x7fe6c4fb96b3 in mls_semantic_level_destroy /usr/src/selinux/libsepol/src/mls.c:755 #1 0x7fe6c4fb9b88 in mls_semantic_range_destroy /usr/src/selinux/libsepol/src/mls.c:802 #2 0x7fe6c500e8ab in user_datum_destroy /usr/src/selinux/libsepol/src/policydb.c:535 #3 0x7fe6c500e980 in user_destroy /usr/src/selinux/libsepol/src/policydb.c:1390 #4 0x7fe6c4f36c48 in hashtab_map /usr/src/selinux/libsepol/src/hashtab.c:235 #5 0x7fe6c50152da in symtabs_destroy /usr/src/selinux/libsepol/src/policydb.c:1595 #6 0x7fe6c5015433 in policydb_destroy /usr/src/selinux/libsepol/src/policydb.c:1503 #7 0x7fe6c5040e0d in sepol_policydb_free /usr/src/selinux/libsepol/src/policydb_public.c:82 #8 0x7fe6c4fbc503 in sepol_module_package_free /usr/src/selinux/libsepol/src/module.c:143 #9 0x7fe6c4fefefb in sepol_ppfile_to_module_package /usr/src/selinux/libsepol/src/module_to_cil.c:4293 #10 0x401e51 in main /usr/src/selinux/policycoreutils/hll/pp/pp.c:124 #11 0x7fe6c4add510 in __libc_start_main (/usr/lib/libc.so.6+0x20510) #12 0x402589 in _start (/usr/src/selinux/DESTDIR/usr/libexec/selinux/hll/pp+0x402589) 0x60200000ee58 is located 8 bytes inside of 16-byte region [0x60200000ee50,0x60200000ee60) freed by thread T0 here: #0 0x7fe6c5537ae0 in __interceptor_free /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:45 #1 0x7fe6c4fb969b in mls_semantic_level_destroy /usr/src/selinux/libsepol/src/mls.c:757 #2 0x7fe6c4f02a57 in mls_semantic_range_expand /usr/src/selinux/libsepol/src/expand.c:948 #3 0x7fe6c5007a98 in policydb_user_cache /usr/src/selinux/libsepol/src/policydb.c:939 #4 0x7fe6c4f36c48 in hashtab_map /usr/src/selinux/libsepol/src/hashtab.c:235 #5 0x7fe6c5013859 in policydb_index_others /usr/src/selinux/libsepol/src/policydb.c:1286 #6 0x7fe6c5020b65 in policydb_read /usr/src/selinux/libsepol/src/policydb.c:4342 #7 0x7fe6c4fc0cdb in sepol_module_package_read /usr/src/selinux/libsepol/src/module.c:618 #8 0x7fe6c4ff008d in sepol_ppfile_to_module_package /usr/src/selinux/libsepol/src/module_to_cil.c:4276 #9 0x401e51 in main /usr/src/selinux/policycoreutils/hll/pp/pp.c:124 #10 0x7fe6c4add510 in __libc_start_main (/usr/lib/libc.so.6+0x20510) previously allocated by thread T0 here: #0 0x7fe6c5537e40 in __interceptor_malloc /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:62 #1 0x7fe6c5004efc in mls_read_semantic_level_helper /usr/src/selinux/libsepol/src/policydb.c:1976 #2 0x7fe6c500f596 in mls_read_semantic_range_helper /usr/src/selinux/libsepol/src/policydb.c:2010 #3 0x7fe6c500f596 in user_read /usr/src/selinux/libsepol/src/policydb.c:3258 #4 0x7fe6c502055b in policydb_read /usr/src/selinux/libsepol/src/policydb.c:4286 #5 0x7fe6c4fc0cdb in sepol_module_package_read /usr/src/selinux/libsepol/src/module.c:618 #6 0x7fe6c4ff008d in sepol_ppfile_to_module_package /usr/src/selinux/libsepol/src/module_to_cil.c:4276 #7 0x401e51 in main /usr/src/selinux/policycoreutils/hll/pp/pp.c:124 #8 0x7fe6c4add510 in __libc_start_main (/usr/lib/libc.so.6+0x20510) SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/selinux/libsepol/src/mls.c:755 in mls_semantic_level_destroy Shadow bytes around the buggy address: 0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa 01 fa fa fa 01 fa 0x0c047fff9db0: fa fa 01 fa fa fa 01 fa fa fa 01 fa fa fa 01 fa =>0x0c047fff9dc0: fa fa 00 00 fa fa 00 00 fa fa fd[fd]fa fa fd fd 0x0c047fff9dd0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd 0x0c047fff9de0: fa fa 04 fa fa fa 00 01 fa fa fd fd fa fa fd fd 0x0c047fff9df0: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa fd fd 0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==24456==ABORTING This issue has been found while fuzzing hll/pp with the American Fuzzy Lop. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

On Fedora 32 executing scripts/ci/fedora-test-runner.sh, semodule crashes: [root@localhost selinux-testsuite]# make test make -C policy load make[1]: Entering directory '/root/selinux-testsuite/policy' # Test for "expand-check = 0" in /etc/selinux/semanage.conf # General policy build make[2]: Entering directory '/root/selinux-testsuite/policy/test_policy' Compiling targeted test_policy module Creating targeted test_policy.pp policy package rm tmp/test_policy.mod.fc make[2]: Leaving directory '/root/selinux-testsuite/policy/test_policy' # General policy load domain_fd_use --> off /usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil test_overlay_defaultrange.cil test_add_levels.cil test_glblub.cil make[1]: *** [Makefile:174: load] Aborted (core dumped) (gdb) bt #0 0x00007f608fe4fa25 in raise () from /lib64/libc.so.6 SELinuxProject#1 0x00007f608fe38895 in abort () from /lib64/libc.so.6 SELinuxProject#2 0x00007f6090028aca in __addvsi3.cold () from /lib64/libsepol.so.1 SELinuxProject#3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0) at ../cil/src/cil_binary.c:1551 SELinuxProject#4 0x00007f60900970dd in __cil_permx_bitmap_to_sepol_xperms_list (xperms=0xb650a30, xperms_list=0x7ffce2653b18) at ../cil/src/cil_binary.c:1596 SELinuxProject#5 0x00007f6090097286 in __cil_avrulex_ioctl_to_policydb (k=0xb8ec200 "@\023\214\022\006", datum=0xb650a30, args=0x239a640) at ../cil/src/cil_binary.c:1649 SELinuxProject#6 0x00007f609003f1e5 in hashtab_map (h=0x41f8710, apply=0x7f60900971da <__cil_avrulex_ioctl_to_policydb>, args=0x239a640) at hashtab.c:234 SELinuxProject#7 0x00007f609009ea19 in cil_binary_create_allocated_pdb (db=0x2394f10, policydb=0x239a640) at ../cil/src/cil_binary.c:4969 SELinuxProject#8 0x00007f609009d19d in cil_binary_create (db=0x2394f10, policydb=0x7ffce2653d30) at ../cil/src/cil_binary.c:4329 SELinuxProject#9 0x00007f609008ec23 in cil_build_policydb_create_pdb (db=0x2394f10, sepol_db=0x7ffce2653d30) at ../cil/src/cil.c:631 SELinuxProject#10 0x00007f608fff4bf3 in semanage_direct_commit () from /lib64/libsemanage.so.1 SELinuxProject#11 0x00007f608fff9fae in semanage_commit () from /lib64/libsemanage.so.1 SELinuxProject#12 0x0000000000403e2b in main (argc=7, argv=0x7ffce2655058) at semodule.c:753 (gdb) f 3 SELinuxProject#3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0) at ../cil/src/cil_binary.c:1551 1551 xperms->perms[i] |= XPERM_SETBITS(h) - XPERM_SETBITS(low); This is due to XPERM_SETBITS(h) with h = 31: #define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1) Using "1U" to make the type unsigned fixes the crash. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

