Commit Graph

879 Commits

Author SHA1 Message Date
Christian Göttsche
6bfd1be2c4 libsepol/cil: declare file local functions static
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-04-06 10:47:15 +02:00
Christian Göttsche
c640af424d libsepol: mark immutable common helper parameter const
Make it more obvious which parameters are read-only and not being
modified and allow callers to pass const pointers.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-04-06 10:46:11 +02:00
Christian Göttsche
6359946633 libsepol: mark immutable mls and context parameter const
Make it more obvious which parameters are read-only and not being
modified and allow callers to pass const pointers.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-04-06 10:46:10 +02:00
Christian Göttsche
0233e4f6d5 libsepol: add missing oom checks
Check return values of memory allocation functions and propagate their
failure.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-04-06 10:45:21 +02:00
Christian Göttsche
5d3c4430ee libsepol/cil: silence GCC 12 array-bounds false positive
GCC 12 produces an array-bounds warning:

    In file included from ../include/sepol/policydb/context.h:23,
                     from ../include/sepol/policydb/policydb.h:62,
                     from ../cil/src/cil_binary.c:41:
    In function ‘mls_level_init’,
        inlined from ‘mls_level_destroy’ at ../include/sepol/policydb/mls_types.h:99:2,
        inlined from ‘mls_level_destroy’ at ../include/sepol/policydb/mls_types.h:92:20,
        inlined from ‘mls_range_destroy’ at ../include/sepol/policydb/mls_types.h:149:2,
        inlined from ‘cil_rangetransition_to_policydb’ at ../cil/src/cil_binary.c:3231:6:
    ../include/sepol/policydb/mls_types.h:89:9: error: ‘memset’ offset [0, 23] is out of the bounds [0, 0] [-Werror=array-bounds]
       89 |         memset(level, 0, sizeof(mls_level_t));
          |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ../include/sepol/policydb/mls_types.h:89:9: error: ‘memset’ offset [0, 23] is out of the bounds [0, 0] [-Werror=array-bounds]
    cc1: all warnings being treated as errors

This is a false positive, by inspecting the code and compiling with -O3
and -flto.

Closes: https://github.com/SELinuxProject/selinux/issues/339

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-04-06 10:44:52 +02:00
James Carter
c3f0124b18 libsepol: Validate conditional expressions
When validating a policydb, validate the conditional expressions
including the values of the booleans within them.

Found by oss-fuzz (#45523)

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-03-30 13:43:31 -04:00
James Carter
dfc652f01e libsepol: Use calloc when initializing bool_val_to_struct array
Use calloc() instead of mallocarray() so that everything is
initialized to zero to prevent the use of unitialized memory when
validating malformed binary policies.

Found by oss-fuzz (#45493)

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-03-30 13:43:27 -04:00
James Carter
5456002f1a libsepol/cil: Write a message when a log message is truncated
The MAX_LOG_SIZE is 512. It is possible that a log message could
exceed the max size (such as for neverallowx rules). If so, then
write out "<LOG MESSAGE TRUNCATED>", so that it is obvious that
the log message has been truncated.

Reported-by: Jonathan Hettwer <j2468h@googlemail.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
2022-03-30 13:43:22 -04:00
James Carter
29e610f97a libsepol: Don't write out constraint if it has no permissions
When writing a conf file or CIL policy out from a kernel binary,
do not write out a constraint rule if it has no permissions.

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-03-11 10:19:03 -05:00
James Carter
1f15c62896 libsepol/cil: Don't add constraint if there are no permissions
Since CIL allows permission expressions, it is possible for the
expression to evaluate to no permissions. If this is the case,
then don't add the constraint.

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-03-11 10:19:00 -05:00
Richard Haines
0d84ebcbc4 libsepol: Shorten the policy capability enum names
Shorten "CAPABILITY" to "CAP" following the kernel naming convention.

The SELinux policy capability enum names should now follow the
"POLICYDB_CAP_XXX" format.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-03-11 10:16:15 -05:00
Christian Göttsche
672d8c2c6e libsepol: validate boolean datum arrays
Validate the boolean entries in the policy.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-03-11 10:13:00 -05:00
Christian Göttsche
93ff4ce524 libsepol: reject xperm av rules in conditional statements
Extended permission and neverallow rules are not permitted in
conditional statements.

This causes issues on policy optimization where avtab_search() might
return a non extended permission rule when searching for one.

