sync backport patches from upstream

backport-libsepol-add-check-for-category-value-before-printin.patch

@@ -0,0 +1,35 @@
+From d3c2992ed0358c8e86a83c7f55fc529cba545298 Mon Sep 17 00:00:00 2001
+From: Huaxin Lu <luhuaxin1@huawei.com>
+Date: Thu, 16 Nov 2023 07:32:07 +0800
+Subject: [PATCH] libsepol: add check for category value before printing
+ 
+In mls_semantic_level_expand(), there is a explicitly determine
+whether category is 0, which may cause an potential integer
+overflow in error branch.
+ 
+Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+ 
+Reference: https://github.com/SELinuxProject/selinux/commit/d3c2992ed0358c8e86a83c7f55fc529cba545298
+Conflict: NA
+---
+ libsepol/src/expand.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+ 
+diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
+index ee5f9185..e63414b1 100644
+--- a/libsepol/src/expand.c
++++ b/libsepol/src/expand.c
+@@ -945,8 +945,8 @@ int mls_semantic_level_expand(mls_semantic_level_t * sl, mls_level_t * l,
+ 	for (cat = sl->cat; cat; cat = cat->next) {
+ 		if (!cat->low || cat->low > cat->high) {
+ 			ERR(h, "Category range is not valid %s.%s",
+-			    p->p_cat_val_to_name[cat->low - 1],
+-			    p->p_cat_val_to_name[cat->high - 1]);
++			    cat->low > 0 ? p->p_cat_val_to_name[cat->low - 1] : "Invalid",
++			    cat->high > 0 ? p->p_cat_val_to_name[cat->high - 1] : "Invalid");
+ 			return -1;
+ 		}
+ 		for (i = cat->low - 1; i < cat->high; i++) {
+-- 
+2.33.0

backport-libsepol-adjust-type-for-saturation-check.patch

@@ -0,0 +1,39 @@
+From 44375cb4a21dfdf3ac037237c5529049123336c2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Thu, 9 Nov 2023 14:51:19 +0100
+Subject: [PATCH] libsepol: adjust type for saturation check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+ 
+Change the type for the number of primary names in a symtab to uint32_t,
+which conforms to the bytes read and the type used in the symtab.
+The type is important for the saturation check via is_saturated(), since
+it checks against -1 casted to the specific type.
+ 
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+ 
+Reference: https://github.com/SELinuxProject/selinux/commit/44375cb4a21dfdf3ac037237c5529049123336c2
+Conflict: NA
+---
+ libsepol/src/policydb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+ 
+diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
+index f608aba4..bc7bc9dc 100644
+--- a/libsepol/src/policydb.c
++++ b/libsepol/src/policydb.c
+@@ -4120,8 +4120,8 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose)
+ {
+ 
+ 	unsigned int i, j, r_policyvers;
+-	uint32_t buf[5];
+-	size_t len, nprim, nel;
++	uint32_t buf[5], nprim;
++	size_t len, nel;
+ 	char *policydb_str;
+ 	const struct policydb_compat_info *info;
+ 	unsigned int policy_type, bufindex;
+-- 
+2.33.0

backport-libsepol-avoid-integer-overflow-in-add_i_to_a.patch

@@ -0,0 +1,32 @@
+From a55cd37461f2e1ef4cec3b09aa8b99f2d12a529d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Mon, 11 Dec 2023 15:48:25 +0100
+Subject: [PATCH] libsepol: avoid integer overflow in add_i_to_a()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+ 
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+ 
+Reference: https://github.com/SELinuxProject/selinux/commit/a55cd37461f2e1ef4cec3b09aa8b99f2d12a529d
+Conflict: NA
+---
+ libsepol/src/util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+ 
+diff --git a/libsepol/src/util.c b/libsepol/src/util.c
+index 571f6c93..4a6f7d11 100644
+--- a/libsepol/src/util.c
++++ b/libsepol/src/util.c
+@@ -44,7 +44,7 @@ int add_i_to_a(uint32_t i, uint32_t * cnt, uint32_t ** a)
+ {
+ 	uint32_t *new;
+ 
+-	if (cnt == NULL || a == NULL)
++	if (cnt == NULL || *cnt == UINT32_MAX || a == NULL)
+ 		return -1;
+ 
+ 	/* FIX ME: This is not very elegant! We use an array that we
+-- 
+2.33.0

backport-libsepol-avoid-leak-in-OOM-branch.patch

@@ -0,0 +1,39 @@
+From 3b05202621539843069bb1477da0d6cfdd384ebc Mon Sep 17 00:00:00 2001
+From: root <root@localhost.localdomain>
+Date: Mon, 8 Jan 2024 19:51:09 +0800
+Subject: [PATCH] libsepol: avoid leak in OOM branch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+ 
+In case the member sid_key failed to allocate, free the parent struct.
+ 
+Reported by Clang Analyzer:
+ 
+    module_to_cil.c:2607:9: warning: Potential leak of memory pointed to by 'item' [unix.Malloc]
+     2607 |         return rc;
+          |                ^~
+ 
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+ 
+Reference: https://github.com/SELinuxProject/selinux/commit/5e425b4165b801666e478b19efbf8ddb14d82a02
+Conflict: Context adaptation
+---
+ libsepol/src/module_to_cil.c | 1 +
+ 1 file changed, 1 insertion(+)
+ 
+diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
+index cc8066d..9a45cee 100644
+--- a/libsepol/src/module_to_cil.c
++++ b/libsepol/src/module_to_cil.c
+@@ -2570,6 +2570,7 @@ static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_
+ 		item->sid_key = strdup(sid);
+ 		if (!item->sid_key) {
+ 			log_err("Out of memory");
++			free(item);
+ 			rc = -1;
+ 			goto exit;
+ 		}
+-- 
+2.33.0

