libsepol/cil: do not allow \0 in quoted strings

Using the '\0' character in strings in a CIL policy is not expected to happen, and makes the flex tokenizer very slow. For example when generating a file with: python -c 'print("\"" + "\0"*100000 + "\"")' > policy.cil secilc fails after 26 seconds, on my desktop computer. Increasing the numbers of \0 makes this time increase significantly. But replacing \0 with another character makes secilc fail in only few milliseconds. Fix this "possible denial of service" issue by forbidding \0 in strings in CIL policies. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36016 Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2025-01-02 11:42:05 +00:00 · 2021-07-12 10:44:28 +02:00 · 2021-07-12 10:44:28 +02:00 · af29a23553
commit af29a23553
parent 8470058934
1 changed files with 1 additions and 1 deletions
--- a/libsepol/cil/src/cil_lexer.l
+++ b/libsepol/cil/src/cil_lexer.l
@ -49,7 +49,7 @@ spec_char	[\[\]\.\@\=\/\*\-\_\$\%\+\-\!\|\&\^\:\~\`\#\{\}\'\<\>\?\,]
 symbol		({digit}|{alpha}|{spec_char})+
 white		[ \t]
 newline		[\n\r]
-qstring		\"[^"\n]*\"
+qstring		\"[^"\n\0]*\"
 hll_lm          ^;;\*
 comment		;