When compiling SELinux userspace tools with -ftrapv (this option generates traps for signed overflow on addition, subtraction, multiplication operations, instead of silently wrapping around), semodule crashes when running the tests from scripts/ci/fedora-test-runner.sh in a Fedora 32 virtual machine: [root@localhost selinux-testsuite]# make test make -C policy load make[1]: Entering directory '/root/selinux-testsuite/policy' # Test for "expand-check = 0" in /etc/selinux/semanage.conf # General policy build make[2]: Entering directory '/root/selinux-testsuite/policy/test_policy' Compiling targeted test_policy module Creating targeted test_policy.pp policy package rm tmp/test_policy.mod.fc make[2]: Leaving directory '/root/selinux-testsuite/policy/test_policy' # General policy load domain_fd_use --> off /usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil test_overlay_defaultrange.cil test_add_levels.cil test_glblub.cil make[1]: *** [Makefile:174: load] Aborted (core dumped) Using "coredumpctl gdb" leads to the following strack trace: (gdb) bt #0 0x00007f608fe4fa25 in raise () from /lib64/libc.so.6 SELinuxProject#1 0x00007f608fe38895 in abort () from /lib64/libc.so.6 SELinuxProject#2 0x00007f6090028aca in __addvsi3.cold () from /lib64/libsepol.so.1 SELinuxProject#3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0) at ../cil/src/cil_binary.c:1551 SELinuxProject#4 0x00007f60900970dd in __cil_permx_bitmap_to_sepol_xperms_list (xperms=0xb650a30, xperms_list=0x7ffce2653b18) at ../cil/src/cil_binary.c:1596 SELinuxProject#5 0x00007f6090097286 in __cil_avrulex_ioctl_to_policydb (k=0xb8ec200 "@\023\214\022\006", datum=0xb650a30, args=0x239a640) at ../cil/src/cil_binary.c:1649 SELinuxProject#6 0x00007f609003f1e5 in hashtab_map (h=0x41f8710, apply=0x7f60900971da <__cil_avrulex_ioctl_to_policydb>, args=0x239a640) at hashtab.c:234 SELinuxProject#7 0x00007f609009ea19 in cil_binary_create_allocated_pdb (db=0x2394f10, policydb=0x239a640) at ../cil/src/cil_binary.c:4969 SELinuxProject#8 0x00007f609009d19d in cil_binary_create (db=0x2394f10, policydb=0x7ffce2653d30) at ../cil/src/cil_binary.c:4329 SELinuxProject#9 0x00007f609008ec23 in cil_build_policydb_create_pdb (db=0x2394f10, sepol_db=0x7ffce2653d30) at ../cil/src/cil.c:631 SELinuxProject#10 0x00007f608fff4bf3 in semanage_direct_commit () from /lib64/libsemanage.so.1 SELinuxProject#11 0x00007f608fff9fae in semanage_commit () from /lib64/libsemanage.so.1 SELinuxProject#12 0x0000000000403e2b in main (argc=7, argv=0x7ffce2655058) at semodule.c:753 (gdb) f 3 SELinuxProject#3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0) at ../cil/src/cil_binary.c:1551 1551 xperms->perms[i] |= XPERM_SETBITS(h) - XPERM_SETBITS(low); A signed integer overflow therefore occurs in XPERM_SETBITS(h): #define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1) This macro is expanded with h=31, so "(1 << 31)-1" is computed: * (1 << 31) = -0x80000000 is the lowest signed 32-bit integer value * (1 << 31)-1 overflows the capacity of a signed 32-bit integer and result in 0x7fffffff (which is unsigned) Using unsigned integers (with "1U") fixes the crash, as (1U << 31) = 0x80000000U has no overflowing issues. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

When compiling SELinux userspace tools with -ftrapv (this option generates traps for signed overflow on addition, subtraction, multiplication operations, instead of silently wrapping around), semodule crashes when running the tests from scripts/ci/fedora-test-runner.sh in a Fedora 32 virtual machine: [root@localhost selinux-testsuite]# make test make -C policy load make[1]: Entering directory '/root/selinux-testsuite/policy' # Test for "expand-check = 0" in /etc/selinux/semanage.conf # General policy build make[2]: Entering directory '/root/selinux-testsuite/policy/test_policy' Compiling targeted test_policy module Creating targeted test_policy.pp policy package rm tmp/test_policy.mod.fc make[2]: Leaving directory '/root/selinux-testsuite/policy/test_policy' # General policy load domain_fd_use --> off /usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil test_overlay_defaultrange.cil test_add_levels.cil test_glblub.cil make[1]: *** [Makefile:174: load] Aborted (core dumped) Using "coredumpctl gdb" leads to the following strack trace: (gdb) bt #0 0x00007f608fe4fa25 in raise () from /lib64/libc.so.6 SELinuxProject#1 0x00007f608fe38895 in abort () from /lib64/libc.so.6 SELinuxProject#2 0x00007f6090028aca in __addvsi3.cold () from /lib64/libsepol.so.1 SELinuxProject#3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0) at ../cil/src/cil_binary.c:1551 SELinuxProject#4 0x00007f60900970dd in __cil_permx_bitmap_to_sepol_xperms_list (xperms=0xb650a30, xperms_list=0x7ffce2653b18) at ../cil/src/cil_binary.c:1596 SELinuxProject#5 0x00007f6090097286 in __cil_avrulex_ioctl_to_policydb (k=0xb8ec200 "@\023\214\022\006", datum=0xb650a30, args=0x239a640) at ../cil/src/cil_binary.c:1649 SELinuxProject#6 0x00007f609003f1e5 in hashtab_map (h=0x41f8710, apply=0x7f60900971da <__cil_avrulex_ioctl_to_policydb>, args=0x239a640) at hashtab.c:234 SELinuxProject#7 0x00007f609009ea19 in cil_binary_create_allocated_pdb (db=0x2394f10, policydb=0x239a640) at ../cil/src/cil_binary.c:4969 SELinuxProject#8 0x00007f609009d19d in cil_binary_create (db=0x2394f10, policydb=0x7ffce2653d30) at ../cil/src/cil_binary.c:4329 SELinuxProject#9 0x00007f609008ec23 in cil_build_policydb_create_pdb (db=0x2394f10, sepol_db=0x7ffce2653d30) at ../cil/src/cil.c:631 SELinuxProject#10 0x00007f608fff4bf3 in semanage_direct_commit () from /lib64/libsemanage.so.1 SELinuxProject#11 0x00007f608fff9fae in semanage_commit () from /lib64/libsemanage.so.1 SELinuxProject#12 0x0000000000403e2b in main (argc=7, argv=0x7ffce2655058) at semodule.c:753 (gdb) f 3 SELinuxProject#3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0) at ../cil/src/cil_binary.c:1551 1551 xperms->perms[i] |= XPERM_SETBITS(h) - XPERM_SETBITS(low); A signed integer overflow therefore occurs in XPERM_SETBITS(h): #define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1) This macro is expanded with h=31, so "(1 << 31) - 1" is computed: * (1 << 31) = -0x80000000 is the lowest signed 32-bit integer value * (1 << 31) - 1 overflows the capacity of a signed 32-bit integer and results in 0x7fffffff (which is unsigned) Using unsigned integers (with "1U") fixes the crash, as (1U << 31) = 0x80000000U has no overflowing issues. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

When compiling SELinux userspace tools with -ftrapv (this option generates traps for signed overflow on addition, subtraction, multiplication operations, instead of silently wrapping around), semodule crashes when running the tests from scripts/ci/fedora-test-runner.sh in a Fedora 32 virtual machine: [root@localhost selinux-testsuite]# make test make -C policy load make[1]: Entering directory '/root/selinux-testsuite/policy' # Test for "expand-check = 0" in /etc/selinux/semanage.conf # General policy build make[2]: Entering directory '/root/selinux-testsuite/policy/test_policy' Compiling targeted test_policy module Creating targeted test_policy.pp policy package rm tmp/test_policy.mod.fc make[2]: Leaving directory '/root/selinux-testsuite/policy/test_policy' # General policy load domain_fd_use --> off /usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil test_overlay_defaultrange.cil test_add_levels.cil test_glblub.cil make[1]: *** [Makefile:174: load] Aborted (core dumped) Using "coredumpctl gdb" leads to the following strack trace: (gdb) bt #0 0x00007f608fe4fa25 in raise () from /lib64/libc.so.6 #1 0x00007f608fe38895 in abort () from /lib64/libc.so.6 #2 0x00007f6090028aca in __addvsi3.cold () from /lib64/libsepol.so.1 #3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0) at ../cil/src/cil_binary.c:1551 #4 0x00007f60900970dd in __cil_permx_bitmap_to_sepol_xperms_list (xperms=0xb650a30, xperms_list=0x7ffce2653b18) at ../cil/src/cil_binary.c:1596 #5 0x00007f6090097286 in __cil_avrulex_ioctl_to_policydb (k=0xb8ec200 "@\023\214\022\006", datum=0xb650a30, args=0x239a640) at ../cil/src/cil_binary.c:1649 #6 0x00007f609003f1e5 in hashtab_map (h=0x41f8710, apply=0x7f60900971da <__cil_avrulex_ioctl_to_policydb>, args=0x239a640) at hashtab.c:234 #7 0x00007f609009ea19 in cil_binary_create_allocated_pdb (db=0x2394f10, policydb=0x239a640) at ../cil/src/cil_binary.c:4969 #8 0x00007f609009d19d in cil_binary_create (db=0x2394f10, policydb=0x7ffce2653d30) at ../cil/src/cil_binary.c:4329 #9 0x00007f609008ec23 in cil_build_policydb_create_pdb (db=0x2394f10, sepol_db=0x7ffce2653d30) at ../cil/src/cil.c:631 #10 0x00007f608fff4bf3 in semanage_direct_commit () from /lib64/libsemanage.so.1 #11 0x00007f608fff9fae in semanage_commit () from /lib64/libsemanage.so.1 #12 0x0000000000403e2b in main (argc=7, argv=0x7ffce2655058) at semodule.c:753 (gdb) f 3 #3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0) at ../cil/src/cil_binary.c:1551 1551 xperms->perms[i] |= XPERM_SETBITS(h) - XPERM_SETBITS(low); A signed integer overflow therefore occurs in XPERM_SETBITS(h): #define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1) This macro is expanded with h=31, so "(1 << 31) - 1" is computed: * (1 << 31) = -0x80000000 is the lowest signed 32-bit integer value * (1 << 31) - 1 overflows the capacity of a signed 32-bit integer and results in 0x7fffffff (which is unsigned) Using unsigned integers (with "1U") fixes the crash, as (1U << 31) = 0x80000000U has no overflowing issues. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> Acked-by: Petr Lautrbach <plautrba@redhat.com>