backport-libsepol-avtab-check-read-counts-for-saturation.patch

@@ -0,0 +1,37 @@
+From f9fd25005f815d996c4344967a8ad13dee853303 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Wed, 1 Nov 2023 17:37:25 +0100
+Subject: [PATCH] libsepol: avtab: check read counts for saturation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+ 
+Ensure counts are not set to the maximum value of their type.
+Also limit their size during fuzzing to prevent OOM reports.
+ 
+Reported-by: oss-fuzz (issue 60572), caused at the time by the filetrans
+             prefix proposal
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+ 
+Reference: https://github.com/SELinuxProject/selinux/commit/f9fd25005f815d996c4344967a8ad13dee853303
+Conflict: NA
+---
+ libsepol/src/avtab.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+ 
+diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c
+index 1ef5ee00..7c2328b7 100644
+--- a/libsepol/src/avtab.c
++++ b/libsepol/src/avtab.c
+@@ -600,7 +600,7 @@ int avtab_read(avtab_t * a, struct policy_file *fp, uint32_t vers)
+ 		goto bad;
+ 	}
+ 	nel = le32_to_cpu(buf[0]);
+-	if (!nel) {
++	if (zero_or_saturated(nel)) {
+ 		ERR(fp->handle, "table is empty");
+ 		goto bad;
+ 	}
+-- 
+2.33.0

backport-libsepol-cil-Check-common-perms-when-verifiying-all.patch

@@ -0,0 +1,53 @@
+From c071aa2e635935216e8e504a5b398f58aed2838e Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Mon, 1 Apr 2024 10:49:24 -0400
+Subject: [PATCH] libsepol/cil: Check common perms when verifiying "all"
+
+Commit e81c466 "Fix class permission verification in CIL", added a
+check for the use of "all" in a permission expression for a class
+that had no permissions. Unfortunately, that change did not take
+into account a class that had common permissions, so a class that
+has no permmissions of its own, but inherits permissions from a
+common, will fail the verification check.
+
+If the class inherits from a common, then add those permissions to
+the permmission list when verifying the permission expression.
+
+Example/
+(common co1 (cop1))
+(class cl1 ())
+(classcommon cl1 co1)
+(classorder (CLASS cl1))
+
+(classpermission cp1)
+(classpermissionset cp1 (cl1 (all)))
+
+(classmap cm1 (cmp1))
+(classmapping cm1 cmp1 (cl1 (all)))
+
+Previously, both the classpermissionset and the classmapping rules
+would fail verification, but now they pass as expected.
+
+Patch originally from Ben Cressey <bcressey@amazon.com>, I have
+expanded the explanation.
+
+Reported-by: Ben Cressey <bcressey@amazon.com>
+Signed-off-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_verify.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
+index 0c6d50a18..4ef2cbab3 100644
+--- a/libsepol/cil/src/cil_verify.c
++++ b/libsepol/cil/src/cil_verify.c
+@@ -1842,6 +1842,9 @@ static int __cil_verify_perms(struct cil_class *class, struct cil_list *perms, s
+ 				int count2 = 0;
+ 				cil_list_init(&perm_list, CIL_MAP_PERM);
+ 				cil_symtab_map(&class->perms, __add_perm_to_list, perm_list);
++				if (class->common != NULL) {
++					cil_symtab_map(&class->common->perms, __add_perm_to_list, perm_list);
++				}
+ 				cil_list_for_each(j, perm_list) {
+ 					count2++;
+ 					struct cil_perm *perm = j->data;

backport-libsepol-cil-Do-not-allow-classpermissionset-to-use-.patch

@@ -0,0 +1,87 @@
+From 903e8cf26e2ab874618e0fdaef537bc3d9a8b69d Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Fri, 13 Oct 2023 09:26:50 -0400
+Subject: [PATCH] libsepol/cil: Do not allow classpermissionset to use
+ anonymous classpermission
+
+Macros can use classpermission arguments. These are used in two
+different ways. Either a named classpermission is passed (which is
+declared using a classpermisison rule) or an anonymous classpermission
+is passed (something like "(CLASS (PERM))").
+
+Usually this will look like either of the following:
+Ex1/
+(classpermission cp1)
+(classpermisisonset cp1 (CLASS (PERM)))
+(macro m1 ((classpermisison ARG1))
+  (allow t1 self ARG1)
+)
+(call m1 (cp1))
+or
+Ex2/
+(macro m2 ((classpermission ARG2))
+  (allow t2 self ARG2)
+)
+(call m2 ((CLASS (PERM))))
+
+The following would also be valid:
+Ex3/
+(classpermission cp3)
+(macro m3 ((classpermission ARG3))
+  (classpermissionset ARG3 (CLASS (PERM)))
+  (allow t3 self ARG3)
+)
+(call m3 (cp3))
+
+The oss-fuzzer did the equivalent of the following:
+
+(classpermission cp4)
+(macro m4 ((classpermission ARG4))
+  (classpermissionset ARG4 (CLASS (PERM1)))
+  (allow t4 self ARG4)
+)
+(call m4 (CLASS (PERM2)))
+
+It passed an anonymous classpermission into a macro where there
+was a classpermissionset rule. Suprisingly, everything worked well
+until it was time to destroy the AST. There is no way to distinguish
+between the anonymous classpermission being passed in which needs
+to be destroyed and the classpermission in the classpermissionset
+rule which is destroyed when the classpermissionset rule is
+destroyed. This led to CIL trying to destroy the classpermission
+in the classpermissionset rule twice.
+
+To fix this, when resolving the classpermission name in the
+classpermissionset rule, check if the datum returned is for
+an anonymous classpermission (it has no name) and return an
+error if it is.
+
+This fixes oss-fuzz issue 60670.
+
+Signed-off-by: James Carter <jwcart2@gmail.com>
+
+Reference: https://github.com/SELinuxProject/selinux/commit/903e8cf26e2ab874618e0fdaef537bc3d9a8b69d
+Conflict: Context adaptation
+---
+ libsepol/cil/src/cil_resolve_ast.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
+index 4e8a375d6..427a320c9 100644
+--- a/libsepol/cil/src/cil_resolve_ast.c
++++ b/libsepol/cil/src/cil_resolve_ast.c
+@@ -253,6 +253,12 @@ int cil_resolve_classpermissionset(struct cil_tree_node *current, struct cil_cla
+ 		goto exit;
+ 	}
+ 
++	if (!datum->fqn) {
++		cil_tree_log(current, CIL_ERR, "Anonymous classpermission used in a classpermissionset");
++		rc = SEPOL_ERR;
++		goto exit;
++	}
++
+ 	rc = cil_resolve_classperms_list(current, cps->classperms, extra_args);
+ 	if (rc != SEPOL_OK) {
+ 		goto exit;
+-- 
+2.33.0

