* [PATCH 1/6] checkpolicy: include <ctype.h> for isprint(3)
@ 2024-04-02 15:29 Christian Göttsche
2024-04-02 15:29 ` [PATCH 2/6] checkpolicy/fuzz: override YY_FATAL_ERROR Christian Göttsche
` (5 more replies)
0 siblings, 6 replies; 8+ messages in thread
From: Christian Göttsche @ 2024-04-02 15:29 UTC (permalink / raw
To: selinux; +Cc: Christian Göttsche
From: Christian Göttsche <cgzones@googlemail.com>
Include the necessary header for isprint(3) to avoid an implicit
function declaration:
policy_scan.l: In function ‘yyerror’:
policy_scan.l:342:13: warning: implicit declaration of function ‘isprint’ [-Wimplicit-function-declaration]
342 | if (isprint((unsigned char)yytext[0])) {
| ^~~~~~~
policy_scan.l:36:1: note: include ‘<ctype.h>’ or provide a declaration of ‘isprint’
35 | #include "y.tab.h"
+++ |+#include <ctype.h>
36 | #endif
This does not currently break the build cause -Werror is stripped for
the parsing code to avoid breakage on old flex/bison versions that might
not generate warning free code.
Fixes: 39b3cc51350a ("checkpolicy: handle unprintable token")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
checkpolicy/policy_scan.l | 1 +
1 file changed, 1 insertion(+)
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
index d7cf2896..62f28c11 100644
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
@@ -22,6 +22,7 @@
%{
#include <sys/types.h>
+#include <ctype.h>
#include <limits.h>
#include <stdint.h>
#include <string.h>
--
2.43.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 2/6] checkpolicy/fuzz: override YY_FATAL_ERROR
2024-04-02 15:29 [PATCH 1/6] checkpolicy: include <ctype.h> for isprint(3) Christian Göttsche
@ 2024-04-02 15:29 ` Christian Göttsche
2024-04-02 15:29 ` [PATCH 3/6] libsepol: validate access vector permissions Christian Göttsche
` (4 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Christian Göttsche @ 2024-04-02 15:29 UTC (permalink / raw
To: selinux; +Cc: Christian Göttsche
From: Christian Göttsche <cgzones@googlemail.com>
The default action of the lexer macro YY_FATAL_ERROR(msg) is to print
the message and call exit(). This might happen on an overlong token
(8192 bytes) that does not fit into the token buffer.
Fuzz targets must not call exit() though, since an exit is treated as an
abnormal behavior, see https://llvm.org/docs/LibFuzzer.html#fuzz-target.
Since YY_FATAL_ERROR is used in functions with different return value
types and is expected to not return, jump to a location in the fuzzer
right before yyparse() instead.
Reported-by: oss-fuzz (issue 67728)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
checkpolicy/fuzz/checkpolicy-fuzzer.c | 9 +++++++++
checkpolicy/policy_scan.l | 15 +++++++++++++++
2 files changed, 24 insertions(+)
diff --git a/checkpolicy/fuzz/checkpolicy-fuzzer.c b/checkpolicy/fuzz/checkpolicy-fuzzer.c
index ab1a6bb8..6c5ce02f 100644
--- a/checkpolicy/fuzz/checkpolicy-fuzzer.c
+++ b/checkpolicy/fuzz/checkpolicy-fuzzer.c
@@ -1,4 +1,5 @@
#include <assert.h>
+#include <setjmp.h>
#include <unistd.h>
#include <sys/mman.h>
@@ -30,6 +31,7 @@ extern void yyrestart(FILE *);
extern int yylex_destroy(void);
extern void set_source_file(const char *name);
+jmp_buf fuzzing_pre_parse_stack_state;
// Set to 1 for verbose libsepol logging
#define VERBOSE 0
@@ -99,6 +101,13 @@ static int read_source_policy(policydb_t *p, const uint8_t *data, size_t size)
init_parser(1);
+ if (!setjmp(fuzzing_pre_parse_stack_state)) {
+ queue_destroy(id_queue);
+ fclose(yyin);
+ yylex_destroy();
+ return -1;
+ }
+
rc = yyparse();
// TODO: drop global variable policydb_errors if proven to be redundant
assert(rc || !policydb_errors);
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
index 62f28c11..e46677a8 100644
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
@@ -41,6 +41,21 @@ int werror = 0;
int yyerror(const char *msg);
int yywarn(const char *msg);
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+/*
+ * Version that does not exit, like yy_fatal_error(),
+ * since fuzz targets must not call exit().