It was found in google/oss-fuzz#4790: ``` Invalid token '' at line 2 of fuzz NEW_FUNC[1/2]: 0x67fff0 in yy_get_previous_state /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1143 NEW_FUNC[2/2]: 0x6803e0 in yy_try_NUL_trans /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1176 ================================================================= ==12==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000007992 at pc 0x000000681800 bp 0x7ffccddee530 sp 0x7ffccddee528 WRITE of size 1 at 0x602000007992 thread T0 SCARINESS: 41 (1-byte-write-heap-use-after-free) #0 0x6817ff in cil_yy_switch_to_buffer /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1315:17 #1 0x6820cc in cil_yy_scan_buffer /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1571:2 SELinuxProject#2 0x682662 in cil_lexer_setup /src/selinux/libsepol/src/../cil/src/cil_lexer.l:73:6 SELinuxProject#3 0x5cf2ae in cil_parser /src/selinux/libsepol/src/../cil/src/cil_parser.c:220:2 SELinuxProject#4 0x56d5e2 in cil_add_file /src/selinux/libsepol/src/../cil/src/cil.c:514:7 SELinuxProject#5 0x556e91 in LLVMFuzzerTestOneInput /src/secilc-fuzzer.c:434:7 SELinuxProject#6 0x459ab1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 SELinuxProject#7 0x45a755 in fuzzer::Fuzzer::TryDetectingAMemoryLeak(unsigned char const*, unsigned long, bool) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:675:3 SELinuxProject#8 0x45acd9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:747:5 SELinuxProject#9 0x45b875 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5 SELinuxProject#10 0x4499fb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 SELinuxProject#11 0x473a32 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 SELinuxProject#12 0x7f982296d83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f) SELinuxProject#13 0x41e758 in _start (/out/secilc-fuzzer+0x41e758) DEDUP_TOKEN: cil_yy_switch_to_buffer--cil_yy_scan_buffer--cil_lexer_setup 0x602000007992 is located 2 bytes inside of 4-byte region [0x602000007990,0x602000007994) freed by thread T0 here: #0 0x521ef2 in free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3 #1 0x56d630 in cil_add_file /src/selinux/libsepol/src/../cil/src/cil.c:526:2 SELinuxProject#2 0x556e91 in LLVMFuzzerTestOneInput /src/secilc-fuzzer.c:434:7 SELinuxProject#3 0x459ab1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 SELinuxProject#4 0x458fba in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3 SELinuxProject#5 0x45acc7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:745:19 SELinuxProject#6 0x45b875 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5 SELinuxProject#7 0x4499fb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 SELinuxProject#8 0x473a32 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 SELinuxProject#9 0x7f982296d83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f) DEDUP_TOKEN: free--cil_add_file--LLVMFuzzerTestOneInput previously allocated by thread T0 here: #0 0x52215d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 #1 0x5cecb8 in cil_malloc /src/selinux/libsepol/src/../cil/src/cil_mem.c:39:14 SELinuxProject#2 0x56d584 in cil_add_file /src/selinux/libsepol/src/../cil/src/cil.c:510:11 SELinuxProject#3 0x556e91 in LLVMFuzzerTestOneInput /src/secilc-fuzzer.c:434:7 SELinuxProject#4 0x459ab1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 SELinuxProject#5 0x458fba in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3 SELinuxProject#6 0x45acc7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:745:19 SELinuxProject#7 0x45b875 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5 SELinuxProject#8 0x4499fb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 SELinuxProject#9 0x473a32 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 SELinuxProject#10 0x7f982296d83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f) DEDUP_TOKEN: malloc--cil_malloc--cil_add_file SUMMARY: AddressSanitizer: heap-use-after-free /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1315:17 in cil_yy_switch_to_buffer Shadow bytes around the buggy address: 0x0c047fff8ee0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd 0x0c047fff8ef0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd 0x0c047fff8f00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd 0x0c047fff8f10: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd 0x0c047fff8f20: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa =>0x0c047fff8f30: fa fa[fd]fa fa fa fd fa fa fa fd fa fa fa fd fa 0x0c047fff8f40: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa 0x0c047fff8f50: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa 0x0c047fff8f60: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa 0x0c047fff8f70: fa fa 00 00 fa fa 02 fa fa fa 02 fa fa fa 00 fa 0x0c047fff8f80: fa fa 03 fa fa fa 00 fa fa fa 03 fa fa fa 00 fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==12==ABORTING ``` Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>

It was found in google/oss-fuzz#4790: ``` Invalid token '' at line 2 of fuzz NEW_FUNC[1/2]: 0x67fff0 in yy_get_previous_state /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1143 NEW_FUNC[2/2]: 0x6803e0 in yy_try_NUL_trans /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1176 ================================================================= ==12==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000007992 at pc 0x000000681800 bp 0x7ffccddee530 sp 0x7ffccddee528 WRITE of size 1 at 0x602000007992 thread T0 SCARINESS: 41 (1-byte-write-heap-use-after-free) #0 0x6817ff in cil_yy_switch_to_buffer /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1315:17 SELinuxProject#1 0x6820cc in cil_yy_scan_buffer /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1571:2 SELinuxProject#2 0x682662 in cil_lexer_setup /src/selinux/libsepol/src/../cil/src/cil_lexer.l:73:6 SELinuxProject#3 0x5cf2ae in cil_parser /src/selinux/libsepol/src/../cil/src/cil_parser.c:220:2 SELinuxProject#4 0x56d5e2 in cil_add_file /src/selinux/libsepol/src/../cil/src/cil.c:514:7 SELinuxProject#5 0x556e91 in LLVMFuzzerTestOneInput /src/secilc-fuzzer.c:434:7 SELinuxProject#6 0x459ab1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 SELinuxProject#7 0x45a755 in fuzzer::Fuzzer::TryDetectingAMemoryLeak(unsigned char const*, unsigned long, bool) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:675:3 SELinuxProject#8 0x45acd9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:747:5 SELinuxProject#9 0x45b875 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5 SELinuxProject#10 0x4499fb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 SELinuxProject#11 0x473a32 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 SELinuxProject#12 0x7f982296d83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f) SELinuxProject#13 0x41e758 in _start (/out/secilc-fuzzer+0x41e758) DEDUP_TOKEN: cil_yy_switch_to_buffer--cil_yy_scan_buffer--cil_lexer_setup 0x602000007992 is located 2 bytes inside of 4-byte region [0x602000007990,0x602000007994) freed by thread T0 here: #0 0x521ef2 in free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3 SELinuxProject#1 0x56d630 in cil_add_file /src/selinux/libsepol/src/../cil/src/cil.c:526:2 SELinuxProject#2 0x556e91 in LLVMFuzzerTestOneInput /src/secilc-fuzzer.c:434:7 SELinuxProject#3 0x459ab1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 SELinuxProject#4 0x458fba in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3 SELinuxProject#5 0x45acc7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:745:19 SELinuxProject#6 0x45b875 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5 SELinuxProject#7 0x4499fb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 SELinuxProject#8 0x473a32 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 SELinuxProject#9 0x7f982296d83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f) DEDUP_TOKEN: free--cil_add_file--LLVMFuzzerTestOneInput previously allocated by thread T0 here: #0 0x52215d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 SELinuxProject#1 0x5cecb8 in cil_malloc /src/selinux/libsepol/src/../cil/src/cil_mem.c:39:14 SELinuxProject#2 0x56d584 in cil_add_file /src/selinux/libsepol/src/../cil/src/cil.c:510:11 SELinuxProject#3 0x556e91 in LLVMFuzzerTestOneInput /src/secilc-fuzzer.c:434:7 SELinuxProject#4 0x459ab1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 SELinuxProject#5 0x458fba in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3 SELinuxProject#6 0x45acc7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:745:19 SELinuxProject#7 0x45b875 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5 SELinuxProject#8 0x4499fb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 SELinuxProject#9 0x473a32 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 SELinuxProject#10 0x7f982296d83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f) DEDUP_TOKEN: malloc--cil_malloc--cil_add_file SUMMARY: AddressSanitizer: heap-use-after-free /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1315:17 in cil_yy_switch_to_buffer Shadow bytes around the buggy address: 0x0c047fff8ee0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd 0x0c047fff8ef0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd 0x0c047fff8f00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd 0x0c047fff8f10: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd 0x0c047fff8f20: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa =>0x0c047fff8f30: fa fa[fd]fa fa fa fd fa fa fa fd fa fa fa fd fa 0x0c047fff8f40: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa 0x0c047fff8f50: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa 0x0c047fff8f60: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa 0x0c047fff8f70: fa fa 00 00 fa fa 02 fa fa fa 02 fa fa fa 00 fa 0x0c047fff8f80: fa fa 03 fa fa fa 00 fa fa fa 03 fa fa fa 00 fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==12==ABORTING ``` Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>