backport-libsepol-cil-Fix-detected-RESOURCE_LEAK-CWE-772.patch

@@ -0,0 +1,29 @@
+From 1f173f8efab8e9931898d924057bd0ea8da759b7 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Tue, 30 Apr 2024 17:30:24 +0200
+Subject: [PATCH] libsepol/cil: Fix detected RESOURCE_LEAK (CWE-772)
+
+libsepol-3.6/cil/src/cil_binary.c:902: alloc_fn: Storage is returned from allocation function "cil_malloc".
+libsepol-3.6/cil/src/cil_binary.c:902: var_assign: Assigning: "mls_level" = storage returned from "cil_malloc(24UL)".
+libsepol-3.6/cil/src/cil_binary.c:903: noescape: Resource "mls_level" is not freed or pointed-to in "mls_level_init".
+libsepol-3.6/cil/src/cil_binary.c:905: noescape: Resource "mls_level" is not freed or pointed-to in "mls_level_cpy".
+libsepol-3.6/cil/src/cil_binary.c:919: leaked_storage: Variable "mls_level" going out of scope leaks the storage it points to.
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_binary.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
+index 95bd18baa..c8144a5af 100644
+--- a/libsepol/cil/src/cil_binary.c
++++ b/libsepol/cil/src/cil_binary.c
+@@ -904,6 +904,7 @@ static int cil_sensalias_to_policydb(policydb_t *pdb, struct cil_alias *cil_alia
+ 
+ 	rc = mls_level_cpy(mls_level, sepol_level->level);
+ 	if (rc != SEPOL_OK) {
++		free(mls_level);
+ 		goto exit;
+ 	}
+ 	sepol_alias->level = mls_level;

backport-libsepol-cil-ensure-transitivity-in-compare-functions.patch

@@ -0,0 +1,77 @@
+From 162a0884cccce80b76e35bc1094d5eaef84728e5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Wed, 31 Jan 2024 13:56:11 +0100
+Subject: [PATCH] libsepol/cil: ensure transitivity in compare functions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ensure comparison functions used by qsort(3) fulfill transitivity, since
+otherwise the resulting array might not be sorted correctly or worse[1]
+in case of integer overflows.
+
+[1]: https://www.qualys.com/2024/01/30/qsort.txt
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_post.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
+index 7f45299a3..ac99997f7 100644
+--- a/libsepol/cil/src/cil_post.c
++++ b/libsepol/cil/src/cil_post.c
+@@ -52,6 +52,8 @@
+ #define GEN_REQUIRE_ATTR "cil_gen_require" /* Also in libsepol/src/module_to_cil.c */
+ #define TYPEATTR_INFIX "_typeattr_"        /* Also in libsepol/src/module_to_cil.c */
+ 
++#define spaceship_cmp(a, b) (((a) > (b)) - ((a) < (b)))
++
+ struct fc_data {
+ 	unsigned int meta;
+ 	size_t stem_len;
+@@ -263,8 +265,8 @@ int cil_post_ibpkeycon_compare(const void *a, const void *b)
+ 	if (rc)
+ 		return rc;
+ 
+-	rc = (aibpkeycon->pkey_high - aibpkeycon->pkey_low)
+-		- (bibpkeycon->pkey_high - bibpkeycon->pkey_low);
++	rc = spaceship_cmp(aibpkeycon->pkey_high - aibpkeycon->pkey_low,
++		bibpkeycon->pkey_high - bibpkeycon->pkey_low);
+ 	if (rc == 0) {
+ 		if (aibpkeycon->pkey_low < bibpkeycon->pkey_low)
+ 			rc = -1;
+@@ -281,8 +283,8 @@ int cil_post_portcon_compare(const void *a, const void *b)
+ 	struct cil_portcon *aportcon = *(struct cil_portcon**)a;
+ 	struct cil_portcon *bportcon = *(struct cil_portcon**)b;
+ 
+-	rc = (aportcon->port_high - aportcon->port_low) 
+-		- (bportcon->port_high - bportcon->port_low);
++	rc = spaceship_cmp(aportcon->port_high - aportcon->port_low,
++		bportcon->port_high - bportcon->port_low);
+ 	if (rc == 0) {
+ 		if (aportcon->port_low < bportcon->port_low) {
+ 			rc = -1;
+@@ -394,8 +396,8 @@ static int cil_post_iomemcon_compare(const void *a, const void *b)
+ 	struct cil_iomemcon *aiomemcon = *(struct cil_iomemcon**)a;
+ 	struct cil_iomemcon *biomemcon = *(struct cil_iomemcon**)b;
+ 
+-	rc = (aiomemcon->iomem_high - aiomemcon->iomem_low) 
+-		- (biomemcon->iomem_high - biomemcon->iomem_low);
++	rc = spaceship_cmp(aiomemcon->iomem_high - aiomemcon->iomem_low,
++		biomemcon->iomem_high - biomemcon->iomem_low);
+ 	if (rc == 0) {
+ 		if (aiomemcon->iomem_low < biomemcon->iomem_low) {
+ 			rc = -1;
+@@ -413,8 +415,8 @@ static int cil_post_ioportcon_compare(const void *a, const void *b)
+ 	struct cil_ioportcon *aioportcon = *(struct cil_ioportcon**)a;
+ 	struct cil_ioportcon *bioportcon = *(struct cil_ioportcon**)b;
+ 
+-	rc = (aioportcon->ioport_high - aioportcon->ioport_low) 
+-		- (bioportcon->ioport_high - bioportcon->ioport_low);
++	rc = spaceship_cmp(aioportcon->ioport_high - aioportcon->ioport_low,
++		bioportcon->ioport_high - bioportcon->ioport_low);
+ 	if (rc == 0) {
+ 		if (aioportcon->ioport_low < bioportcon->ioport_low) {
+ 			rc = -1;