+ */
+#include <setjmp.h>
+extern jmp_buf fuzzing_pre_parse_stack_state;
+void yyfatal(const char *msg)
+{
+ yyerror(msg);
+ longjmp(fuzzing_pre_parse_stack_state, 1);
+}
+#define YY_FATAL_ERROR(msg) yyfatal(msg)
+#endif
+
void set_source_file(const char *name);
char source_file[PATH_MAX];
--
2.43.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 3/6] libsepol: validate access vector permissions
2024-04-02 15:29 [PATCH 1/6] checkpolicy: include <ctype.h> for isprint(3) Christian Göttsche
2024-04-02 15:29 ` [PATCH 2/6] checkpolicy/fuzz: override YY_FATAL_ERROR Christian Göttsche
@ 2024-04-02 15:29 ` Christian Göttsche
2024-04-02 15:29 ` [PATCH 4/6] checkpolicy: drop never read member Christian Göttsche
` (3 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Christian Göttsche @ 2024-04-02 15:29 UTC (permalink / raw
To: selinux; +Cc: Christian Göttsche
From: Christian Göttsche <cgzones@googlemail.com>
Since commit c205b924e280 ("libsepol: Fix buffer overflow when using
sepol_av_to_string()") writing an access vector with no valid permission
results in an error instead of an empty string being written.
Validate that at least one permission of an access vector is valid.
There might be invalid bits set, e.g. by previous versions of
checkpolicy setting all bits for the wildcard (*) permission.
Reported-by: oss-fuzz (issue 67730)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
libsepol/src/policydb_validate.c | 62 ++++++++++++++++++++++++++++++++
1 file changed, 62 insertions(+)
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index e987d8da..c4f8c300 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -876,6 +876,49 @@ static int validate_xperms(const avtab_extended_perms_t *xperms)
bad:
return -1;
}
+
+static int perm_match(__attribute__ ((unused)) hashtab_key_t key, hashtab_datum_t datum, void *data)
+{
+ const uint32_t *v = data;
+ const perm_datum_t *perdatum = datum;
+
+ return *v == perdatum->s.value;
+}
+
+static int validate_access_vector(sepol_handle_t *handle, const policydb_t *p, sepol_security_class_t tclass,
+ sepol_access_vector_t av)
+{
+ const class_datum_t *cladatum = p->class_val_to_struct[tclass - 1];
+ uint32_t i;
+
+ /*
+ * Check that at least one permission bit is valid.
+ * Older compilers might set invalid bits for the wildcard permission.