It was found in google/oss-fuzz#4790: ``` Invalid token '' at line 2 of fuzz NEW_FUNC[1/2]: 0x67fff0 in yy_get_previous_state /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1143 NEW_FUNC[2/2]: 0x6803e0 in yy_try_NUL_trans /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1176 ================================================================= ==12==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000007992 at pc 0x000000681800 bp 0x7ffccddee530 sp 0x7ffccddee528 WRITE of size 1 at 0x602000007992 thread T0 SCARINESS: 41 (1-byte-write-heap-use-after-free) #0 0x6817ff in cil_yy_switch_to_buffer /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1315:17 #1 0x6820cc in cil_yy_scan_buffer /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1571:2 #2 0x682662 in cil_lexer_setup /src/selinux/libsepol/src/../cil/src/cil_lexer.l:73:6 #3 0x5cf2ae in cil_parser /src/selinux/libsepol/src/../cil/src/cil_parser.c:220:2 #4 0x56d5e2 in cil_add_file /src/selinux/libsepol/src/../cil/src/cil.c:514:7 #5 0x556e91 in LLVMFuzzerTestOneInput /src/secilc-fuzzer.c:434:7 #6 0x459ab1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 #7 0x45a755 in fuzzer::Fuzzer::TryDetectingAMemoryLeak(unsigned char const*, unsigned long, bool) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:675:3 #8 0x45acd9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:747:5 #9 0x45b875 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5 #10 0x4499fb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 #11 0x473a32 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #12 0x7f982296d83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f) #13 0x41e758 in _start (/out/secilc-fuzzer+0x41e758) DEDUP_TOKEN: cil_yy_switch_to_buffer--cil_yy_scan_buffer--cil_lexer_setup 0x602000007992 is located 2 bytes inside of 4-byte region [0x602000007990,0x602000007994) freed by thread T0 here: #0 0x521ef2 in free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3 #1 0x56d630 in cil_add_file /src/selinux/libsepol/src/../cil/src/cil.c:526:2 #2 0x556e91 in LLVMFuzzerTestOneInput /src/secilc-fuzzer.c:434:7 #3 0x459ab1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 #4 0x458fba in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3 #5 0x45acc7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:745:19 #6 0x45b875 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5 #7 0x4499fb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 #8 0x473a32 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #9 0x7f982296d83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f) DEDUP_TOKEN: free--cil_add_file--LLVMFuzzerTestOneInput previously allocated by thread T0 here: #0 0x52215d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 #1 0x5cecb8 in cil_malloc /src/selinux/libsepol/src/../cil/src/cil_mem.c:39:14 #2 0x56d584 in cil_add_file /src/selinux/libsepol/src/../cil/src/cil.c:510:11 #3 0x556e91 in LLVMFuzzerTestOneInput /src/secilc-fuzzer.c:434:7 #4 0x459ab1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 #5 0x458fba in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3 #6 0x45acc7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:745:19 #7 0x45b875 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5 #8 0x4499fb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 #9 0x473a32 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #10 0x7f982296d83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f) DEDUP_TOKEN: malloc--cil_malloc--cil_add_file SUMMARY: AddressSanitizer: heap-use-after-free /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1315:17 in cil_yy_switch_to_buffer Shadow bytes around the buggy address: 0x0c047fff8ee0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd 0x0c047fff8ef0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd 0x0c047fff8f00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd 0x0c047fff8f10: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd 0x0c047fff8f20: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa =>0x0c047fff8f30: fa fa[fd]fa fa fa fd fa fa fa fd fa fa fa fd fa 0x0c047fff8f40: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa 0x0c047fff8f50: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa 0x0c047fff8f60: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa 0x0c047fff8f70: fa fa 00 00 fa fa 02 fa fa fa 02 fa fa fa 00 fa 0x0c047fff8f80: fa fa 03 fa fa fa 00 fa fa fa 03 fa fa fa 00 fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==12==ABORTING ``` Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru> Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>

OSS-Fuzz found a Null-dereference READ in the CIL compiler when trying to compile the following policy: (macro m((name n))) (call m(())) When calling the macro, the name (in variable "pc") is NULL, which triggers a NULL pointer dereference when using it as a key in __cil_insert_name(). The stack trace is: #0 0x7f4662655a85 in __strlen_avx2 (/usr/lib/libc.so.6+0x162a85) SELinuxProject#1 0x556d0b6d150c in __interceptor_strlen.part.0 (/selinux/libsepol/fuzz/fuzz-secilc+0x44850c) SELinuxProject#2 0x556d0ba74ed6 in symhash /selinux/libsepol/src/symtab.c:22:9 SELinuxProject#3 0x556d0b9ef50d in hashtab_search /selinux/libsepol/src/hashtab.c:186:11 SELinuxProject#4 0x556d0b928e1f in cil_symtab_get_datum /selinux/libsepol/src/../cil/src/cil_symtab.c:121:37 SELinuxProject#5 0x556d0b8f28f4 in __cil_insert_name /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:96:2 SELinuxProject#6 0x556d0b908184 in cil_resolve_call1 /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:2835:12 SELinuxProject#7 0x556d0b91b404 in __cil_resolve_ast_node /selinux/libsepol/src/../cil/src/cil_resolve_ast.c SELinuxProject#8 0x556d0b91380f in __cil_resolve_ast_node_helper /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:3773:7 SELinuxProject#9 0x556d0b932230 in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:263:9 SELinuxProject#10 0x556d0b932230 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:307:7 SELinuxProject#11 0x556d0b932326 in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:275:9 SELinuxProject#12 0x556d0b932326 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:307:7 SELinuxProject#13 0x556d0b911189 in cil_resolve_ast /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:3941:8 SELinuxProject#14 0x556d0b798729 in cil_compile /selinux/libsepol/src/../cil/src/cil.c:550:7 Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28544 Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

OSS-Fuzz found a Null-dereference READ in the CIL compiler when trying to compile the following policy: (macro m((name n))) (call m(())) When calling the macro, the name (in variable "pc") is NULL, which triggers a NULL pointer dereference when using it as a key in __cil_insert_name(). The stack trace is: #0 0x7f4662655a85 in __strlen_avx2 (/usr/lib/libc.so.6+0x162a85) #1 0x556d0b6d150c in __interceptor_strlen.part.0 (/selinux/libsepol/fuzz/fuzz-secilc+0x44850c) #2 0x556d0ba74ed6 in symhash /selinux/libsepol/src/symtab.c:22:9 #3 0x556d0b9ef50d in hashtab_search /selinux/libsepol/src/hashtab.c:186:11 #4 0x556d0b928e1f in cil_symtab_get_datum /selinux/libsepol/src/../cil/src/cil_symtab.c:121:37 #5 0x556d0b8f28f4 in __cil_insert_name /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:96:2 #6 0x556d0b908184 in cil_resolve_call1 /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:2835:12 #7 0x556d0b91b404 in __cil_resolve_ast_node /selinux/libsepol/src/../cil/src/cil_resolve_ast.c #8 0x556d0b91380f in __cil_resolve_ast_node_helper /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:3773:7 #9 0x556d0b932230 in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:263:9 #10 0x556d0b932230 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:307:7 #11 0x556d0b932326 in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:275:9 #12 0x556d0b932326 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:307:7 #13 0x556d0b911189 in cil_resolve_ast /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:3941:8 #14 0x556d0b798729 in cil_compile /selinux/libsepol/src/../cil/src/cil.c:550:7 Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28544 Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

Nicolas Iooss reports: A few months ago, OSS-Fuzz found a crash in the CIL compiler, which got reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28648 (the title is misleading, or is caused by another issue that conflicts with the one I report in this message). Here is a minimized CIL policy which reproduces the issue: (class CLASS (PERM)) (classorder (CLASS)) (sid SID) (sidorder (SID)) (user USER) (role ROLE) (type TYPE) (category CAT) (categoryorder (CAT)) (sensitivity SENS) (sensitivityorder (SENS)) (sensitivitycategory SENS (CAT)) (allow TYPE self (CLASS (PERM))) (roletype ROLE TYPE) (userrole USER ROLE) (userlevel USER (SENS)) (userrange USER ((SENS)(SENS (CAT)))) (sidcontext SID (USER ROLE TYPE ((SENS)(SENS)))) (classpermission CLAPERM) (optional OPT (roletype nonexistingrole nonexistingtype) (classpermissionset CLAPERM (CLASS (PERM))) ) The CIL policy fuzzer (which mimics secilc built with clang Address Sanitizer) reports: ==36541==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000004f98 at pc 0x56445134c842 bp 0x7ffe2a256590 sp 0x7ffe2a256588 READ of size 8 at 0x603000004f98 thread T0 #0 0x56445134c841 in __cil_verify_classperms /selinux/libsepol/src/../cil/src/cil_verify.c:1620:8 SELinuxProject#1 0x56445134a43e in __cil_verify_classpermission /selinux/libsepol/src/../cil/src/cil_verify.c:1650:9 SELinuxProject#2 0x56445134a43e in __cil_pre_verify_helper /selinux/libsepol/src/../cil/src/cil_verify.c:1715:8 SELinuxProject#3 0x5644513225ac in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:272:9 SELinuxProject#4 0x564451322ab1 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:316:7 SELinuxProject#5 0x5644513226af in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:284:9 SELinuxProject#6 0x564451322ab1 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:316:7 SELinuxProject#7 0x5644512b88fd in cil_pre_verify /selinux/libsepol/src/../cil/src/cil_post.c:2510:7 SELinuxProject#8 0x5644512b88fd in cil_post_process /selinux/libsepol/src/../cil/src/cil_post.c:2524:7 SELinuxProject#9 0x5644511856ff in cil_compile /selinux/libsepol/src/../cil/src/cil.c:564:7 The classperms list of a classpermission rule is created and filled in when classpermissionset rules are processed, so it doesn't own any part of the list and shouldn't retain any of it when it is reset. Destroy the classperms list (without destroying the data in it) when resetting a classpermission rule. Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org> Signed-off-by: James Carter <jwcart2@gmail.com>