backport-libsepol-enhance-saturation-check.patch

@@ -0,0 +1,138 @@
+From bd1b7848c66b69bdb1ef25332c90c47d61656437 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Thu, 9 Nov 2023 14:51:20 +0100
+Subject: [PATCH] libsepol: enhance saturation check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Several values while parsing kernel policies, like symtab sizes or
+string lengths, are checked for saturation.  They may not be set to the
+maximum value, to avoid overflows or occupying a reserved value, and
+many of those sizes must not be 0.  This is currently handled via the
+two macros is_saturated() and zero_or_saturated().
+
+Both macros are tweaked for the fuzzer, because the fuzzer can create
+input with huge sizes.  While there is no subsequent data to provide
+the announced sizes, which will be caught later, memory of the requested
+size is allocated, which would lead to OOM reports.  Thus the sizes for
+the fuzzer are limited to 2^16.  This has the drawback of the fuzzer
+not checking the complete input space.
+
+Check the sizes in question for actual enough bytes available in the
+input.  This is (only) possible for mapped memory, which the fuzzer
+uses.
+
+Application like setools do currently not benefit from this change,
+since they load the policy via a stream.  There are currently multiple
+interfaces to load a policy, so reworking them to use mapped memory by
+default might be subject for future work.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+
+Reference: https://github.com/SELinuxProject/selinux/commit/bd1b7848c66b69bdb1ef25332c90c47d61656437
+Conflict: Context adaptation
+---
+ libsepol/src/avtab.c    |  2 +-
+ libsepol/src/policydb.c |  9 ++++++---
+ libsepol/src/private.h  | 22 ++++++++++++++++------
+ libsepol/src/services.c |  2 +-
+ 4 files changed, 24 insertions(+), 11 deletions(-)
+
+diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c
+index 7c2328b7..b2fa8d85 100644
+--- a/libsepol/src/avtab.c
++++ b/libsepol/src/avtab.c
+@@ -600,7 +600,7 @@ int avtab_read(avtab_t * a, struct policy_file *fp, uint32_t vers)
+ 		goto bad;
+ 	}
+ 	nel = le32_to_cpu(buf[0]);
+-	if (zero_or_saturated(nel)) {
++	if (zero_or_saturated(nel) || exceeds_available_bytes(fp, nel, sizeof(uint32_t) * 3)) {
+ 		ERR(fp->handle, "table is empty");
+ 		goto bad;
+ 	}
+diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
+index bc7bc9dc..6ba4f916 100644
+--- a/libsepol/src/policydb.c
++++ b/libsepol/src/policydb.c
+@@ -3857,7 +3857,8 @@ static int scope_index_read(scope_index_t * scope_index,
+ 	if (rc < 0)
+ 		return -1;
+ 	scope_index->class_perms_len = le32_to_cpu(buf[0]);
+-	if (is_saturated(scope_index->class_perms_len))
++	if (is_saturated(scope_index->class_perms_len) ||
++	    exceeds_available_bytes(fp, scope_index->class_perms_len, sizeof(uint32_t) * 3))
+ 		return -1;
+ 	if (scope_index->class_perms_len == 0) {
+ 		scope_index->class_perms_map = NULL;
+@@ -4036,7 +4037,8 @@ static int scope_read(policydb_t * p, int symnum, struct policy_file *fp)
+ 		goto cleanup;
+ 	scope->scope = le32_to_cpu(buf[0]);
+ 	scope->decl_ids_len = le32_to_cpu(buf[1]);
+-	if (zero_or_saturated(scope->decl_ids_len)) {
++	if (zero_or_saturated(scope->decl_ids_len) ||
++	    exceeds_available_bytes(fp, scope->decl_ids_len, sizeof(uint32_t))) {
+ 		ERR(fp->handle, "invalid scope with no declaration");
+ 		goto cleanup;
+ 	}
+@@ -4315,7 +4317,8 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose)
+ 		if (rc < 0)
+ 			goto bad;
+ 		nprim = le32_to_cpu(buf[0]);
+-		if (is_saturated(nprim))
++		if (is_saturated(nprim) ||
++		    exceeds_available_bytes(fp, nprim, sizeof(uint32_t) * 3))
+ 			goto bad;
+ 		nel = le32_to_cpu(buf[1]);
+ 		if (nel && !nprim) {
+diff --git a/libsepol/src/private.h b/libsepol/src/private.h
+index 1833b497..1500bbc2 100644
+--- a/libsepol/src/private.h
++++ b/libsepol/src/private.h
+@@ -44,13 +44,23 @@
+ 
+ #define ARRAY_SIZE(x) (sizeof(x)/sizeof((x)[0]))
+ 
+-#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+-# define is_saturated(x) (x == (typeof(x))-1 || (x) > (1U << 16))
+-#else
+-# define is_saturated(x) (x == (typeof(x))-1)
+-#endif
++static inline int exceeds_available_bytes(const struct policy_file *fp, size_t x, size_t req_elem_size)
++{
++	size_t req_size;
++
++	/* Remaining input size is only available for mmap'ed memory */
++	if (fp->type != PF_USE_MEMORY)
++		return 0;
++
++	if (__builtin_mul_overflow(x, req_elem_size, &req_size))
++		return 1;
++
++	return req_size > fp->len;
++}
++
++#define is_saturated(x) ((x) == (typeof(x))-1)
+ 
+-#define zero_or_saturated(x) ((x == 0) || is_saturated(x))
++#define zero_or_saturated(x) (((x) == 0) || is_saturated(x))
+ 
+ #define spaceship_cmp(a, b) (((a) > (b)) - ((a) < (b)))
+ 
+diff --git a/libsepol/src/services.c b/libsepol/src/services.c
+index 51bd56a0..aa1ad52c 100644
+--- a/libsepol/src/services.c
++++ b/libsepol/src/services.c
+@@ -1748,7 +1748,7 @@ int str_read(char **strp, struct policy_file *fp, size_t len)
+ 	int rc;
+ 	char *str;
+ 
+-	if (zero_or_saturated(len)) {
++	if (zero_or_saturated(len) || exceeds_available_bytes(fp, len, sizeof(char))) {
+ 		errno = EINVAL;
+ 		return -1;
+ 	}
+-- 
+2.27.0

