packages/libsepol
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
libsepol/backport-libsepol-cil-fix-NULL-pointer-dereference-when-using.patch
yang_zhuang_zhuang dcbb3a6a58 fix heap-use-after-free in cil_yy_switch_to_buffer 
fix heap-use-after-free in __class_reset_perm_values()
  fix heap-buffer-overflow in cil_print_recursive_blockinherit
2021-03-15 11:31:23 +08:00

42 lines
1.5 KiB
Diff
Raw Blame History

From 38a09b74024bbe1c78639821f3cff3a5ceb73d0d Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Wed, 30 Dec 2020 21:11:39 +0100
Subject: [PATCH] libsepol/cil: fix NULL pointer dereference when using an
unused alias
OSS-Fuzz found a NULL pointer dereference when the CIL compiler tries to
compile a policy where a categoryalias references an unused
categoryalias:
$ echo '(categoryalias c0)(categoryalias c1)(categoryaliasactual c0 c1)' > tmp.cil
$ secil tmp.cil
Segmentation fault (core dumped)
In such a case, a1 can become NULL in cil_resolve_alias_to_actual().
Add a check to report an error when this occurs. Now the error message
is:
Alias c0 references an unused alias c1 at tmp.cil:1
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28471
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
libsepol/cil/src/cil_resolve_ast.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index f6deb1002..affa7657b 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -555,6 +555,10 @@ int cil_resolve_alias_to_actual(struct cil_tree_node *current, enum cil_flavor f
a1_node = a1->datum.nodes->head->data;
while (flavor != a1_node->flavor) {
+ if (a1->actual == NULL) {
+ cil_tree_log(current, CIL_ERR, "Alias %s references an unused alias %s", alias->datum.name, a1->datum.name);
+ return SEPOL_ERR;
+ }
a1 = a1->actual;
a1_node = a1->datum.nodes->head->data;
steps += 1;
Reference in New Issue View Git Blame Copy Permalink