packages/libsepol
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
libsepol/backport-libsepol-reject-avtab-entries-with-invalid-specifier.patch
markeryang 977186bea8 sync backport patches from upstream
2024-10-15 01:36:33 +00:00

62 lines
2.1 KiB
Diff
Raw Permalink Blame History

From b1b3467a476b109f20ad581d73c56262205a021e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Wed, 1 Nov 2023 17:37:24 +0100
Subject: [PATCH] libsepol: reject avtab entries with invalid specifier
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Neverallow avtab entries are not supported (normal and extended). Reject
them to avoid lookup confusions via avtab_search(), e.g. when searching
for a invalid key of AVTAB_TRANSITION|AVTAB_NEVERALLOW and the result of
only AVTAB_NEVERALLOW has no transition value.
Simplify the check for the number of specifiers by using the compiler
popcount builtin (already used in libsepol).
Reported-by: oss-fuzz (issue 60568), caused at the time by the filetrans
prefix proposal
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Reference: https://github.com/SELinuxProject/selinux/commit/b1b3467a476b109f20ad581d73c56262205a021e
Conflict: NA
---
libsepol/src/avtab.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c
index 6ab49c5e..1ef5ee00 100644
--- a/libsepol/src/avtab.c
+++ b/libsepol/src/avtab.c
@@ -441,7 +441,6 @@ int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a,
avtab_key_t key;
avtab_datum_t datum;
avtab_extended_perms_t xperms;
- unsigned set;
unsigned int i;
int rc;
@@ -535,13 +534,13 @@ int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a,
key.target_class = le16_to_cpu(buf16[items++]);
key.specified = le16_to_cpu(buf16[items++]);
- set = 0;
- for (i = 0; i < ARRAY_SIZE(spec_order); i++) {
- if (key.specified & spec_order[i])
- set++;
+ if (key.specified & ~(AVTAB_AV | AVTAB_TYPE | AVTAB_XPERMS | AVTAB_ENABLED)) {
+ ERR(fp->handle, "invalid specifier");
+ return -1;
}
- if (!set || set > 1) {
- ERR(fp->handle, "more than one specifier");
+
+ if (__builtin_popcount(key.specified & ~AVTAB_ENABLED) != 1) {
+ ERR(fp->handle, "not exactly one specifier");
return -1;
}
--
2.33.0
Reference in New Issue View Git Blame Copy Permalink