+ */
+ for (i = 0; i < cladatum->permissions.nprim; i++) {
+ if (av & (UINT32_C(1) << i)) {
+ uint32_t v = i + 1;
+ int rc;
+
+ rc = hashtab_map(cladatum->permissions.table, perm_match, &v);
+ if (rc == 1)
+ goto good;
+
+ if (cladatum->comdatum) {
+ rc = hashtab_map(cladatum->comdatum->permissions.table, perm_match, &v);
+ if (rc == 1)
+ goto good;
+ }
+ }
+ }
+
+ ERR(handle, "Invalid access vector");
+ return -1;
+
+good:
+ return 0;
+}
+
static int validate_avtab_key_and_datum(avtab_key_t *k, avtab_datum_t *d, void *args)
{
map_arg_t *margs = args;
@@ -883,6 +926,16 @@ static int validate_avtab_key_and_datum(avtab_key_t *k, avtab_datum_t *d, void *
if (validate_avtab_key(k, 0, margs->policy, margs->flavors))
return -1;
+ if (k->specified & AVTAB_AV) {
+ uint32_t data = d->data;
+
+ if ((0xFFF & k->specified) == AVTAB_AUDITDENY)
+ data = ~data;
+
+ if (validate_access_vector(margs->handle, margs->policy, k->target_class, data))
+ return -1;
+ }
+
if ((k->specified & AVTAB_TYPE) && validate_simpletype(d->data, margs->policy, margs->flavors))
return -1;
@@ -915,6 +968,15 @@ static int validate_cond_av_list(sepol_handle_t *handle, const cond_av_list_t *c
if (validate_avtab_key(key, 1, p, flavors))
goto bad;
+ if (key->specified & AVTAB_AV) {
+ uint32_t data = datum->data;
+
+ if ((0xFFF & key->specified) == AVTAB_AUDITDENY)
+ data = ~data;
+
+ if (validate_access_vector(handle, p, key->target_class, data))
+ goto bad;
+ }
if ((key->specified & AVTAB_TYPE) && validate_simpletype(datum->data, p, flavors))
goto bad;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 4/6] checkpolicy: drop never read member
2024-04-02 15:29 [PATCH 1/6] checkpolicy: include <ctype.h> for isprint(3) Christian Göttsche
2024-04-02 15:29 ` [PATCH 2/6] checkpolicy/fuzz: override YY_FATAL_ERROR Christian Göttsche
2024-04-02 15:29 ` [PATCH 3/6] libsepol: validate access vector permissions Christian Göttsche
@ 2024-04-02 15:29 ` Christian Göttsche
2024-04-02 15:29 ` [PATCH 5/6] checkpolicy: drop union stack_item_u Christian Göttsche
` (2 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Christian Göttsche @ 2024-04-02 15:29 UTC (permalink / raw
To: selinux; +Cc: Christian Göttsche
From: Christian Göttsche <cgzones@googlemail.com>
The struct scope_stack member child is never read, drop it.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
checkpolicy/module_compiler.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c
index 6ff91b8f..e25a77b4 100644
--- a/checkpolicy/module_compiler.c
+++ b/checkpolicy/module_compiler.c
@@ -34,7 +34,7 @@ typedef struct scope_stack {
avrule_t *last_avrule;
int in_else; /* if in an avrule block, within ELSE branch */
int require_given; /* 1 if this block had at least one require */
- struct scope_stack *parent, *child;
+ struct scope_stack *parent;
} scope_stack_t;
extern policydb_t *policydbp;
@@ -1478,7 +1478,6 @@ static int push_stack(int stack_type, ...)
}
va_end(ap);
s->parent = stack_top;
- s->child = NULL;
stack_top = s;
return 0;
}
@@ -1490,9 +1489,6 @@ static void pop_stack(void)
scope_stack_t *parent;
assert(stack_top != NULL);
parent = stack_top->parent;
- if (parent != NULL) {
- parent->child = NULL;
- }
free(stack_top);
stack_top = parent;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 5/6] checkpolicy: drop union stack_item_u
2024-04-02 15:29 [PATCH 1/6] checkpolicy: include <ctype.h> for isprint(3) Christian Göttsche
` (2 preceding siblings ...)
2024-04-02 15:29 ` [PATCH 4/6] checkpolicy: drop never read member Christian Göttsche
@ 2024-04-02 15:29 ` Christian Göttsche
2024-04-02 15:29 ` [PATCH 6/6] checkpolicy: free complete role_allow_rule on error Christian Göttsche
2024-04-03 19:35 ` [PATCH 1/6] checkpolicy: include <ctype.h> for isprint(3) James Carter
5 siblings, 0 replies; 8+ messages in thread
From: Christian Göttsche @ 2024-04-02 15:29 UTC (permalink / raw
To: selinux; +Cc: Christian Göttsche
From: Christian Göttsche <cgzones@googlemail.com>
The union stack_item_u is only used as a member in struct scope_stack,
but actually never used.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
checkpolicy/module_compiler.c | 12 +++---------
1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c
index e25a77b4..4efd77bf 100644
--- a/checkpolicy/module_compiler.c
+++ b/checkpolicy/module_compiler.c
@@ -21,14 +21,8 @@
#include "queue.h"
#include "module_compiler.h"
-union stack_item_u {
- avrule_block_t *avrule;
- cond_list_t *cond_list;
-};
-
typedef struct scope_stack {
- union stack_item_u u;
- int type; /* for above union: 1 = avrule block, 2 = conditional */
+ int type; /* 1 = avrule block, 2 = conditional */
avrule_decl_t *decl; /* if in an avrule block, which
* declaration is current */
avrule_t *last_avrule;
@@ -1464,12 +1458,12 @@ static int push_stack(int stack_type, ...)