Found by oss-fuzz (#45327)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-03-11 10:12:56 -05:00
James Carter
5b6e6254b5 libsepol: Do a more thorough validation of constraints
When validating a policydb, do a more thorough validation of the
constraints.
 - No permissions if it is a (mls)validatetrans.
 - Only mlsvalidatetrans can use u3, r3, and t3.
 - Expressions not involving types should have an empty type set.
 - Only "==" and "!=" are allowed when there are names.
 - If names are not used in an expression then both the names bitmap
   and the type set should be empty.
 - Only roles and mls expressions can used "dom", "domby", and "incomp".
 - An mls expression cannot use names.
 - If the expression is "not", "and", or "or", then the names bitmap
   and the type set should be empty.

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-03-11 10:10:53 -05:00
Thiébaud Weksteen
cc1bd5e834 libsepol: fix reallocarray imports
In f0a5f6e, calls to reallocarray were introduced. Ensure that the
correct header (private.h) is included when necessary.

Fixes: f0a5f6e ("libsepol: use reallocarray wrapper to avoid overflows")
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
Acked-by: James Carter <jwcart2@gmail.com>
Test: Built using Android CI (glibc 2.17)
2022-03-11 10:06:54 -05:00
Christian Göttsche
2d35696db3 libsepol: NULL pointer offset fix
On the first loop iteration the variables `r_buf` and `reason_buf_used`
are NULL respective 0.  Please UBSAN by not adding them but instead
directly assign NULL.

    services.c:800:16: runtime error: applying zero offset to null pointer
        #0 0x4d4fce in constraint_expr_eval_reason ./libsepol/src/services.c:800:16
        #1 0x4cf31a in sepol_validate_transition_reason_buffer ./libsepol/src/services.c:1079:8

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-03-03 12:11:34 -05:00
Richard Haines
71bcdcc943 libsepol: Add 'ioctl_skip_cloexec' policy capability
If 'ioctl_skip_cloexec' set, kernel will always allow FIOCLEX and FIONCLEX
ioctls.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2022-03-03 12:10:47 -05:00
Thiébaud Weksteen
c900816e93 libsepol: Populate and use policy name
When an assertion fails, the error message refers to a generic
"policy.conf" file. When parsing a policy in checkpolicy, populate its
name using the original filename (source_filename is still build using
the #line directives within the policy).

Signed-off-by: Thiébaud Weksteen <tweek@google.com>
[Merge conflicts fixed by: James Carter <jwcart2@gmail.com>]
Signed-off-by: James Carter <jwcart2@gmail.com>
2022-02-24 10:44:46 -05:00
James Carter
bc26ddc59c libsepol/cil: Limit the amount of reporting for context rule conflicts
When there are conflicting context rules, the location of the
conflicting rules are written out. If there are many duplicates of
the same context rule, there will be many pairs of conflicts written
out. This hides the fact that all of the rules are the same and can
make it hard to see the different conflicts.

First, since these are warnings and not reported at the default log
verbosity level (which only reports errors), only search for the
locations of the conflicting rules when the verbosity level means
that the warnings will actually be reported.

Second, Report all the duplicate conflicting rules together.

Third, Report the first four conflicts of the same rule if when
the verbosity level is at CIL_WARN ("-v") and report all of them
when the verbosity level is at CIL_INFO or higher ("-v -v").

Fixes problem found by oss-fuzz (#39735)

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-02-24 10:39:45 -05:00
James Carter
c964fe14f4 libsepol/cil: Limit the neverallow violations reported
When there is a neverallow violation, a search is made for all of
the rules that violate the neverallow. The violating rules as well
as their parents are written out to make it easier to find these
rules.

If there is a lot of rules that violate a neverallow, then this
amount of reporting is too much. Instead, only print out the first
four rules (with their parents) that match the violated neverallow
rule along with the total number of rules that violate the
neverallow at the default log level. Report all the violations when
at a higher verbosity level.

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-02-24 10:39:43 -05:00
James Carter
3c45d91cd0 libsepol/cil: Provide more control over reporting bounds failures
Commit 4b2e2a248e (libsepol/cil: Limit
the amount of reporting for bounds failures) limited the number of
bounds failures that were reported to the first two matching rules
for the first two bad rules.

Instead, report the first two matching rules for the first four bad
rules at the default log level and report all matching rules for all
bad rules for higher verbosity levels.

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-02-24 10:39:40 -05:00
James Carter
3ffb84ec9e libsepol/cil: Add cil_get_log_level() function
Add the function cil_get_log_level() that returns the current log
level for CIL.

