libsepol/cil: Check datum in ordered list for expected flavor

The secilc-fuzzer found that an out-of-bounds memory access occurs
when building the binary policy if a map class is included in a
classorder statement.

The order statements in CIL (sidorder, classorder, categoryorder,
and sensitivityorder) are used to specify an ordering for sids,
classes, categories, and sensitivities. When the order statements
are resolved and merged, only in the case of the category order
list is the resolved datum checked to see if it is the expected
flavor.

When resolving the sid, class, and sensitivity order statements,
check that each name resolved to a datum of the expected flavor
and return an error if it does not.

Signed-off-by: James Carter <jwcart2@gmail.com>
James Carter 2021-04-28 16:07:03 -04:00
parent 74d00a8dec
commit d438b6cfb3
1 changed file with 16 additions and 0 deletions


@ -1488,6 +1488,11 @@ int cil_resolve_classorder(struct cil_tree_node *current, void *extra_args)
rc = SEPOL_ERR;
goto exit;
}
if (FLAVOR(datum) != CIL_CLASS) {
cil_log(CIL_ERR, "%s is not a class. Only classes are allowed in classorder statements\n", datum->name);
rc = SEPOL_ERR;
goto exit;
}
cil_list_append(new, CIL_CLASS, datum);
}
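Review bot: no regression test accompanies this fix; the diffstat shows a single file changed, so the fuzzer-found input (a map class named in a classorder statement) is not captured in the secilc test policies. Since the new check is what turns that input into a clean "is not a class" error instead of a bad memory access later, a small test policy that declares a map class, lists it in classorder and is expected to fail to compile would keep this from regressing.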
@ -1526,6 +1531,12 @@ int cil_resolve_sidorder(struct cil_tree_node *current, void *extra_args)
cil_log(CIL_ERR, "Failed to resolve sid %s in sidorder\n", (char *)curr->data);
goto exit;
}
if (FLAVOR(datum) != CIL_SID) {
cil_log(CIL_ERR, "%s is not a sid. Only sids are allowed in sidorder statements\n", datum->name);
rc = SEPOL_ERR;
goto exit;
}
cil_list_append(new, CIL_SID, datum);
}
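Review bot: the five-line flavor check added here is the same block as in cil_resolve_classorder, differing only in the expected flavor (CIL_SID vs CIL_CLASS) and the noun in the message, and the sensitivityorder hunk repeats it a third time. A small static helper taking the datum, the expected flavor and a description string would keep the three error messages consistent and leave one place to update if the check needs to change; as written, the explicit `rc = SEPOL_ERR;` before `goto exit;` is correct, since the resolve-failure path just above relies on the return value of the resolver instead.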
@ -1617,6 +1628,11 @@ int cil_resolve_sensitivityorder(struct cil_tree_node *current, void *extra_args
cil_log(CIL_ERR, "Failed to resolve sensitivty %s in sensitivityorder\n", (char *)curr->data);
goto exit;
}
if (FLAVOR(datum) != CIL_SENS) {
cil_log(CIL_ERR, "%s is not a sensitivity. Only sensitivities are allowed in sensitivityorder statements\n", datum->name);
rc = SEPOL_ERR;
goto exit;
}
cil_list_append(new, CIL_SENS, datum);
}
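Review bot: the unchanged context line just above the new check logs "Failed to resolve sensitivty %s in sensitivityorder", a pre-existing typo ("sensitivty") that could be fixed while this function is being touched, so that both messages in the loop spell the term the same way as the new "Only sensitivities are allowed in sensitivityorder statements" message.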