va_start(ap, stack_type);
switch (s->type = stack_type) {
case 1:{
- s->u.avrule = va_arg(ap, avrule_block_t *);
+ va_arg(ap, avrule_block_t *);
s->decl = va_arg(ap, avrule_decl_t *);
break;
}
case 2:{
- s->u.cond_list = va_arg(ap, cond_list_t *);
+ va_arg(ap, cond_list_t *);
break;
}
default:
--
2.43.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 6/6] checkpolicy: free complete role_allow_rule on error
2024-04-02 15:29 [PATCH 1/6] checkpolicy: include <ctype.h> for isprint(3) Christian Göttsche
` (3 preceding siblings ...)
2024-04-02 15:29 ` [PATCH 5/6] checkpolicy: drop union stack_item_u Christian Göttsche
@ 2024-04-02 15:29 ` Christian Göttsche
2024-04-03 19:35 ` [PATCH 1/6] checkpolicy: include <ctype.h> for isprint(3) James Carter
5 siblings, 0 replies; 8+ messages in thread
From: Christian Göttsche @ 2024-04-02 15:29 UTC (permalink / raw
To: selinux; +Cc: Christian Göttsche
From: Christian Göttsche <cgzones@googlemail.com>
Free the ebitmaps inside the rolesets on error.
Reported-by: oss-fuzz (issue 67769)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
checkpolicy/policy_define.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 4fc6c417..1c019a3b 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -3186,6 +3186,7 @@ int define_role_allow(void)
while ((id = queue_remove(id_queue))) {
if (set_roles(&ra->roles, id)) {
+ role_allow_rule_destroy(ra);
free(ra);
return -1;
}
@@ -3193,6 +3194,7 @@ int define_role_allow(void)
while ((id = queue_remove(id_queue))) {
if (set_roles(&ra->new_roles, id)) {
+ role_allow_rule_destroy(ra);
free(ra);
return -1;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH 1/6] checkpolicy: include <ctype.h> for isprint(3)
2024-04-02 15:29 [PATCH 1/6] checkpolicy: include <ctype.h> for isprint(3) Christian Göttsche
` (4 preceding siblings ...)
2024-04-02 15:29 ` [PATCH 6/6] checkpolicy: free complete role_allow_rule on error Christian Göttsche
@ 2024-04-03 19:35 ` James Carter
2024-04-04 16:22 ` James Carter
5 siblings, 1 reply; 8+ messages in thread
From: James Carter @ 2024-04-03 19:35 UTC (permalink / raw
To: Christian Göttsche; +Cc: selinux, Christian Göttsche
On Tue, Apr 2, 2024 at 11:29 AM Christian Göttsche
<cgoettsche@seltendoof.de> wrote:
>
> From: Christian Göttsche <cgzones@googlemail.com>
>
> Include the necessary header for isprint(3) to avoid an implicit
> function declaration:
>
> policy_scan.l: In function ‘yyerror’:
> policy_scan.l:342:13: warning: implicit declaration of function ‘isprint’ [-Wimplicit-function-declaration]
> 342 | if (isprint((unsigned char)yytext[0])) {
> | ^~~~~~~
> policy_scan.l:36:1: note: include ‘<ctype.h>’ or provide a declaration of ‘isprint’
> 35 | #include "y.tab.h"
> +++ |+#include <ctype.h>
> 36 | #endif
>
> This does not currently break the build cause -Werror is stripped for
> the parsing code to avoid breakage on old flex/bison versions that might
> not generate warning free code.