backport-libsepol-ensure-transitivity-in-compare-functions.patch

@@ -0,0 +1,47 @@
+From b52e27aeaa563ac998345a6a670493172411b166 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Wed, 31 Jan 2024 13:56:10 +0100
+Subject: [PATCH] libsepol: ensure transitivity in compare functions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ensure comparison functions used by qsort(3) fulfill transitivity, since
+otherwise the resulting array might not be sorted correctly or worse[1]
+in case of integer overflows.
+
+[1]: https://www.qualys.com/2024/01/30/qsort.txt
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/src/kernel_to_common.c | 2 +-
+ libsepol/src/module_to_cil.c    | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libsepol/src/kernel_to_common.c b/libsepol/src/kernel_to_common.c
+index 2422eed08..44f0be23a 100644
+--- a/libsepol/src/kernel_to_common.c
++++ b/libsepol/src/kernel_to_common.c
+@@ -503,7 +503,7 @@ static int ibendport_data_cmp(const void *a, const void *b)
+ 	if (rc)
+ 		return rc;
+ 
+-	return (*aa)->u.ibendport.port - (*bb)->u.ibendport.port;
++	return spaceship_cmp((*aa)->u.ibendport.port, (*bb)->u.ibendport.port);
+ }
+ 
+ static int pirq_data_cmp(const void *a, const void *b)
+diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
+index 0fce7cc7e..6699a46be 100644
+--- a/libsepol/src/module_to_cil.c
++++ b/libsepol/src/module_to_cil.c
+@@ -1681,7 +1681,7 @@ static int class_perm_cmp(const void *a, const void *b)
+ 	const struct class_perm_datum *aa = a;
+ 	const struct class_perm_datum *bb = b;
+ 
+-	return aa->val - bb->val;
++	return spaceship_cmp(aa->val, bb->val);
+ }
+ 
+ static int common_to_cil(char *key, void *data, void *UNUSED(arg))

backport-libsepol-expand-skip-invalid-cat.patch

@@ -0,0 +1,38 @@
+From cae65d9a10623bb9063a2e3ca5357bb1602d55af Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 12 May 2023 11:30:01 +0200
+Subject: [PATCH] libsepol: expand: skip invalid cat
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+ 
+Bail out on expanding levels with invalid low category.
+ 
+UBSAN report:
+ 
+    expand.c:952:21: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'uint32_t' (aka 'unsigned int')
+ 
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+ 
+Reference: https://github.com/SELinuxProject/selinux/commit/cae65d9a10623bb9063a2e3ca5357bb1602d55af
+Conflict: NA
+---
+ libsepol/src/expand.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+ 
+diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
+index c08d3a35..8795229a 100644
+--- a/libsepol/src/expand.c
++++ b/libsepol/src/expand.c
+@@ -943,7 +943,7 @@ int mls_semantic_level_expand(mls_semantic_level_t * sl, mls_level_t * l,
+ 		return -1;
+ 	}
+ 	for (cat = sl->cat; cat; cat = cat->next) {
+-		if (cat->low > cat->high) {
++		if (!cat->low || cat->low > cat->high) {
+ 			ERR(h, "Category range is not valid %s.%s",
+ 			    p->p_cat_val_to_name[cat->low - 1],
+ 			    p->p_cat_val_to_name[cat->high - 1]);
+-- 
+2.33.0

backport-libsepol-more-strict-validation.patch

@@ -0,0 +1,55 @@
+From 6ed7dcf2f6f71d6db5fa89e0b965c10a165f315c Mon Sep 17 00:00:00 2001
+From: root <root@localhost.localdomain>
+Date: Mon, 8 Jan 2024 17:09:46 +0800
+Subject: [PATCH] libsepol: more strict validation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+ 
+Ensure the ibendport port is not 0 (similar to the kernel).
+ 
+More general depth test for boolean expressions.
+ 
+Ensure the boolean id is not set for logic operators.
+ 
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+ 
+Reference: https://github.com/SELinuxProject/selinux/commit/7b754f703d704c9d9931497536771e6124ca2418
+Conflict: Context adaptation
+---
+ libsepol/src/policydb_validate.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+ 
+diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
+index da3c7c5..09f0813 100644
+--- a/libsepol/src/policydb_validate.c
++++ b/libsepol/src/policydb_validate.c
+@@ -479,13 +479,15 @@ static int validate_cond_expr(sepol_handle_t *handle, struct cond_expr *expr, va
+ 		case COND_BOOL:
+ 			if (validate_value(expr->bool, boolean))
+ 				goto bad;
+-			if (depth == (COND_EXPR_MAXDEPTH - 1))
++			if (depth >= (COND_EXPR_MAXDEPTH - 1))
+ 				goto bad;
+ 			depth++;
+ 			break;
+ 		case COND_NOT:
+ 			if (depth < 0)
+ 				goto bad;
++			if (expr->bool != 0)
++				goto bad;
+ 			break;
+ 		case COND_OR:
+ 		case COND_AND:
+@@ -494,6 +496,8 @@ static int validate_cond_expr(sepol_handle_t *handle, struct cond_expr *expr, va
+ 		case COND_NEQ:
+ 			if (depth < 1)
+ 				goto bad;
++			if (expr->bool != 0)
++				goto bad;
+ 			depth--;
+ 			break;
+ 		default:
+-- 
+2.33.0

