libsepol: validate access vector permissions
Since commit c205b924e2
("libsepol: Fix buffer overflow when using
sepol_av_to_string()") writing an access vector with no valid permission
results in an error instead of an empty string being written.
Validate that at least one permission of an access vector is valid.
There might be invalid bits set, e.g. by previous versions of
checkpolicy setting all bits for the wildcard (*) permission.
Reported-by: oss-fuzz (issue 67730)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
This commit is contained in:
parent
f07fc2a752
commit
8c64e5bb6f
|
@ -876,6 +876,49 @@ static int validate_xperms(const avtab_extended_perms_t *xperms)
|
||||||
bad:
|
bad:
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int perm_match(__attribute__ ((unused)) hashtab_key_t key, hashtab_datum_t datum, void *data)
|
||||||
|
{
|
||||||
|
const uint32_t *v = data;
|
||||||
|
const perm_datum_t *perdatum = datum;
|
||||||
|
|
||||||
|
return *v == perdatum->s.value;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int validate_access_vector(sepol_handle_t *handle, const policydb_t *p, sepol_security_class_t tclass,
|
||||||
|
sepol_access_vector_t av)
|
||||||
|
{
|
||||||
|
const class_datum_t *cladatum = p->class_val_to_struct[tclass - 1];
|
||||||
|
uint32_t i;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check that at least one permission bit is valid.
|
||||||
|
* Older compilers might set invalid bits for the wildcard permission.
|
||||||
|
*/
|
||||||
|
for (i = 0; i < cladatum->permissions.nprim; i++) {
|
||||||
|
if (av & (UINT32_C(1) << i)) {
|
||||||
|
uint32_t v = i + 1;
|
||||||
|
int rc;
|
||||||
|
|
||||||
|
rc = hashtab_map(cladatum->permissions.table, perm_match, &v);
|
||||||
|
if (rc == 1)
|
||||||
|
goto good;
|
||||||
|
|
||||||
|
if (cladatum->comdatum) {
|
||||||
|
rc = hashtab_map(cladatum->comdatum->permissions.table, perm_match, &v);
|
||||||
|
if (rc == 1)
|
||||||
|
goto good;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
ERR(handle, "Invalid access vector");
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
good:
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
static int validate_avtab_key_and_datum(avtab_key_t *k, avtab_datum_t *d, void *args)
|
static int validate_avtab_key_and_datum(avtab_key_t *k, avtab_datum_t *d, void *args)
|
||||||
{
|
{
|
||||||
map_arg_t *margs = args;
|
map_arg_t *margs = args;
|
||||||
|
@ -883,6 +926,16 @@ static int validate_avtab_key_and_datum(avtab_key_t *k, avtab_datum_t *d, void *
|
||||||
if (validate_avtab_key(k, 0, margs->policy, margs->flavors))
|
if (validate_avtab_key(k, 0, margs->policy, margs->flavors))
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
|
if (k->specified & AVTAB_AV) {
|
||||||
|
uint32_t data = d->data;
|
||||||
|
|
||||||
|
if ((0xFFF & k->specified) == AVTAB_AUDITDENY)
|
||||||
|
data = ~data;
|
||||||
|
|
||||||
|
if (validate_access_vector(margs->handle, margs->policy, k->target_class, data))
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
if ((k->specified & AVTAB_TYPE) && validate_simpletype(d->data, margs->policy, margs->flavors))
|
if ((k->specified & AVTAB_TYPE) && validate_simpletype(d->data, margs->policy, margs->flavors))
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
|
@ -915,6 +968,15 @@ static int validate_cond_av_list(sepol_handle_t *handle, const cond_av_list_t *c
|
||||||
|
|
||||||
if (validate_avtab_key(key, 1, p, flavors))
|
if (validate_avtab_key(key, 1, p, flavors))
|
||||||
goto bad;
|
goto bad;
|
||||||
|
if (key->specified & AVTAB_AV) {
|
||||||
|
uint32_t data = datum->data;
|
||||||
|
|
||||||
|
if ((0xFFF & key->specified) == AVTAB_AUDITDENY)
|
||||||
|
data = ~data;
|
||||||
|
|
||||||
|
if (validate_access_vector(handle, p, key->target_class, data))
|
||||||
|
goto bad;
|
||||||
|
}
|
||||||
if ((key->specified & AVTAB_TYPE) && validate_simpletype(datum->data, p, flavors))
|
if ((key->specified & AVTAB_TYPE) && validate_simpletype(datum->data, p, flavors))
|
||||||
goto bad;
|
goto bad;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue