From c33c9a5941e2690bd65b4355b9a7ee699f2268b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Wed, 9 Aug 2023 19:59:11 +0200 Subject: [PATCH] [DO NOT MERGE] please pedantic UBSAN --- libselinux/src/Makefile | 2 +- libselinux/src/label.c | 7 +++++-- libselinux/src/label_file.c | 3 ++- libselinux/src/sha1.c | 7 +++++++ libsemanage/src/Makefile | 2 +- libsepol/src/Makefile | 2 +- policycoreutils/setfiles/restore.c | 2 +- 7 files changed, 18 insertions(+), 7 deletions(-) diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index 86a254dad8..68e709f18c 100644 --- a/libselinux/src/Makefile +++ b/libselinux/src/Makefile @@ -89,7 +89,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissi -Werror -Wno-aggregate-return \ $(EXTRA_CFLAGS) -LD_SONAME_FLAGS=-soname,$(LIBSO),--version-script=libselinux.map,-z,defs,-z,relro +LD_SONAME_FLAGS=-soname,$(LIBSO),--version-script=libselinux.map,-z,relro ifeq ($(OS), Darwin) override CFLAGS += -I/opt/local/include diff --git a/libselinux/src/label.c b/libselinux/src/label.c index 1ea9bdcd37..16c5c0a32e 100644 --- a/libselinux/src/label.c +++ b/libselinux/src/label.c @@ -60,7 +60,8 @@ static inline struct selabel_digest *selabel_is_digest_set { struct selabel_digest *digest = NULL; - while (n--) { + while (n) { + n--; if (opts[n].type == SELABEL_OPT_DIGEST && opts[n].value == (char *)1) { digest = calloc(1, sizeof(*digest)); @@ -112,9 +113,11 @@ static void selabel_digest_fini(struct selabel_digest *ptr) static inline int selabel_is_validate_set(const struct selinux_opt *opts, unsigned n) { - while (n--) + while (n) { + n--; if (opts[n].type == SELABEL_OPT_VALIDATE) return !!opts[n].value; + } return 0; } diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c index ffbcad2fb7..42bcbbf033 100644 --- a/libselinux/src/label_file.c +++ b/libselinux/src/label_file.c @@ -1173,7 +1173,8 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts, int status = -1, baseonly = 0; /* Process arguments */ - while (n--) { + while (n) { + n--; switch(opts[n].type) { case SELABEL_OPT_PATH: path = opts[n].value; diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c index 9d51e04ac3..8e720e8cd5 100644 --- a/libselinux/src/sha1.c +++ b/libselinux/src/sha1.c @@ -62,6 +62,13 @@ typedef union // // Hash a single 512-bit block. This is the core of the algorithm /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +#if defined(__clang__) && defined(__clang_major__) && (__clang_major__ >= 4) +#if (__clang_major__ >= 12) +__attribute__((no_sanitize("unsigned-integer-overflow", "unsigned-shift-base"))) +#else +__attribute__((no_sanitize("unsigned-integer-overflow"))) +#endif +#endif static void TransformFunction diff --git a/libsemanage/src/Makefile b/libsemanage/src/Makefile index 589e4a706b..c35d119245 100644 --- a/libsemanage/src/Makefile +++ b/libsemanage/src/Makefile @@ -90,7 +90,7 @@ $(LIBA): $(OBJS) $(RANLIB) $@ $(LIBSO): $(LOBJS) - $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -lsepol -laudit -lselinux -lbz2 -Wl,-soname,$(LIBSO),--version-script=libsemanage.map,-z,defs + $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -lsepol -laudit -lselinux -lbz2 -Wl,-soname,$(LIBSO),--version-script=libsemanage.map ln -sf $@ $(TARGET) $(LIBPC): $(LIBPC).in ../VERSION diff --git a/libsepol/src/Makefile b/libsepol/src/Makefile index 13410c6726..025ba06eac 100644 --- a/libsepol/src/Makefile +++ b/libsepol/src/Makefile @@ -35,7 +35,7 @@ ifeq (yes,$(shell printf '${H}define _GNU_SOURCE\n${H}include \nint ma override CFLAGS += -DHAVE_REALLOCARRAY endif -LD_SONAME_FLAGS=-soname,$(LIBSO),--version-script=$(LIBMAP),-z,defs +LD_SONAME_FLAGS=-soname,$(LIBSO),--version-script=$(LIBMAP) LN=ln OS := $(shell uname) diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c index 6131f46a75..9d7efd651f 100644 --- a/policycoreutils/setfiles/restore.c +++ b/policycoreutils/setfiles/restore.c @@ -88,7 +88,7 @@ int process_glob(char *name, struct restore_opts *opts, size_t nthreads, return errors; for (i = 0; i < globbuf.gl_pathc; i++) { - len = strlen(globbuf.gl_pathv[i]) - 2; + len = (int)strlen(globbuf.gl_pathv[i]) - 2; if (len > 0 && strcmp(&globbuf.gl_pathv[i][len--], "/.") == 0) continue; if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0)