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-02-24 10:39:37 -05:00
James Carter
71291385cf libsepol: Fix two problems with neverallowxperm reporting
Not all violations of neverallowxperm rules were being reported.
In check_assertion_extended_permissions_avtab(), a break was
performed after finding a match rather than just returning right
away. This means that if other src and tgt pairs were checked
afterward that did not match, then no match would be reported.

Example:
 allow attr attr:CLASS ioctl;
 allowxperm attr attr:CLASS ioctl 0x9401;
 allowxperm t1 self:CLASS ioctl 0x9421;
 neverallowxperm attr self:CLASS ioctl 0x9421;
Would result in no assertion violations being found.

Another problem was that the reporting function did not properly
recognize when there was a valid allowxperm rule and falsely
reported additional violations that did not exist. (There had
to be at least one legitimate violation.)

Using the same example as above (and assuming t1 and t2 both have
attribute attr), the following would be reported as:
  neverallowxperm on line 4 of policy.conf (or line 4 of policy.conf)
  violated by
  allowxperm t1 t1:CLASS ioctl { 0x9421 };

  neverallowxperm on line 4 of policy.conf (or line 4 of policy.conf)
  violated by
  allow t2 t2:CLASS4 { ioctl };

There is no violation for t2 because there is a valid allowxperm
rule for it.

With this patch, only the first error message (which is the correct
one) is printed.

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-02-24 10:38:32 -05:00
James Carter
931380ca2e libsepol: Set args avtab pointer when reporting assertion violations
The changes are the same as in a patch sent by Christian Göttsche
<cgzones@googlemail.com> to support adding not-self to neverallowxperm
checking, but it is needed for normal neverallowxperm checking as well
and the following explanation reflects that.

When reporting neverallowxperm violations, the avtab is searched to
find the rule that violates the assertion. If the avtab pointer of
the args is not set, then it will report the error as if no extended
permissions existed for the source and target (so allowing the ioctl
permission at all violates the neverallowxperm).

Example (where t1 has attribute attr):
  allow attr attr:CLASS ioctl;
  allowxperm attr attr:CLASS ioctl 0x9411;
  neverallowxperm t1 self:CLASS ioctl 0x9411;
Would be reported as:
  neverallowxperm on line 3 of policy.conf (or line 3 of policy.conf)
  violated by
  allow t1 t1:CLASS { ioctl };
Instead of:
  neverallowxperm on line 3 of policy.conf (or line 3 of policy.conf)
  violated by
  allowxperm attr attr:CLASS ioctl { 0x9411 };

Reported-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
2022-02-24 10:38:29 -05:00
James Carter
fb3a383f42 libsepol: The src and tgt must be the same if neverallow uses self
When checking for violations of neverallow rules, if the neverallow
uses self, then the src and tgt must be the same when checking
extended permissions and when reporting violations.

Example:
  allow attr attr : CLASS PERM;
  neverallow attr self : CLASS PERM;

If the types t1 and t2 have attribute attr, then the violations
that would be reported would be:
  allow t1 t1 : CLASS PERM;
  allow t1 t2 : CLASS PERM;
  allow t2 t1 : CLASS PERM;
  allow t2 t2 : CLASS PERM;
instead of:
  allow t1 t1 : CLASS PERM;
  allow t2 t2 : CLASS PERM;

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-02-24 10:38:26 -05:00
James Carter
461067242a libsepol: Make return value clearer when reporting neverallowx errors
The value returned from report_assertion_extended_permissions() is
the nubmer of errors, so call it that instead of ret.

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-02-24 10:38:23 -05:00
James Carter
88c79c6865 libsepol: Refactor match_any_class_permissions() to be clearer
Signed-off-by: James Carter <jwcart2@gmail.com>
2022-02-24 10:38:20 -05:00
James Carter
3b71e51637 libsepol: Make use of previously created ebitmap when checking self
In both check_assertion_extended_permissions() and
report_assertion_avtab_matches(), when checking for a match involving
a rule using self, the matches between the source and target of the
rule being checked are found using ebitmap_and() and then the matches
between that result and the source of the neverallow are found using
another ebitmap_and() call.

Since the matches between the sources of the rule being checked and
the neverallow have already been found, just find the matches between
that result and the target of the rule being checked. This only
requires one call to ebitmap_and() instead of two.