Nicolas Iooss reports: A few months ago, OSS-Fuzz found a crash in the CIL compiler, which got reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28648 (the title is misleading, or is caused by another issue that conflicts with the one I report in this message). Here is a minimized CIL policy which reproduces the issue: (class CLASS (PERM)) (classorder (CLASS)) (sid SID) (sidorder (SID)) (user USER) (role ROLE) (type TYPE) (category CAT) (categoryorder (CAT)) (sensitivity SENS) (sensitivityorder (SENS)) (sensitivitycategory SENS (CAT)) (allow TYPE self (CLASS (PERM))) (roletype ROLE TYPE) (userrole USER ROLE) (userlevel USER (SENS)) (userrange USER ((SENS)(SENS (CAT)))) (sidcontext SID (USER ROLE TYPE ((SENS)(SENS)))) (classpermission CLAPERM) (optional OPT (roletype nonexistingrole nonexistingtype) (classpermissionset CLAPERM (CLASS (PERM))) ) The CIL policy fuzzer (which mimics secilc built with clang Address Sanitizer) reports: ==36541==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000004f98 at pc 0x56445134c842 bp 0x7ffe2a256590 sp 0x7ffe2a256588 READ of size 8 at 0x603000004f98 thread T0 #0 0x56445134c841 in __cil_verify_classperms /selinux/libsepol/src/../cil/src/cil_verify.c:1620:8 #1 0x56445134a43e in __cil_verify_classpermission /selinux/libsepol/src/../cil/src/cil_verify.c:1650:9 SELinuxProject#2 0x56445134a43e in __cil_pre_verify_helper /selinux/libsepol/src/../cil/src/cil_verify.c:1715:8 SELinuxProject#3 0x5644513225ac in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:272:9 SELinuxProject#4 0x564451322ab1 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:316:7 SELinuxProject#5 0x5644513226af in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:284:9 SELinuxProject#6 0x564451322ab1 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:316:7 SELinuxProject#7 0x5644512b88fd in cil_pre_verify /selinux/libsepol/src/../cil/src/cil_post.c:2510:7 SELinuxProject#8 0x5644512b88fd in cil_post_process /selinux/libsepol/src/../cil/src/cil_post.c:2524:7 SELinuxProject#9 0x5644511856ff in cil_compile /selinux/libsepol/src/../cil/src/cil.c:564:7 The classperms list of a classpermission rule is created and filled in when classpermissionset rules are processed, so it doesn't own any part of the list and shouldn't retain any of it when it is reset. Destroy the classperms list (without destroying the data in it) when resetting a classpermission rule. Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org> Signed-off-by: James Carter <jwcart2@gmail.com>

Nicolas Iooss reports: A few months ago, OSS-Fuzz found a crash in the CIL compiler, which got reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28648 (the title is misleading, or is caused by another issue that conflicts with the one I report in this message). Here is a minimized CIL policy which reproduces the issue: (class CLASS (PERM)) (classorder (CLASS)) (sid SID) (sidorder (SID)) (user USER) (role ROLE) (type TYPE) (category CAT) (categoryorder (CAT)) (sensitivity SENS) (sensitivityorder (SENS)) (sensitivitycategory SENS (CAT)) (allow TYPE self (CLASS (PERM))) (roletype ROLE TYPE) (userrole USER ROLE) (userlevel USER (SENS)) (userrange USER ((SENS)(SENS (CAT)))) (sidcontext SID (USER ROLE TYPE ((SENS)(SENS)))) (classpermission CLAPERM) (optional OPT (roletype nonexistingrole nonexistingtype) (classpermissionset CLAPERM (CLASS (PERM))) ) The CIL policy fuzzer (which mimics secilc built with clang Address Sanitizer) reports: ==36541==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000004f98 at pc 0x56445134c842 bp 0x7ffe2a256590 sp 0x7ffe2a256588 READ of size 8 at 0x603000004f98 thread T0 #0 0x56445134c841 in __cil_verify_classperms /selinux/libsepol/src/../cil/src/cil_verify.c:1620:8 #1 0x56445134a43e in __cil_verify_classpermission /selinux/libsepol/src/../cil/src/cil_verify.c:1650:9 #2 0x56445134a43e in __cil_pre_verify_helper /selinux/libsepol/src/../cil/src/cil_verify.c:1715:8 #3 0x5644513225ac in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:272:9 #4 0x564451322ab1 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:316:7 #5 0x5644513226af in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:284:9 #6 0x564451322ab1 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:316:7 #7 0x5644512b88fd in cil_pre_verify /selinux/libsepol/src/../cil/src/cil_post.c:2510:7 #8 0x5644512b88fd in cil_post_process /selinux/libsepol/src/../cil/src/cil_post.c:2524:7 #9 0x5644511856ff in cil_compile /selinux/libsepol/src/../cil/src/cil.c:564:7 The classperms list of a classpermission rule is created and filled in when classpermissionset rules are processed, so it doesn't own any part of the list and shouldn't retain any of it when it is reset. Destroy the classperms list (without destroying the data in it) when resetting a classpermission rule. Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org> Signed-off-by: James Carter <jwcart2@gmail.com>

In the define_te_avtab_ioctl function: 1. the parameter avrule_template has been copies to new elements which added to avrule list through the function avrule_cpy, so it should free avrule_template. 2. And for rangelist, it does not free the allocated memory. The memory leak can by found by using memory sanitizer: ================================================================= ==20021==ERROR: LeakSanitizer: detected memory leaks Direct leak of 10336 byte(s) in 76 object(s) allocated from: #0 0x7f8f96d9cb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50) SELinuxProject#1 0x55c2e9447fb3 in define_te_avtab_xperms_helper /mnt/sources/tools/selinux/checkpolicy/policy_define.c:2046 SELinuxProject#2 0x55c2e944a6ca in define_te_avtab_extended_perms /mnt/sources/tools/selinux/checkpolicy/policy_define.c:2479 SELinuxProject#3 0x55c2e943126b in yyparse /mnt/sources/tools/selinux/checkpolicy/policy_parse.y:494 SELinuxProject#4 0x55c2e9440221 in read_source_policy /mnt/sources/tools/selinux/checkpolicy/parse_util.c:64 SELinuxProject#5 0x55c2e945a3df in main /mnt/sources/tools/selinux/checkpolicy/checkpolicy.c:619 SELinuxProject#6 0x7f8f968eeb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) Direct leak of 240 byte(s) in 15 object(s) allocated from: #0 0x7f8f96d9cb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50) SELinuxProject#1 0x55c2e9446cd9 in avrule_sort_ioctls /mnt/sources/tools/selinux/checkpolicy/policy_define.c:1846 SELinuxProject#2 0x55c2e9447d8f in avrule_ioctl_ranges /mnt/sources/tools/selinux/checkpolicy/policy_define.c:2020 SELinuxProject#3 0x55c2e944a0de in define_te_avtab_ioctl /mnt/sources/tools/selinux/checkpolicy/policy_define.c:2409 SELinuxProject#4 0x55c2e944a744 in define_te_avtab_extended_perms /mnt/sources/tools/selinux/checkpolicy/policy_define.c:2485 SELinuxProject#5 0x55c2e94312bf in yyparse /mnt/sources/tools/selinux/checkpolicy/policy_parse.y:503 SELinuxProject#6 0x55c2e9440221 in read_source_policy /mnt/sources/tools/selinux/checkpolicy/parse_util.c:64 SELinuxProject#7 0x55c2e945a3df in main /mnt/sources/tools/selinux/checkpolicy/checkpolicy.c:619 SELinuxProject#8 0x7f8f968eeb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) Signed-off-by: liwugang <liwugang@163.com>

hierarchy.c:638:8: runtime error: applying zero offset to null pointer #0 0x60e6a7 in hierarchy_add_role_callback /home/christian/Coding/workspaces/selinux_userland/libsepol/src/hierarchy.c:638:8 SELinuxProject#1 0x607201 in hashtab_map /home/christian/Coding/workspaces/selinux_userland/libsepol/src/hashtab.c:234:10 SELinuxProject#2 0x60c823 in hierarchy_add_bounds /home/christian/Coding/workspaces/selinux_userland/libsepol/src/hierarchy.c:653:7 SELinuxProject#3 0x60fbf5 in hierarchy_check_constraints /home/christian/Coding/workspaces/selinux_userland/libsepol/src/hierarchy.c:674:7 SELinuxProject#4 0x557023 in LLVMFuzzerTestOneInput /home/christian/Coding/workspaces/selinux_userland/checkpolicy/checkmodule-fuzzer.c:115:6 SELinuxProject#5 0x45cf31 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/christian/Coding/workspaces/selinux_userland/checkpolicy/checkmodule-fuzzer+0x45cf31) SELinuxProject#6 0x45e546 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/christian/Coding/workspaces/selinux_userland/checkpolicy/checkmodule-fuzzer+0x45e546) SELinuxProject#7 0x45e9d9 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/christian/Coding/workspaces/selinux_userland/checkpolicy/checkmodule-fuzzer+0x45e9d9) SELinuxProject#8 0x44cfc6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/christian/Coding/workspaces/selinux_userland/checkpolicy/checkmodule-fuzzer+0x44cfc6) SELinuxProject#9 0x476ee2 in main (/home/christian/Coding/workspaces/selinux_userland/checkpolicy/checkmodule-fuzzer+0x476ee2) SELinuxProject#10 0x7fdbc2259d09 in __libc_start_main csu/../csu/libc-start.c:308:16 SELinuxProject#11 0x4216f9 in _start (/home/christian/Coding/workspaces/selinux_userland/checkpolicy/checkmodule-fuzzer+0x4216f9) Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