>
> Fixes: 39b3cc51350a ("checkpolicy: handle unprintable token")
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
For these six patches:
Acked-by: James Carter <jwcart2@gmail.com>
> ---
> checkpolicy/policy_scan.l | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
> index d7cf2896..62f28c11 100644
> --- a/checkpolicy/policy_scan.l
> +++ b/checkpolicy/policy_scan.l
> @@ -22,6 +22,7 @@
>
> %{
> #include <sys/types.h>
> +#include <ctype.h>
> #include <limits.h>
> #include <stdint.h>
> #include <string.h>
> --
> 2.43.0
>
>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 1/6] checkpolicy: include <ctype.h> for isprint(3)
2024-04-03 19:35 ` [PATCH 1/6] checkpolicy: include <ctype.h> for isprint(3) James Carter
@ 2024-04-04 16:22 ` James Carter
0 siblings, 0 replies; 8+ messages in thread
From: James Carter @ 2024-04-04 16:22 UTC (permalink / raw
To: Christian Göttsche; +Cc: selinux, Christian Göttsche
On Wed, Apr 3, 2024 at 3:35 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Tue, Apr 2, 2024 at 11:29 AM Christian Göttsche
> <cgoettsche@seltendoof.de> wrote:
> >
> > From: Christian Göttsche <cgzones@googlemail.com>
> >
> > Include the necessary header for isprint(3) to avoid an implicit
> > function declaration:
> >
> > policy_scan.l: In function ‘yyerror’:
> > policy_scan.l:342:13: warning: implicit declaration of function ‘isprint’ [-Wimplicit-function-declaration]
> > 342 | if (isprint((unsigned char)yytext[0])) {
> > | ^~~~~~~
> > policy_scan.l:36:1: note: include ‘<ctype.h>’ or provide a declaration of ‘isprint’
> > 35 | #include "y.tab.h"
> > +++ |+#include <ctype.h>
> > 36 | #endif
> >
> > This does not currently break the build cause -Werror is stripped for
> > the parsing code to avoid breakage on old flex/bison versions that might
> > not generate warning free code.
> >
> > Fixes: 39b3cc51350a ("checkpolicy: handle unprintable token")
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>
> For these six patches:
> Acked-by: James Carter <jwcart2@gmail.com>
>
These six patches have been merged.
Thanks,
Jim
> > ---
> > checkpolicy/policy_scan.l | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
> > index d7cf2896..62f28c11 100644
> > --- a/checkpolicy/policy_scan.l
> > +++ b/checkpolicy/policy_scan.l
> > @@ -22,6 +22,7 @@
> >
> > %{
> > #include <sys/types.h>
> > +#include <ctype.h>
> > #include <limits.h>
> > #include <stdint.h>
> > #include <string.h>
> > --
> > 2.43.0
> >
> >
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2024-04-04 16:23 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-04-02 15:29 [PATCH 1/6] checkpolicy: include <ctype.h> for isprint(3) Christian Göttsche
2024-04-02 15:29 ` [PATCH 2/6] checkpolicy/fuzz: override YY_FATAL_ERROR Christian Göttsche
2024-04-02 15:29 ` [PATCH 3/6] libsepol: validate access vector permissions Christian Göttsche
2024-04-02 15:29 ` [PATCH 4/6] checkpolicy: drop never read member Christian Göttsche
2024-04-02 15:29 ` [PATCH 5/6] checkpolicy: drop union stack_item_u Christian Göttsche
2024-04-02 15:29 ` [PATCH 6/6] checkpolicy: free complete role_allow_rule on error Christian Göttsche
2024-04-03 19:35 ` [PATCH 1/6] checkpolicy: include <ctype.h> for isprint(3) James Carter
2024-04-04 16:22 ` James Carter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).