backport-libsepol-reject-avtab-entries-with-invalid-specifier.patch

@@ -0,0 +1,61 @@
+From b1b3467a476b109f20ad581d73c56262205a021e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Wed, 1 Nov 2023 17:37:24 +0100
+Subject: [PATCH] libsepol: reject avtab entries with invalid specifier
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+ 
+Neverallow avtab entries are not supported (normal and extended). Reject
+them to avoid lookup confusions via avtab_search(), e.g. when searching
+for a invalid key of AVTAB_TRANSITION|AVTAB_NEVERALLOW and the result of
+only AVTAB_NEVERALLOW has no transition value.
+ 
+Simplify the check for the number of specifiers by using the compiler
+popcount builtin (already used in libsepol).
+ 
+Reported-by: oss-fuzz (issue 60568), caused at the time by the filetrans
+             prefix proposal
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+ 
+Reference: https://github.com/SELinuxProject/selinux/commit/b1b3467a476b109f20ad581d73c56262205a021e
+Conflict: NA
+---
+ libsepol/src/avtab.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+ 
+diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c
+index 6ab49c5e..1ef5ee00 100644
+--- a/libsepol/src/avtab.c
++++ b/libsepol/src/avtab.c
+@@ -441,7 +441,6 @@ int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a,
+ 	avtab_key_t key;
+ 	avtab_datum_t datum;
+ 	avtab_extended_perms_t xperms;
+-	unsigned set;
+ 	unsigned int i;
+ 	int rc;
+ 
+@@ -535,13 +534,13 @@ int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a,
+ 	key.target_class = le16_to_cpu(buf16[items++]);
+ 	key.specified = le16_to_cpu(buf16[items++]);
+ 
+-	set = 0;
+-	for (i = 0; i < ARRAY_SIZE(spec_order); i++) {
+-		if (key.specified & spec_order[i])
+-			set++;
++	if (key.specified & ~(AVTAB_AV | AVTAB_TYPE | AVTAB_XPERMS | AVTAB_ENABLED)) {
++		ERR(fp->handle, "invalid specifier");
++		return -1;
+ 	}
+-	if (!set || set > 1) {
+-		ERR(fp->handle, "more than one specifier");
++
++	if (__builtin_popcount(key.specified & ~AVTAB_ENABLED) != 1) {
++		ERR(fp->handle, "not exactly one specifier");
+ 		return -1;
+ 	}
+ 
+-- 
+2.33.0

backport-libsepol-reject-invalid-class-datums.patch

@@ -0,0 +1,54 @@
+From 68c3a9991679702a7adc6e040e5703a7abb50b16 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 28 Nov 2023 19:23:32 +0100
+Subject: [PATCH] libsepol: reject invalid class datums
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Internally class values are stored in multiple placed in a 16-bit wide
+integer.  Reject class values exceeding the maximum representable value.
+This avoids truncations in the helper
+policydb_string_to_security_class(), which gets called before validation
+of the policy:
+
+    policydb.c:4082:9: runtime error: implicit conversion from type 'uint32_t' (aka 'unsigned int') of value 2113929220 (32-bit, unsigned) to type 'sepol_security_class_t' (aka 'unsigned short') changed the value to 4 (16-bit, unsigned)
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+ 
+Reference: https://github.com/SELinuxProject/selinux/commit/68c3a9991679702a7adc6e040e5703a7abb50b16
+Conflict: Context adaptation
+---
+ libsepol/src/policydb.c          | 2 ++
+ libsepol/src/policydb_validate.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
+index 6ba4f9168..f10a8a95a 100644
+--- a/libsepol/src/policydb.c
++++ b/libsepol/src/policydb.c
+@@ -2250,6 +2250,8 @@ static int class_read(policydb_t * p, hashtab_t h, struct policy_file *fp)
+ 	if (is_saturated(len2))
+ 		goto bad;
+ 	cladatum->s.value = le32_to_cpu(buf[2]);
++	if (cladatum->s.value > UINT16_MAX)
++		goto bad;
+ 
+ 	if (symtab_init(&cladatum->permissions, PERM_SYMTAB_SIZE))
+ 		goto bad;
+diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
+index 6d8641f..69a436b 100644
+--- a/libsepol/src/policydb_validate.c
++++ b/libsepol/src/policydb_validate.c
+@@ -199,7 +199,7 @@ bad:
+ 
+ static int validate_class_datum(sepol_handle_t *handle, const class_datum_t *class, validate_t flavors[])
+ {
+-	if (validate_value(class->s.value, &flavors[SYM_CLASSES]))
++	if (class->s.value > UINT16_MAX || validate_value(class->s.value, &flavors[SYM_CLASSES]))
+ 		goto bad;
+ 	if (class->comdatum && validate_common_datum(handle, class->comdatum, flavors))
+ 		goto bad;
+-- 
+2.33.0

backport-libsepol-reject-linking-modules-with-no-avrules.patch

@@ -0,0 +1,47 @@
+From 4724538b62e4eb846057b227ce12052749bd4473 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 28 Nov 2023 19:23:34 +0100
+Subject: [PATCH] libsepol: reject linking modules with no avrules
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+ 
+Standard policy modules generated by compilers have at least one global
+av rule.  Reject modules otherwise, e.g. generated by a fuzzer.
+ 
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+ 
+Reference: https://github.com/SELinuxProject/selinux/commit/4724538b62e4eb846057b227ce12052749bd4473
+Conflict: NA
+---
+ libsepol/src/link.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+ 
+diff --git a/libsepol/src/link.c b/libsepol/src/link.c
+index 3b7742bc..b8272308 100644
+--- a/libsepol/src/link.c
++++ b/libsepol/src/link.c
+@@ -2019,7 +2019,7 @@ static int debug_requirements(link_state_t * state, policydb_t * p)
+ 	memset(&req, 0, sizeof(req));
+ 
+ 	for (cur = p->global; cur != NULL; cur = cur->next) {
+-		if (cur->enabled != NULL)
++		if (cur->enabled != NULL || cur->branch_list == NULL)
+ 			continue;
+ 
+ 		ret = is_decl_requires_met(state, cur->branch_list, &req);
+@@ -2142,6 +2142,11 @@ static int enable_avrules(link_state_t * state, policydb_t * pol)
+ 	/* 1) enable all of the non-else blocks */
+ 	for (block = pol->global; block != NULL; block = block->next) {
+ 		block->enabled = block->branch_list;
++		if (!block->enabled) {
++			ERR(state->handle, "Global block has no avrules!");
++			ret = SEPOL_ERR;
++			goto out;
++		}
+ 		block->enabled->enabled = 1;
+ 		for (decl = block->branch_list->next; decl != NULL;
+ 		     decl = decl->next)
+-- 
+2.33.0