The internal Sha1Update() functions only handles buffers up to a size of UINT32_MAX, due to its usage of the type uint32_t. This causes issues when processing more than UINT32_MAX bytes, e.g. with a specfile larger than 4G. 0aa974a ("libselinux: limit has buffer size") tried to address this issue, but failed since the overflow check if (digest->hashbuf_size + buf_len < digest->hashbuf_size) { will be done in the widest common type, which is size_t, the type of `buf_len`. Revert the type of `hashbuf_size` to size_t and instead process the data in blocks of supported size. Reverts: 0aa974a ("libselinux: limit has buffer size") Signed-off-by: Christian Göttsche <cgzones@googlemail.com> --- UBSAN reports without block processing: hashbuf_size of uint32_t label_support.c:158:23: runtime error: implicit conversion from type 'unsigned long' of value 4294968207 (64-bit, unsigned) to type 'uint32_t' (aka 'unsigned int') changed the value to 911 (32-bit, unsigned) #0 0x4ecdbd in digest_add_specfile /home/christian/Coding/workspaces/selinux_userland/libselinux/src/label_support.c:158:23 SELinuxProject#1 0x4e0d83 in selabel_subs_init /home/christian/Coding/workspaces/selinux_userland/libselinux/src/label_file.c:666:6 SELinuxProject#2 0x4d5c48 in init /home/christian/Coding/workspaces/selinux_userland/libselinux/src/label_file.c:738:12 SELinuxProject#3 0x4d5c48 in selabel_file_init /home/christian/Coding/workspaces/selinux_userland/libselinux/src/label_file.c:1304:9 SELinuxProject#4 0x4cfdde in selabel_open /home/christian/Coding/workspaces/selinux_userland/libselinux/src/label.c:228:6 SELinuxProject#5 0x4ce76c in main /home/christian/Coding/workspaces/selinux_userland/libselinux/utils/selabel_digest.c:130:8 SELinuxProject#6 0x77b65848a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 SELinuxProject#7 0x77b65848a277 in __libc_start_main csu/../csu/libc-start.c:409:3 SELinuxProject#8 0x41f4c0 in _start (/home/christian/Coding/workspaces/selinux_userland/libselinux/utils/selabel_digest+0x41f4c0) hashbuf_size of size_t label_support.c:125:40: runtime error: implicit conversion from type 'size_t' (aka 'unsigned long') of value 4298262406 (64-bit, unsigned) to type 'uint32_t' (aka 'unsigned int') changed the value to 3295110 (32-bit, unsigned) #0 0x4ec468 in digest_gen_hash /home/christian/Coding/workspaces/selinux_userland/libselinux/src/label_support.c:125:40 SELinuxProject#1 0x4d6dd3 in init /home/christian/Coding/workspaces/selinux_userland/libselinux/src/label_file.c:793:2 SELinuxProject#2 0x4d6dd3 in selabel_file_init /home/christian/Coding/workspaces/selinux_userland/libselinux/src/label_file.c:1304:9 SELinuxProject#3 0x4cfdde in selabel_open /home/christian/Coding/workspaces/selinux_userland/libselinux/src/label.c:228:6 SELinuxProject#4 0x4ce76c in main /home/christian/Coding/workspaces/selinux_userland/libselinux/utils/selabel_digest.c:130:8 SELinuxProject#5 0x749229c371c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 SELinuxProject#6 0x749229c37277 in __libc_start_main csu/../csu/libc-start.c:409:3 SELinuxProject#7 0x41f4c0 in _start (/home/christian/Coding/workspaces/selinux_userland/libselinux/utils/selabel_digest+0x41f4c0)

Free the allocated avrule in define_te_avtab_xperms_helper() on failures. Also free the target classes ebitmap on allocation failure. Direct leak of 136 byte(s) in 1 object(s) allocated from: #0 0x49bb5d in __interceptor_malloc (./checkpolicy/checkpolicy+0x49bb5d) SELinuxProject#1 0x4e6eea in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2041:24 SELinuxProject#2 0x4e6eea in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2487:6 SELinuxProject#3 0x4cef0b in yyparse ./checkpolicy/policy_parse.y:494:30 SELinuxProject#4 0x4e0575 in read_source_policy ./checkpolicy/parse_util.c:63:6 SELinuxProject#5 0x4ff121 in main ./checkpolicy/checkpolicy.c:616:7 SELinuxProject#6 0x7fe31628b7ec in __libc_start_main csu/../csu/libc-start.c:332:16 Indirect leak of 32 byte(s) in 1 object(s) allocated from: #0 0x4877b4 in strdup (./checkpolicy/checkpolicy+0x4877b4) SELinuxProject#1 0x4e6fa7 in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2051:28 SELinuxProject#2 0x4e6fa7 in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2487:6 SELinuxProject#3 0x4cef0b in yyparse ./checkpolicy/policy_parse.y:494:30 SELinuxProject#4 0x4e0575 in read_source_policy ./checkpolicy/parse_util.c:63:6 SELinuxProject#5 0x4ff121 in main ./checkpolicy/checkpolicy.c:616:7 SELinuxProject#6 0x7fe31628b7ec in __libc_start_main csu/../csu/libc-start.c:332:16 Indirect leak of 24 byte(s) in 1 object(s) allocated from: #0 0x49bb5d in __interceptor_malloc (./checkpolicy/checkpolicy+0x49bb5d) SELinuxProject#1 0x50f2fa in ebitmap_set_bit ./libsepol/src/ebitmap.c:346:27 SELinuxProject#2 0x4eb632 in set_types ./checkpolicy/policy_define.c SELinuxProject#3 0x4e7055 in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2059:7 SELinuxProject#4 0x4e7055 in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2487:6 SELinuxProject#5 0x4cef0b in yyparse ./checkpolicy/policy_parse.y:494:30 SELinuxProject#6 0x4e0575 in read_source_policy ./checkpolicy/parse_util.c:63:6 SELinuxProject#7 0x4ff121 in main ./checkpolicy/checkpolicy.c:616:7 SELinuxProject#8 0x7fe31628b7ec in __libc_start_main csu/../csu/libc-start.c:332:16 Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

class s sid e class s { y } sensitivity i alias { d }; ==13999==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000008b8 at pc 0x000000594081 bp 0x7ffcd296ad80 sp 0x7ffcd296ad78 READ of size 8 at 0x6030000008b8 thread T0 #0 0x594080 in ebitmap_destroy ./libsepol/src/ebitmap.c:379:9 SELinuxProject#1 0x61d546 in mls_level_destroy ./DESTDIR/usr/include/sepol/policydb/mls_types.h:98:2 SELinuxProject#2 0x61d546 in sens_destroy ./libsepol/src/policydb.c:1380:2 SELinuxProject#3 0x5bc9d5 in hashtab_map ./libsepol/src/hashtab.c:234:10 SELinuxProject#4 0x60cbf1 in symtabs_destroy ./libsepol/src/policydb.c:1581:9 SELinuxProject#5 0x60cbf1 in policydb_destroy ./libsepol/src/policydb.c:1489:2 SELinuxProject#6 0x55aaa2 in LLVMFuzzerTestOneInput ./checkpolicy/fuzz/checkpolicy-fuzzer.c:209:2 SELinuxProject#7 0x45af33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#8 0x446a72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#9 0x44c99b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#10 0x475e32 in main (./out/checkpolicy-fuzzer+0x475e32) SELinuxProject#11 0x7f31b5ea1e49 in __libc_start_main csu/../csu/libc-start.c:314:16 SELinuxProject#12 0x4236e9 in _start (./out/checkpolicy-fuzzer+0x4236e9) 0x6030000008b8 is located 8 bytes inside of 24-byte region [0x6030000008b0,0x6030000008c8) freed by thread T0 here: #0 0x525762 in __interceptor_free (./out/checkpolicy-fuzzer+0x525762) SELinuxProject#1 0x61d566 in sens_destroy ./libsepol/src/policydb.c:1381:2 SELinuxProject#2 0x5bc9d5 in hashtab_map ./libsepol/src/hashtab.c:234:10 SELinuxProject#3 0x60cbf1 in symtabs_destroy ./libsepol/src/policydb.c:1581:9 SELinuxProject#4 0x60cbf1 in policydb_destroy ./libsepol/src/policydb.c:1489:2 SELinuxProject#5 0x55aaa2 in LLVMFuzzerTestOneInput ./checkpolicy/fuzz/checkpolicy-fuzzer.c:209:2 SELinuxProject#6 0x45af33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#7 0x446a72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#8 0x44c99b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#9 0x475e32 in main (./out/checkpolicy-fuzzer+0x475e32) SELinuxProject#10 0x7f31b5ea1e49 in __libc_start_main csu/../csu/libc-start.c:314:16 previously allocated by thread T0 here: #0 0x5259cd in malloc (./out/checkpolicy-fuzzer+0x5259cd) SELinuxProject#1 0x56be7e in define_sens ./checkpolicy/policy_define.c:744:26 SELinuxProject#2 0x583ed4 in yyparse ./checkpolicy/policy_parse.y:261:30 SELinuxProject#3 0x55a5a0 in read_source_policy ./checkpolicy/fuzz/checkpolicy-fuzzer.c:96:6 SELinuxProject#4 0x55a5a0 in LLVMFuzzerTestOneInput ./checkpolicy/fuzz/checkpolicy-fuzzer.c:162:6 SELinuxProject#5 0x45af33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#6 0x446a72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#7 0x44c99b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#8 0x475e32 in main (./out/checkpolicy-fuzzer+0x475e32) SELinuxProject#9 0x7f31b5ea1e49 in __libc_start_main csu/../csu/libc-start.c:314:16 Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