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-02-24 10:38:18 -05:00
James Carter
cfdf4ec289 libsepol: Move assigning outer loop index out of inner loop
Assign value based on outer loop index in the outer loop instead
of the inner loop.

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-02-24 10:38:15 -05:00
James Carter
8f643827b5 libsepol: Remove unnessesary check for matching class
When check_assertion_extended_permissions() is called, it has already
been determined that there is a match, and, since neither the class
nor the permissions are used, there is no need for the check.

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-02-24 10:38:12 -05:00
James Carter
68d32d2c27 libsepol: Use (rc < 0) instead of (rc) when calling ebitmap functions
Inorder to differentiate errors from matches, use "(rc < 0)" when
calling ebitmap_* functions while checking neverallow rules.

Also, just use rc instead of having a separate variable (ret) in
check_assertion_extended_permissions().

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-02-24 10:38:09 -05:00
James Carter
7312d3c66e libsepol: Create function check_assertion_self_match() and use it
Create the function called check_assertion_self_match() and put the
self checking code into it.

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-02-24 10:38:06 -05:00
James Carter
d4456cb4b9 libsepol: Move check of target types to before check for self
If a neverallow has target types as well as using self and a match
is found with the target types, then self does not even need to
be checked, since the rule is already in violation of the assertion.

So move the check for a match of the target types before dealing with
self.

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-02-24 10:38:03 -05:00
James Carter
a9d5688031 libsepol: Use consistent return checking style
In check_assertion_avtab_match(), for the functions that do not return
an error, but only returns 0 or 1 depending on if a match is found,
call the function in an if statement.

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-02-24 10:38:01 -05:00
James Carter
18e1ae1142 libsepol: Check for error from check_assertion_extended_permissions()
Return an error if check_assertion_extended_permissions() returns
an error instead of treating it as an assertion violation.

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-02-24 10:37:53 -05:00
James Carter
a700e426b8 libsepol: Remove uneeded error messages in assertion checking
An out of memory condition is unlikely and the general message
that an error occured while checking neverallows is sufficient.

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-02-24 10:37:50 -05:00
James Carter
c2af8933ef libsepol: Change label in check_assertion_avtab_match()
Change the label name from "exit" to "nomatch' to make it clearer
what is happening.

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-02-24 10:37:47 -05:00
James Carter
521e6ad713 libsepol: Return an error if check_assertion() returns an error.
Instead of calling report_assertion_failures() and treating an
error like it was a neverallow violation, just return an error.

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-02-24 10:37:44 -05:00
Christian Göttsche
ff25475ce7 libsepol: validate several flags
Check the type for type and role sets is valid.

Check the scope of a scope datum is valid.

Check the flavor and flags of a type datum are valid.

Check xperms are set if and only if it is an extended permission avrule.

Check xperms has a valid specified field.

Check the flag of avrule blocks is valid.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-02-18 11:08:54 -05:00
Christian Göttsche
9bee80da00 libsepol: more strict constraint validation
Check the permission bitset in normal constraints is not empty and has
no invalid bits set.

Check the names and type_names members are empty in case they are not
used.

Check the operator and attribute type are not set for simple expression
types.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-02-18 11:08:51 -05:00
Christian Göttsche
496002e7ea libsepol: use correct error type to please UBSAN
The callback function apply in hashtap_map has a return type of int and
can return -1 on error.  Use int as type to save the return value to
avoid implicit conversions:

    hashtab.c:236:10: runtime error: implicit conversion from type 'int' of value -1 (32-bit, signed) to type 'unsigned int' changed the value to 4294967295 (32-bit, unsigned)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-02-18 11:08:48 -05:00
James Carter
86cdb9f119 libsepol/cil: Ensure that the class in a classcommon is a kernel class
Map classes use the same struct as kernel classes, but only the kernel
class uses the pointer to a common class. When resolving a classcommon,
make sure that the class that is found is a kernel class and not a
map class. If not, then return an error.

Found by oss-fuzz (#43209)

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-02-11 14:07:03 -05:00
James Carter
f0823bbbb5 libsepol/cil: Do not resolve names to declarations in abstract blocks
Since abstract blocks will not appear in the final policy, do not
resolve names to a declaration inside one.

When resolving blockabstract rules, they must be collected in a list
and processed at the end of the pass because if a parent block is
marked as abstract, then a blockabstract rule for a sub-block will
fail to resolve.

