libsepol/cil: fix NULL pointer dereference with empty macro argument

OSS-Fuzz found a Null-dereference READ in the CIL compiler when trying to compile the following policy: (macro m((name n))) (call m(())) When calling the macro, the name (in variable "pc") is NULL, which triggers a NULL pointer dereference when using it as a key in __cil_insert_name(). The stack trace is: #0 0x7f4662655a85 in __strlen_avx2 (/usr/lib/libc.so.6+0x162a85) SELinuxProject#1 0x556d0b6d150c in __interceptor_strlen.part.0 (/selinux/libsepol/fuzz/fuzz-secilc+0x44850c) SELinuxProject#2 0x556d0ba74ed6 in symhash /selinux/libsepol/src/symtab.c:22:9 SELinuxProject#3 0x556d0b9ef50d in hashtab_search /selinux/libsepol/src/hashtab.c:186:11 SELinuxProject#4 0x556d0b928e1f in cil_symtab_get_datum /selinux/libsepol/src/../cil/src/cil_symtab.c:121:37 SELinuxProject#5 0x556d0b8f28f4 in __cil_insert_name /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:96:2 SELinuxProject#6 0x556d0b908184 in cil_resolve_call1 /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:2835:12 SELinuxProject#7 0x556d0b91b404 in __cil_resolve_ast_node /selinux/libsepol/src/../cil/src/cil_resolve_ast.c SELinuxProject#8 0x556d0b91380f in __cil_resolve_ast_node_helper /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:3773:7 SELinuxProject#9 0x556d0b932230 in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:263:9 SELinuxProject#10 0x556d0b932230 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:307:7 SELinuxProject#11 0x556d0b932326 in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:275:9 SELinuxProject#12 0x556d0b932326 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:307:7 SELinuxProject#13 0x556d0b911189 in cil_resolve_ast /selinux/libsepol/src/../cil/src/cil_resolve_ast.c:3941:8 SELinuxProject#14 0x556d0b798729 in cil_compile /selinux/libsepol/src/../cil/src/cil.c:550:7 Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28544 Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
fishilico · Feb 5, 2021 · a603969 · a603969
1 parent af1dcc2
commit a603969
Showing 1 changed file with 79 additions and 0 deletions.
diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
@@ -2828,6 +2828,12 @@ int cil_resolve_call1(struct cil_tree_node *current, void *extra_args)
 			switch (flavor) {
 			case CIL_NAME: {
 				struct cil_name *name;
+				if (pc->data == NULL) {
+					cil_tree_log(current, CIL_ERR, "Invalid macro parameter");
+					cil_destroy_args(new_arg);
+					rc = SEPOL_ERR;
+					goto exit;
+				}
 				name = __cil_insert_name(args->db, pc->data, current);
 				if (name != NULL) {
 					new_arg->arg = (struct cil_symtab_datum *)name;
@@ -2837,21 +2843,57 @@ int cil_resolve_call1(struct cil_tree_node *current, void *extra_args)
 			}
 				break;
 			case CIL_TYPE:
+				if (pc->data == NULL) {
+					cil_tree_log(current, CIL_ERR, "Invalid macro parameter");
+					cil_destroy_args(new_arg);
+					rc = SEPOL_ERR;
+					goto exit;
+				}
 				new_arg->arg_str = pc->data;
 				break;
 			case CIL_ROLE:
+				if (pc->data == NULL) {
+					cil_tree_log(current, CIL_ERR, "Invalid macro parameter");
+					cil_destroy_args(new_arg);
+					rc = SEPOL_ERR;
+					goto exit;
+				}
 				new_arg->arg_str = pc->data;
 				break;
 			case CIL_USER:
+				if (pc->data == NULL) {
+					cil_tree_log(current, CIL_ERR, "Invalid macro parameter");
+					cil_destroy_args(new_arg);
+					rc = SEPOL_ERR;
+					goto exit;
+				}
 				new_arg->arg_str = pc->data;
 				break;
 			case CIL_SENS:
+				if (pc->data == NULL) {
+					cil_tree_log(current, CIL_ERR, "Invalid macro parameter");