backport-libsepol-reject-unsupported-policy-capabilities.patch

@@ -0,0 +1,75 @@
+From e22b7dee0d8de9bc49992fa80b9ceb53925ea36c Mon Sep 17 00:00:00 2001
+From: root <root@localhost.localdomain>
+Date: Mon, 8 Jan 2024 17:16:30 +0800
+Subject: [PATCH] libsepol: reject unsupported policy capabilities
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+ 
+Kernel policies with unsupported policy capabilities enabled can
+currently be parsed, since they result just in a bit set inside an
+ebitmap.  Writing such a loaded policy into the traditional language or
+CIL will fail however, since the unsupported policy capabilities can not
+be converted into a name.
+ 
+Reject kernel policies with invalid policy capabilities.
+ 
+Reported-by: oss-fuzz (issue 60573)
+ 
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+ 
+Reference: https://github.com/SELinuxProject/selinux/commit/7cf2bfb59313eeef59e916834c3243b7a0ce7b4f
+Conflict: Context adaptation
+---
+ libsepol/src/policydb_validate.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+ 
+diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
+index 09f0813..9553812 100644
+--- a/libsepol/src/policydb_validate.c
++++ b/libsepol/src/policydb_validate.c
+@@ -2,6 +2,7 @@
+ #include <sepol/policydb/conditional.h>
+ #include <sepol/policydb/ebitmap.h>
+ #include <sepol/policydb/policydb.h>
++#include <sepol/policydb/polcaps.h>
+ #include <sepol/policydb/services.h>
+ 
+ #include "debug.h"
+@@ -771,6 +772,23 @@ bad:
+ 	return -1;
+ }
+ 
++static int validate_policycaps(sepol_handle_t *handle, const policydb_t *p)
++{
++	ebitmap_node_t *node;
++	uint32_t i;
++
++	ebitmap_for_each_positive_bit(&p->policycaps, node, i) {
++		if (!sepol_polcap_getname(i))
++			goto bad;
++	}
++
++	return 0;
++
++bad:
++	ERR(handle, "Invalid policy capability");
++	return -1;
++}
++
+ static void validate_array_destroy(validate_t flavors[])
+ {
+ 	unsigned int i;
+@@ -790,6 +808,9 @@ int policydb_validate(sepol_handle_t *handle, policydb_t *p)
+ 	if (validate_properties(handle, p))
+ 		goto bad;
+ 
++	if (validate_policycaps(handle, p))
++		goto bad;
++
+ 	if (p->policy_type == POLICY_KERN) {
+ 		if (validate_avtab(handle, &p->te_avtab, p, flavors))
+ 			goto bad;
+-- 
+2.33.0

backport-libsepol-use-correct-type-to-avoid-truncations.patch

@@ -0,0 +1,50 @@
+From 4f1435dd51f832fa3b122e5e98be2a5ab176780c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 28 Nov 2023 19:23:29 +0100
+Subject: [PATCH] libsepol: use correct type to avoid truncations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+ 
+Avoid truncations of the read 32 bit unsigned integer:
+ 
+    conditional.c:764:8: runtime error: implicit conversion from type 'uint32_t' (aka 'unsigned int') of value 3758096384 (32-bit, unsigned) to type 'int' changed the value to -536870912 (32-bit, signed)
+    conditional.c:831:8: runtime error: implicit conversion from type 'uint32_t' (aka 'unsigned int') of value 4280295456 (32-bit, unsigned) to type 'int' changed the value to -14671840 (32-bit, signed)
+ 
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+ 
+Reference: https://github.com/SELinuxProject/selinux/commit/4f1435dd51f832fa3b122e5e98be2a5ab176780c
+Conflict: NA
+---
+ libsepol/src/conditional.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+ 
+diff --git a/libsepol/src/conditional.c b/libsepol/src/conditional.c
+index 24380ea0..420c7b6c 100644
+--- a/libsepol/src/conditional.c
++++ b/libsepol/src/conditional.c
+@@ -746,8 +746,8 @@ static int expr_isvalid(policydb_t * p, cond_expr_t * expr)
+ 
+ static int cond_read_node(policydb_t * p, cond_node_t * node, void *fp)
+ {
+-	uint32_t buf[2];
+-	int len, i, rc;
++	uint32_t buf[2], i, len;
++	int rc;
+ 	cond_expr_t *expr = NULL, *last = NULL;
+ 
+ 	rc = next_entry(buf, fp, sizeof(uint32_t));
+@@ -821,8 +821,8 @@ static int cond_read_node(policydb_t * p, cond_node_t * node, void *fp)
+ int cond_read_list(policydb_t * p, cond_list_t ** list, void *fp)
+ {
+ 	cond_node_t *node, *last = NULL;
+-	uint32_t buf[1];
+-	int i, len, rc;
++	uint32_t buf[1], i, len;
++	int rc;
+ 
+ 	rc = next_entry(buf, fp, sizeof(uint32_t));
+ 	if (rc < 0)
+-- 
+2.33.0

