libsepol: Validate conditional expressions

When validating a policydb, validate the conditional expressions including the values of the booleans within them. Found by oss-fuzz (#45523) Signed-off-by: James Carter <jwcart2@gmail.com>
2025-01-01 11:12:08 +00:00 · 2022-03-16 16:15:57 -04:00 · 2022-03-16 16:15:57 -04:00 · c3f0124b18
commit c3f0124b18
parent dfc652f01e
1 changed files with 43 additions and 0 deletions
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@ -881,9 +881,52 @@ bad:
 	return -1;
 }

+static int validate_cond_expr(sepol_handle_t *handle, struct cond_expr *expr, validate_t *bool)
+{
+	int depth = -1;
+
+	for (; expr; expr = expr->next) {
+		switch(expr->expr_type) {
+		case COND_BOOL:
+			if (validate_value(expr->bool, bool))
+				goto bad;
+			if (depth == (COND_EXPR_MAXDEPTH - 1))
+				goto bad;
+			depth++;
+			break;
+		case COND_NOT:
+			if (depth < 0)
+				goto bad;
+			break;
+		case COND_OR:
+		case COND_AND:
+		case COND_XOR:
+		case COND_EQ:
+		case COND_NEQ:
+			if (depth < 1)
+				goto bad;
+			depth--;
+			break;
+		default:
+			goto bad;
+		}
+	}
+
+	if (depth != 0)
+		goto bad;
+
+	return 0;
+
+bad:
+	ERR(handle, "Invalid cond expression");
+	return -1;
+}
+
 static int validate_cond_list(sepol_handle_t *handle, cond_list_t *cond, validate_t flavors[])
 {
 	for (; cond; cond = cond->next) {
+		if (validate_cond_expr(handle, cond->expr, &flavors[SYM_BOOLS]))
+			goto bad;
 		if (validate_cond_av_list(handle, cond->true_list, flavors))
 			goto bad;
 		if (validate_cond_av_list(handle, cond->false_list, flavors))