class process sid tl class process { transition } sensitivity s0; dominance { s0 } category c0; level s0; mlsconstrain process transition t1 eq t2; role e; user sys_useallowr roles e level s0 range s0:c0; user sys_useallowr roles e level s0 range s0; sid e se:s:s Direct leak of 16 byte(s) in 1 object(s) allocated from: #0 0x5259cd in malloc (./out/checkpolicy-fuzzer+0x5259cd) SELinuxProject#1 0x606369 in mls_semantic_level_cpy ./libsepol/src/mls.c:768:30 SELinuxProject#2 0x57bb08 in define_user ./checkpolicy/policy_define.c:4377:8 SELinuxProject#3 0x585955 in yyparse ./checkpolicy/policy_parse.y:657:30 SELinuxProject#4 0x55a7d7 in read_source_policy ./checkpolicy/fuzz/checkpolicy-fuzzer.c:108:6 SELinuxProject#5 0x55a7d7 in LLVMFuzzerTestOneInput ./checkpolicy/fuzz/checkpolicy-fuzzer.c:162:6 SELinuxProject#6 0x45af33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#7 0x446a72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#8 0x44c99b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#9 0x475e32 in main (./out/checkpolicy-fuzzer+0x475e32) SELinuxProject#10 0x7febb0536e49 in __libc_start_main csu/../csu/libc-start.c:314:16 Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

Free the allocated avrule in define_te_avtab_xperms_helper() on failures. Also free the target classes ebitmap on allocation failure. Direct leak of 136 byte(s) in 1 object(s) allocated from: #0 0x49bb5d in __interceptor_malloc (./checkpolicy/checkpolicy+0x49bb5d) SELinuxProject#1 0x4e6eea in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2041:24 SELinuxProject#2 0x4e6eea in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2487:6 SELinuxProject#3 0x4cef0b in yyparse ./checkpolicy/policy_parse.y:494:30 SELinuxProject#4 0x4e0575 in read_source_policy ./checkpolicy/parse_util.c:63:6 SELinuxProject#5 0x4ff121 in main ./checkpolicy/checkpolicy.c:616:7 SELinuxProject#6 0x7fe31628b7ec in __libc_start_main csu/../csu/libc-start.c:332:16 Indirect leak of 32 byte(s) in 1 object(s) allocated from: #0 0x4877b4 in strdup (./checkpolicy/checkpolicy+0x4877b4) SELinuxProject#1 0x4e6fa7 in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2051:28 SELinuxProject#2 0x4e6fa7 in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2487:6 SELinuxProject#3 0x4cef0b in yyparse ./checkpolicy/policy_parse.y:494:30 SELinuxProject#4 0x4e0575 in read_source_policy ./checkpolicy/parse_util.c:63:6 SELinuxProject#5 0x4ff121 in main ./checkpolicy/checkpolicy.c:616:7 SELinuxProject#6 0x7fe31628b7ec in __libc_start_main csu/../csu/libc-start.c:332:16 Indirect leak of 24 byte(s) in 1 object(s) allocated from: #0 0x49bb5d in __interceptor_malloc (./checkpolicy/checkpolicy+0x49bb5d) SELinuxProject#1 0x50f2fa in ebitmap_set_bit ./libsepol/src/ebitmap.c:346:27 SELinuxProject#2 0x4eb632 in set_types ./checkpolicy/policy_define.c SELinuxProject#3 0x4e7055 in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2059:7 SELinuxProject#4 0x4e7055 in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2487:6 SELinuxProject#5 0x4cef0b in yyparse ./checkpolicy/policy_parse.y:494:30 SELinuxProject#6 0x4e0575 in read_source_policy ./checkpolicy/parse_util.c:63:6 SELinuxProject#7 0x4ff121 in main ./checkpolicy/checkpolicy.c:616:7 SELinuxProject#8 0x7fe31628b7ec in __libc_start_main csu/../csu/libc-start.c:332:16 Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

class s sid e class s { y } sensitivity i alias { d }; ==13999==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000008b8 at pc 0x000000594081 bp 0x7ffcd296ad80 sp 0x7ffcd296ad78 READ of size 8 at 0x6030000008b8 thread T0 #0 0x594080 in ebitmap_destroy ./libsepol/src/ebitmap.c:379:9 SELinuxProject#1 0x61d546 in mls_level_destroy ./DESTDIR/usr/include/sepol/policydb/mls_types.h:98:2 SELinuxProject#2 0x61d546 in sens_destroy ./libsepol/src/policydb.c:1380:2 SELinuxProject#3 0x5bc9d5 in hashtab_map ./libsepol/src/hashtab.c:234:10 SELinuxProject#4 0x60cbf1 in symtabs_destroy ./libsepol/src/policydb.c:1581:9 SELinuxProject#5 0x60cbf1 in policydb_destroy ./libsepol/src/policydb.c:1489:2 SELinuxProject#6 0x55aaa2 in LLVMFuzzerTestOneInput ./checkpolicy/fuzz/checkpolicy-fuzzer.c:209:2 SELinuxProject#7 0x45af33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#8 0x446a72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#9 0x44c99b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#10 0x475e32 in main (./out/checkpolicy-fuzzer+0x475e32) SELinuxProject#11 0x7f31b5ea1e49 in __libc_start_main csu/../csu/libc-start.c:314:16 SELinuxProject#12 0x4236e9 in _start (./out/checkpolicy-fuzzer+0x4236e9) 0x6030000008b8 is located 8 bytes inside of 24-byte region [0x6030000008b0,0x6030000008c8) freed by thread T0 here: #0 0x525762 in __interceptor_free (./out/checkpolicy-fuzzer+0x525762) SELinuxProject#1 0x61d566 in sens_destroy ./libsepol/src/policydb.c:1381:2 SELinuxProject#2 0x5bc9d5 in hashtab_map ./libsepol/src/hashtab.c:234:10 SELinuxProject#3 0x60cbf1 in symtabs_destroy ./libsepol/src/policydb.c:1581:9 SELinuxProject#4 0x60cbf1 in policydb_destroy ./libsepol/src/policydb.c:1489:2 SELinuxProject#5 0x55aaa2 in LLVMFuzzerTestOneInput ./checkpolicy/fuzz/checkpolicy-fuzzer.c:209:2 SELinuxProject#6 0x45af33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#7 0x446a72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#8 0x44c99b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#9 0x475e32 in main (./out/checkpolicy-fuzzer+0x475e32) SELinuxProject#10 0x7f31b5ea1e49 in __libc_start_main csu/../csu/libc-start.c:314:16 previously allocated by thread T0 here: #0 0x5259cd in malloc (./out/checkpolicy-fuzzer+0x5259cd) SELinuxProject#1 0x56be7e in define_sens ./checkpolicy/policy_define.c:744:26 SELinuxProject#2 0x583ed4 in yyparse ./checkpolicy/policy_parse.y:261:30 SELinuxProject#3 0x55a5a0 in read_source_policy ./checkpolicy/fuzz/checkpolicy-fuzzer.c:96:6 SELinuxProject#4 0x55a5a0 in LLVMFuzzerTestOneInput ./checkpolicy/fuzz/checkpolicy-fuzzer.c:162:6 SELinuxProject#5 0x45af33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#6 0x446a72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#7 0x44c99b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#8 0x475e32 in main (./out/checkpolicy-fuzzer+0x475e32) SELinuxProject#9 0x7f31b5ea1e49 in __libc_start_main csu/../csu/libc-start.c:314:16 Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

class process sid tl class process { transition } sensitivity s0; dominance { s0 } category c0; level s0; mlsconstrain process transition t1 eq t2; role e; user sys_useallowr roles e level s0 range s0:c0; user sys_useallowr roles e level s0 range s0; sid e se:s:s Direct leak of 16 byte(s) in 1 object(s) allocated from: #0 0x5259cd in malloc (./out/checkpolicy-fuzzer+0x5259cd) SELinuxProject#1 0x606369 in mls_semantic_level_cpy ./libsepol/src/mls.c:768:30 SELinuxProject#2 0x57bb08 in define_user ./checkpolicy/policy_define.c:4377:8 SELinuxProject#3 0x585955 in yyparse ./checkpolicy/policy_parse.y:657:30 SELinuxProject#4 0x55a7d7 in read_source_policy ./checkpolicy/fuzz/checkpolicy-fuzzer.c:108:6 SELinuxProject#5 0x55a7d7 in LLVMFuzzerTestOneInput ./checkpolicy/fuzz/checkpolicy-fuzzer.c:162:6 SELinuxProject#6 0x45af33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#7 0x446a72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#8 0x44c99b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#9 0x475e32 in main (./out/checkpolicy-fuzzer+0x475e32) SELinuxProject#10 0x7febb0536e49 in __libc_start_main csu/../csu/libc-start.c:314:16 Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