backport-libsepol-validate-empty-common-classes-in-scope-indi.patch

@@ -0,0 +1,35 @@
+From e54bedce80267b4fbd79b16f548a278c097bd675 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Mon, 11 Dec 2023 15:55:40 +0100
+Subject: [PATCH] libsepol: validate empty common classes in scope indices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Validate no common classes inside scope indices are defined.
+
+Reported-by: oss-fuzz (issue 64849)
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+
+Reference: https://github.com/SELinuxProject/selinux/commit/e54bedce80267b4fbd79b16f548a278c097bd675
+Conflict: Context adaptation
+---
+ libsepol/src/policydb_validate.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
+index bd8e9f8f3..d86f885e4 100644
+--- a/libsepol/src/policydb_validate.c
++++ b/libsepol/src/policydb_validate.c
+@@ -730,6 +730,8 @@ bad:
+ 
+ static int validate_scope_index(sepol_handle_t *handle, const scope_index_t *scope_index, validate_t flavors[])
+ {
++	if (!ebitmap_is_empty(&scope_index->scope[SYM_COMMONS]))
++		goto bad;
+ 	if (validate_ebitmap(&scope_index->p_classes_scope, &flavors[SYM_CLASSES]))
+ 		goto bad;
+ 	if (validate_ebitmap(&scope_index->p_roles_scope, &flavors[SYM_ROLES]))
+-- 
+2.33.0

backport-libsepol-validate-the-identifier-for-initials-SID-is.patch

@@ -0,0 +1,50 @@
+From cf6ddded1650098c05f4245df41395420cf41838 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Thu, 9 Nov 2023 14:51:21 +0100
+Subject: [PATCH] libsepol: validate the identifier for initials SID is valid
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Check the identifier for initial SIDs is less than the maximum known ID.
+The kernel will ignore all unknown IDs, see
+security/selinux/ss/policydb.c:policydb_load_isids().
+
+Without checking huge IDs result in OOM events, while writing policies,
+e.g. in write_sids_to_conf() or write_sids_to_cil(), due to allocation
+of large (continuous) string lists.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+
+Reference: https://github.com/SELinuxProject/selinux/commit/cf6ddded1650098c05f4245df41395420cf41838
+Conflict: Context adaptation
+---
+ libsepol/src/policydb_validate.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
+index 016ab6550..32ad5a18b 100644
+--- a/libsepol/src/policydb_validate.c
++++ b/libsepol/src/policydb_validate.c
+@@ -6,6 +6,7 @@
+ #include <sepol/policydb/services.h>
+ 
+ #include "debug.h"
++#include "kernel_to_common.h"
+ #include "policydb_validate.h"
+ 
+ #define bool_xor(a, b) (!(a) != !(b))
+@@ -635,6 +636,10 @@ static int validate_ocontexts(sepol_handle_t *handle, const policydb_t *p, validate_t
+ 
+ 			if (p->target_platform == SEPOL_TARGET_SELINUX) {
+ 				switch (i) {
++				case OCON_ISID:
++					if (octx->sid[0] == SEPOL_SECSID_NULL || octx->sid[0] >= SELINUX_SID_SZ)
++						goto bad;
++					break;
+ 				case OCON_FS:
+ 				case OCON_NETIF:
+ 					if (validate_context(&octx->context[1], flavors, p->mls))
+-- 
+2.33.0

libsepol.spec

@@ -1,6 +1,6 @@
 Name:           libsepol
 Version:        3.5
-Release:        3
+Release:        4
 Summary:        SELinux binary policy manipulation library
 License:        LGPLv2+
 URL:            https://github.com/SELinuxProject/selinux/wiki/Releases
@@ -14,6 +14,26 @@ Patch0005:      backport-libsepol-cil-Fix-class-permission-verification-in-CIL.p
 Patch0006:      backport-libsepol-validate-old-style-range-trans-classes.patch
 Patch0007:      backport-libsepol-validate-check-low-category-is-not-bigger-than-high.patch
 Patch0008:      backport-libsepol-reorder-calloc-3-arguments.patch
+Patch0009:      backport-libsepol-reject-avtab-entries-with-invalid-specifier.patch
+Patch0010:      backport-libsepol-avtab-check-read-counts-for-saturation.patch
+Patch0011:      backport-libsepol-expand-skip-invalid-cat.patch
+Patch0012:      backport-libsepol-more-strict-validation.patch
+Patch0013:      backport-libsepol-reject-unsupported-policy-capabilities.patch
+Patch0014:      backport-libsepol-adjust-type-for-saturation-check.patch
+Patch0015:      backport-libsepol-enhance-saturation-check.patch
+Patch0016:      backport-libsepol-avoid-leak-in-OOM-branch.patch
+Patch0017:      backport-libsepol-cil-Do-not-allow-classpermissionset-to-use-.patch
+Patch0018:      backport-libsepol-add-check-for-category-value-before-printin.patch
+Patch0019:      backport-libsepol-use-correct-type-to-avoid-truncations.patch
+Patch0020:      backport-libsepol-reject-invalid-class-datums.patch
+Patch0021:      backport-libsepol-reject-linking-modules-with-no-avrules.patch
+Patch0022:      backport-libsepol-avoid-integer-overflow-in-add_i_to_a.patch
+Patch0023:      backport-libsepol-validate-empty-common-classes-in-scope-indi.patch
+Patch0024:      backport-libsepol-validate-the-identifier-for-initials-SID-is.patch
+Patch0025:      backport-libsepol-ensure-transitivity-in-compare-functions.patch
+Patch0026:      backport-libsepol-cil-ensure-transitivity-in-compare-functions.patch
+Patch0027:      backport-libsepol-cil-Check-common-perms-when-verifiying-all.patch
+Patch0028:      backport-libsepol-cil-Fix-detected-RESOURCE_LEAK-CWE-772.patch
 
 BuildRequires:  gcc flex
 
@@ -74,6 +94,9 @@ make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" install
 %{_mandir}/man3/*
 
 %changelog
+* Tue Oct 15 2024 yanglongkang <yanglongkang@h-partners.com> - 3.5-4
+- backport bugfix from upstream
+
 * Tue Mar 26 2024 gengqihu <gengqihu2@h-partners.com> - 3.5-3
 - backport bugfix from upstream