libsepol: reject invalid class datums

Internally class values are stored in multiple placed in a 16-bit wide integer. Reject class values exceeding the maximum representable value. This avoids truncations in the helper policydb_string_to_security_class(), which gets called before validation of the policy: policydb.c:4082:9: runtime error: implicit conversion from type 'uint32_t' (aka 'unsigned int') of value 2113929220 (32-bit, unsigned) to type 'sepol_security_class_t' (aka 'unsigned short') changed the value to 4 (16-bit, unsigned) Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com>
2023-11-28 19:23:32 +01:00 · 2023-11-28 19:23:32 +01:00 · 68c3a99916
parent 58a444fb84
commit 68c3a99916
2 changed files with 3 additions and 1 deletions
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@ -2255,6 +2255,8 @@ static int class_read(policydb_t * p, hashtab_t h, struct policy_file *fp)

 	len2 = le32_to_cpu(buf[1]);
 	cladatum->s.value = le32_to_cpu(buf[2]);
+	if (cladatum->s.value > UINT16_MAX)
+		goto bad;

 	if (symtab_init(&cladatum->permissions, PERM_SYMTAB_SIZE))
 		goto bad;
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@ -389,7 +389,7 @@ static int validate_common_datum_wrapper(__attribute__((unused)) hashtab_key_t k

 static int validate_class_datum(sepol_handle_t *handle, const class_datum_t *class, validate_t flavors[])
 {
-	if (validate_value(class->s.value, &flavors[SYM_CLASSES]))
+	if (class->s.value > UINT16_MAX || validate_value(class->s.value, &flavors[SYM_CLASSES]))
 		goto bad;
 	if (class->comdatum && validate_common_datum(handle, class->comdatum, flavors))
 		goto bad;