+					cil_destroy_args(new_arg);
+					rc = SEPOL_ERR;
+					goto exit;
+				}
 				new_arg->arg_str = pc->data;
 				break;
 			case CIL_CAT:
+				if (pc->data == NULL) {
+					cil_tree_log(current, CIL_ERR, "Invalid macro parameter");
+					cil_destroy_args(new_arg);
+					rc = SEPOL_ERR;
+					goto exit;
+				}
 				new_arg->arg_str = pc->data;
 				break;
 			case CIL_BOOL:
+				if (pc->data == NULL) {
+					cil_tree_log(current, CIL_ERR, "Invalid macro parameter");
+					cil_destroy_args(new_arg);
+					rc = SEPOL_ERR;
+					goto exit;
+				}
 				new_arg->arg_str = pc->data;
 				break;
 			case CIL_CATSET: {
@@ -2871,6 +2913,11 @@ int cil_resolve_call1(struct cil_tree_node *current, void *extra_args)
 					cil_list_append(((struct cil_symtab_datum*)catset)->nodes,
 									CIL_LIST_ITEM, cat_node);
 					new_arg->arg = (struct cil_symtab_datum*)catset;
+				} else if (pc->data == NULL) {
+					cil_tree_log(current, CIL_ERR, "Invalid macro parameter");
+					cil_destroy_args(new_arg);
+					rc = SEPOL_ERR;
+					goto exit;
 				} else {
 					new_arg->arg_str = pc->data;
 				}
@@ -2896,6 +2943,11 @@ int cil_resolve_call1(struct cil_tree_node *current, void *extra_args)
 					cil_list_append(((struct cil_symtab_datum*)level)->nodes, 
 									CIL_LIST_ITEM, lvl_node);
 					new_arg->arg = (struct cil_symtab_datum*)level;
+				} else if (pc->data == NULL) {
+					cil_tree_log(current, CIL_ERR, "Invalid macro parameter");
+					cil_destroy_args(new_arg);
+					rc = SEPOL_ERR;
+					goto exit;
 				} else {
 					new_arg->arg_str = pc->data;
 				}
@@ -2921,6 +2973,11 @@ int cil_resolve_call1(struct cil_tree_node *current, void *extra_args)
 					cil_list_append(((struct cil_symtab_datum*)range)->nodes, 
 									CIL_LIST_ITEM, range_node);
 					new_arg->arg = (struct cil_symtab_datum*)range;
+				} else if (pc->data == NULL) {
+					cil_tree_log(current, CIL_ERR, "Invalid macro parameter");
+					cil_destroy_args(new_arg);
+					rc = SEPOL_ERR;
+					goto exit;
 				} else {
 					new_arg->arg_str = pc->data;
 				}
@@ -2946,16 +3003,33 @@ int cil_resolve_call1(struct cil_tree_node *current, void *extra_args)
 					cil_list_append(((struct cil_symtab_datum*)ipaddr)->nodes,
 									CIL_LIST_ITEM, addr_node);
 					new_arg->arg = (struct cil_symtab_datum*)ipaddr;
+				} else if (pc->data == NULL) {
+					cil_tree_log(current, CIL_ERR, "Invalid macro parameter");
+					cil_destroy_args(new_arg);
+					rc = SEPOL_ERR;
+					goto exit;
 				} else {
 					new_arg->arg_str = pc->data;
 				}
 
 				break;
 			}
 			case CIL_CLASS:
+				if (pc->data == NULL) {
+					cil_tree_log(current, CIL_ERR, "Invalid macro parameter");
+					cil_destroy_args(new_arg);
+					rc = SEPOL_ERR;
+					goto exit;
+				}
 				new_arg->arg_str = pc->data;
 				break;
 			case CIL_MAP_CLASS:
+				if (pc->data == NULL) {
+					cil_tree_log(current, CIL_ERR, "Invalid macro parameter");
+					cil_destroy_args(new_arg);
+					rc = SEPOL_ERR;
+					goto exit;
+				}
 				new_arg->arg_str = pc->data;
 				break;
 			case CIL_CLASSPERMISSION: {
@@ -2976,6 +3050,11 @@ int cil_resolve_call1(struct cil_tree_node *current, void *extra_args)
 					cp_node->data = cp;
 					cil_list_append(cp->datum.nodes, CIL_LIST_ITEM, cp_node);
 					new_arg->arg = (struct cil_symtab_datum*)cp;
+				} else if (pc->data == NULL) {
+					cil_tree_log(current, CIL_ERR, "Invalid macro parameter");
+					cil_destroy_args(new_arg);
+					rc = SEPOL_ERR;
+					goto exit;
 				} else {
 					new_arg->arg_str = pc->data;
 				}