Found by oss-fuzz (#42981)

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-02-11 14:05:19 -05:00
James Carter
6d783e5bb3 libsepol/cil: Mark as abstract all sub-blocks of an abstract block
If a block is marked as abstract, then it will be skipped during
every pass after blockabstracts are resolved (only tunables,
in-befores, and blockinherits are before blockabstracts), so mark
all of its sub-blocks as abstract to reflect their actual status.

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-02-11 14:05:15 -05:00
James Carter
e6429963eb libsepol/cil: Do not copy blockabstracts when inheriting a block
Do not copy any blockabstract statements when copying a block to
resolve a blockinherit statement. Inheriting a block from what was
just inherited does not work, so there is no reason to create an
abstract block.

Signed-off-by: James Carter <jwcart2@gmail.com>
2022-02-11 14:05:12 -05:00
Christian Göttsche
58443a00db libsepol: do not add gaps to string list
When converting an ebitmap into a string list, skip potential gaps in
ebitmap_to_strs(). All converting functions like strs_to_str(),
strs_write_each() and strs_write_each_indented() do already skip NULL
elements, but sorting such a list will lead to a NULL dereference.

    #0 0x432ce5 in strcmp /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:462:25
    #1 0x4f4893 in strs_cmp selinux/libsepol/src/kernel_to_common.c:258:9
    #2 0x47b74b in qsort_r /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:9994:7
    #3 0x4f481d in strs_sort selinux/libsepol/src/kernel_to_common.c:266:2
    #4 0x4fe781 in attrmap_to_str selinux/libsepol/src/kernel_to_conf.c:1560:2
    #5 0x4fe781 in write_type_attribute_sets_to_conf selinux/libsepol/src/kernel_to_conf.c:1599:11
    #6 0x4f8098 in sepol_kernel_policydb_to_conf selinux/libsepol/src/kernel_to_conf.c:3182:7
    #7 0x4e0277 in LLVMFuzzerTestOneInput selinux/libsepol/fuzz/binpolicy-fuzzer.c:50:9
    #8 0x4d613b in main
    #9 0x7fa2d50260b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
    #10 0x41d4ed in _start

Found by oss-fuzz (#44170)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-02-07 11:14:53 -05:00
Christian Göttsche
7385004162 libsepol: invert only valid range of role bitmap
The length of an ebitmap is the current highest allocated (not set) bit
and always a multiple of MAPTYPE (= 64). The role ebitmap should only
have valid role bits set, even after inverting. The length might be
smaller than the maximum number of defined roles leading to non defined
role bits set afterwards.
Only invert up to the number of roles defined instead the full ebitmap
length, similar to type_set_expand().

This also avoids timeouts on an invalid huge highbit set, since the
ebitmap has not been validated yet, on which inverting will take
excessive amount of memory and time, found by oss-fuzz (#43709).

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-01-27 09:52:10 -05:00
Christian Göttsche
42a8dc46a7 libsepol: handle type gaps
For policy versions between 20 and 23 the type_val_to_struct array might
contain gaps. Skip those gaps to avoid NULL pointer dereferences:

    ==1250==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000058560b bp 0x7ffdca60c110 sp 0x7ffdca60bfc0 T0)
    ==1250==The signal is caused by a READ memory access.
    ==1250==Hint: address points to the zero page.
        #0 0x58560b in build_type_map selinux/libsepol/src/optimize.c:107:33
        #1 0x58560b in policydb_optimize selinux/libsepol/src/optimize.c:441:13
        #2 0x55e63e in LLVMFuzzerTestOneInput selinux/libsepol/fuzz/binpolicy-fuzzer.c:42:10
        #3 0x455283 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp:0
        #4 0x440ec2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
        #5 0x44671c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp:0
        #6 0x46f522 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
        #7 0x7f9c160d00b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
        #8 0x41f67d in _start

Found by oss-fuzz (#42697)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-01-27 09:51:50 -05:00
Christian Göttsche
b8cba274be libsepol: drop trailing newlines in log messages
The default log handler sepol_msg_default_handler() appends a newline
and the majority of log messages do not contain a trailing newline in
the format string.

Fixes: 5c178f9f55 ("libsepol: use logging framework in conditional.c")
Fixes: 852f14d43d ("libsepol: use logging framework in ebitmap.c")

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-01-27 09:51:37 -05:00
Christian Göttsche
f52f5e2715 libsepol: return failure on saturated class name length
Do not return success if the class name length is saturated (or too big
in the fuzzer build).

Fixes: c3d52a6a ("libsepol: check for saturated class name length")

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-01-27 09:51:21 -05:00