From cf6ddded1650098c05f4245df41395420cf41838 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
Date: Thu, 9 Nov 2023 14:51:21 +0100
Subject: [PATCH] libsepol: validate the identifier for initials SID is valid
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Check the identifier for initial SIDs is less than the maximum known ID. The kernel will ignore all unknown IDs, see security/selinux/ss/policydb.c:policydb_load_isids(). Without checking huge IDs result in OOM events, while writing policies, e.g. in write_sids_to_conf() or write_sids_to_cil(), due to allocation of large (continuous) string lists.

Signed-off-by: Christian Göttsche
Acked-by: James Carter
Reference: https://github.com/SELinuxProject/selinux/commit/cf6ddded1650098c05f4245df41395420cf41838
Conflict: Context adaptation
---
 libsepol/src/policydb_validate.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index 016ab6550..32ad5a18b 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -6,6 +6,7 @@
 #include
 #include "debug.h"
+#include "kernel_to_common.h"
 #include "policydb_validate.h"
 #define bool_xor(a, b) (!(a) != !(b))
@@ -635,6 +636,10 @@ static int validate_ocontexts(sepol_handle_t *handle, const policydb_t *p, validate_t
 if (p->target_platform == SEPOL_TARGET_SELINUX) {
 switch (i) {
+ case OCON_ISID:
+ if (octx->sid[0] == SEPOL_SECSID_NULL || octx->sid[0] >= SELINUX_SID_SZ)
+ goto bad;
+ break;
 case OCON_FS:
 case OCON_NETIF:
 if (validate_context(&octx->context[1], flavors, p->mls))
--
2.33.0
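Review bot: The new upper bound on `octx->sid[0]` sits only inside the `p->target_platform == SEPOL_TARGET_SELINUX` branch of the second hunk, so nothing shown here range-checks the initial SIDs of a Xen-target policy. If the writers named in the commit message also size their string lists from the largest SID for Xen policies (they are not visible here), a crafted Xen policy could still trigger the same out-of-memory condition. Consider a matching case on the Xen side, e.g. `case OCON_XEN_ISID:` with `if (octx->sid[0] == SEPOL_SECSID_NULL || octx->sid[0] >= XEN_SID_SZ) goto bad;`, assuming `kernel_to_common.h` exposes a Xen table size alongside `SELINUX_SID_SZ`. A one-line comment above the new case, such as `/* kernel ignores unknown initial SIDs; the policy writers allocate by largest SID */`, would also record why the bound is tied to the string table. validate_ocontexts() starts and ends outside the hunk, so an existing Xen check elsewhere in the function cannot be ruled out.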