Skip to content

Commit

Permalink
libsepol: reject abnormal huge sid ids
Browse files Browse the repository at this point in the history 
Check if the sid value is saturated to guard dependent allocations.

    ==19967== ERROR: libFuzzer: out-of-memory (malloc(7784628224))
        #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
        SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
        SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
        SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
        SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
        SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
        SELinuxProject#6 0x4aabe3 in __asan::Allocator::Reallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aabe3)
        SELinuxProject#7 0x4aaa32 in __asan::asan_reallocarray(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aaa32)
        SELinuxProject#8 0x525f8e in __interceptor_reallocarray (./out/binpolicy-fuzzer+0x525f8e)
        SELinuxProject#9 0x5ebad3 in strs_add_at_index ./libsepol/src/kernel_to_common.c:224:9
        SELinuxProject#10 0x5680eb in write_sids_to_conf ./libsepol/src/kernel_to_conf.c:466:8
        SELinuxProject#11 0x55c1c0 in write_sid_decl_rules_to_conf ./libsepol/src/kernel_to_conf.c:498:8
        SELinuxProject#12 0x55ad36 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3083:7
        SELinuxProject#13 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9
        SELinuxProject#14 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
        SELinuxProject#15 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
        SELinuxProject#16 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
        SELinuxProject#17 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
        SELinuxProject#18 0x7f085ac657ec in __libc_start_main csu/../csu/libc-start.c:332:16
        SELinuxProject#19 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  • Loading branch information
@cgzones
cgzones committed Oct 9, 2021
1 parent b8c2ff2 commit cdc61ba
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions libsepol/src/policydb.c
View file
Expand Up @@ -2921,6 +2921,8 @@ static int ocontext_read_xen(const struct policydb_compat_info *info,
if (rc < 0)
return -1;
c->sid[0] = le32_to_cpu(buf[0]);
if (is_saturated(c->sid[0]))
return -1;
if (context_read_and_validate
(&c->context[0], p, fp))
return -1;
Expand Down Expand Up @@ -3032,6 +3034,8 @@ static int ocontext_read_selinux(const struct policydb_compat_info *info,
if (rc < 0)
return -1;
c->sid[0] = le32_to_cpu(buf[0]);
if (is_saturated(c->sid[0]))
return -1;
if (context_read_and_validate
(&c->context[0], p, fp))
return -1;
Expand Down

0 comments on commit cdc61ba

Please sign in to comment.