Free the allocated avrule in define_te_avtab_xperms_helper() on failures. Also free the target classes ebitmap on allocation failure. Direct leak of 136 byte(s) in 1 object(s) allocated from: #0 0x49bb5d in __interceptor_malloc (./checkpolicy/checkpolicy+0x49bb5d) SELinuxProject#1 0x4e6eea in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2041:24 SELinuxProject#2 0x4e6eea in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2487:6 SELinuxProject#3 0x4cef0b in yyparse ./checkpolicy/policy_parse.y:494:30 SELinuxProject#4 0x4e0575 in read_source_policy ./checkpolicy/parse_util.c:63:6 SELinuxProject#5 0x4ff121 in main ./checkpolicy/checkpolicy.c:616:7 SELinuxProject#6 0x7fe31628b7ec in __libc_start_main csu/../csu/libc-start.c:332:16 Indirect leak of 32 byte(s) in 1 object(s) allocated from: #0 0x4877b4 in strdup (./checkpolicy/checkpolicy+0x4877b4) SELinuxProject#1 0x4e6fa7 in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2051:28 SELinuxProject#2 0x4e6fa7 in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2487:6 SELinuxProject#3 0x4cef0b in yyparse ./checkpolicy/policy_parse.y:494:30 SELinuxProject#4 0x4e0575 in read_source_policy ./checkpolicy/parse_util.c:63:6 SELinuxProject#5 0x4ff121 in main ./checkpolicy/checkpolicy.c:616:7 SELinuxProject#6 0x7fe31628b7ec in __libc_start_main csu/../csu/libc-start.c:332:16 Indirect leak of 24 byte(s) in 1 object(s) allocated from: #0 0x49bb5d in __interceptor_malloc (./checkpolicy/checkpolicy+0x49bb5d) SELinuxProject#1 0x50f2fa in ebitmap_set_bit ./libsepol/src/ebitmap.c:346:27 SELinuxProject#2 0x4eb632 in set_types ./checkpolicy/policy_define.c SELinuxProject#3 0x4e7055 in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2059:7 SELinuxProject#4 0x4e7055 in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2487:6 SELinuxProject#5 0x4cef0b in yyparse ./checkpolicy/policy_parse.y:494:30 SELinuxProject#6 0x4e0575 in read_source_policy ./checkpolicy/parse_util.c:63:6 SELinuxProject#7 0x4ff121 in main ./checkpolicy/checkpolicy.c:616:7 SELinuxProject#8 0x7fe31628b7ec in __libc_start_main csu/../csu/libc-start.c:332:16 Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

Add return check for regex_data_create() to avoid NULL reference of regex_data (gdb) bt #0 0x00007fbde5caec14 in pthread_mutex_init () from /usr/lib64/libc.so.6 #1 0x00007fbde5e3a489 in regex_data_create () at regex.c:260 SELinuxProject#2 0x00007fbde5e3a4af in regex_prepare_data (regex=regex@entry=0x7fbde4613770, pattern_string=pattern_string@entry=0x563c6799a820 "^/home$", errordata=errordata@entry=0x7ffeb83fa950) at regex.c:76 SELinuxProject#3 0x00007fbde5e32fe6 in compile_regex (errbuf=0x0, spec=0x7fbde4613748) at label_file.h:407 SELinuxProject#4 lookup_all (key=0x563c679974e5 "/var/log/kadmind.log", type=<optimized out>, partial=partial@entry=false, match_count=match_count@entry=0x0, rec=<optimized out>, rec=<optimized out>) at label_file.c:949 SELinuxProject#5 0x00007fbde5e33350 in lookup (rec=<optimized out>, key=<optimized out>, type=<optimized out>) at label_file.c:1092 SELinuxProject#6 0x00007fbde5e31878 in selabel_lookup_common (rec=0x563c67998cc0, translating=1, key=<optimized out>, type=<optimized out>) at label.c:167 Signed-off-by: Jie Lu <lujie54@huawei.com> Acked-by: James Carter <jwcart2@gmail.com>

Add return check for regex_data_create() to avoid NULL reference of regex_data (gdb) bt #0 0x00007fbde5caec14 in pthread_mutex_init () from /usr/lib64/libc.so.6 #1 0x00007fbde5e3a489 in regex_data_create () at regex.c:260 #2 0x00007fbde5e3a4af in regex_prepare_data (regex=regex@entry=0x7fbde4613770, pattern_string=pattern_string@entry=0x563c6799a820 "^/home$", errordata=errordata@entry=0x7ffeb83fa950) at regex.c:76 #3 0x00007fbde5e32fe6 in compile_regex (errbuf=0x0, spec=0x7fbde4613748) at label_file.h:407 #4 lookup_all (key=0x563c679974e5 "/var/log/kadmind.log", type=<optimized out>, partial=partial@entry=false, match_count=match_count@entry=0x0, rec=<optimized out>, rec=<optimized out>) at label_file.c:949 #5 0x00007fbde5e33350 in lookup (rec=<optimized out>, key=<optimized out>, type=<optimized out>) at label_file.c:1092 #6 0x00007fbde5e31878 in selabel_lookup_common (rec=0x563c67998cc0, translating=1, key=<optimized out>, type=<optimized out>) at label.c:167 Signed-off-by: Jie Lu <lujie54@huawei.com> Acked-by: James Carter <jwcart2@gmail.com>

Free the allocated avrule in define_te_avtab_xperms_helper() on failures. Also free the target classes ebitmap on allocation failure. Direct leak of 136 byte(s) in 1 object(s) allocated from: #0 0x49bb5d in __interceptor_malloc (./checkpolicy/checkpolicy+0x49bb5d) SELinuxProject#1 0x4e6eea in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2041:24 SELinuxProject#2 0x4e6eea in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2487:6 SELinuxProject#3 0x4cef0b in yyparse ./checkpolicy/policy_parse.y:494:30 SELinuxProject#4 0x4e0575 in read_source_policy ./checkpolicy/parse_util.c:63:6 SELinuxProject#5 0x4ff121 in main ./checkpolicy/checkpolicy.c:616:7 SELinuxProject#6 0x7fe31628b7ec in __libc_start_main csu/../csu/libc-start.c:332:16 Indirect leak of 32 byte(s) in 1 object(s) allocated from: #0 0x4877b4 in strdup (./checkpolicy/checkpolicy+0x4877b4) SELinuxProject#1 0x4e6fa7 in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2051:28 SELinuxProject#2 0x4e6fa7 in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2487:6 SELinuxProject#3 0x4cef0b in yyparse ./checkpolicy/policy_parse.y:494:30 SELinuxProject#4 0x4e0575 in read_source_policy ./checkpolicy/parse_util.c:63:6 SELinuxProject#5 0x4ff121 in main ./checkpolicy/checkpolicy.c:616:7 SELinuxProject#6 0x7fe31628b7ec in __libc_start_main csu/../csu/libc-start.c:332:16 Indirect leak of 24 byte(s) in 1 object(s) allocated from: #0 0x49bb5d in __interceptor_malloc (./checkpolicy/checkpolicy+0x49bb5d) SELinuxProject#1 0x50f2fa in ebitmap_set_bit ./libsepol/src/ebitmap.c:346:27 SELinuxProject#2 0x4eb632 in set_types ./checkpolicy/policy_define.c SELinuxProject#3 0x4e7055 in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2059:7 SELinuxProject#4 0x4e7055 in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2487:6 SELinuxProject#5 0x4cef0b in yyparse ./checkpolicy/policy_parse.y:494:30 SELinuxProject#6 0x4e0575 in read_source_policy ./checkpolicy/parse_util.c:63:6 SELinuxProject#7 0x4ff121 in main ./checkpolicy/checkpolicy.c:616:7 SELinuxProject#8 0x7fe31628b7ec in __libc_start_main csu/../csu/libc-start.c:332:16 Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

Fixed typo/grammatical error

6d198c0

stephensmalley added a commit that referenced this pull request Feb 12, 2015

Merge pull request #6 from cspeterson/typo

80d7cd3

Fixed typo/grammatical error

stephensmalley merged commit 80d7cd3 into SELinuxProject:master Feb 12, 2015

muyu888 mentioned this pull request Jul 12, 2023

libsepol：The libsepol package detects memory leaks and segmentation errors when tested by OSS-fuzz. #404

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fixed typo/grammatical error #6

Fixed typo/grammatical error #6

cspeterson commented Feb 8, 2015

stephensmalley commented Feb 12, 2015

cspeterson commented Feb 12, 2015 via email

Fixed typo/grammatical error #6

Fixed typo/grammatical error #6

Conversation

cspeterson commented Feb 8, 2015

stephensmalley commented Feb 12, 2015

cspeterson commented Feb 12, 2015 via email