libsepol/backport-libsepol-cil-be-more-robust-when-encountering-src_in.patch

From 4662bdc11c8f505716f8da361a07ad13083b0618 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Fri, 5 Feb 2021 10:45:38 +0100
Subject: [PATCH] libsepol/cil: be more robust when encountering <src_info>
OSS-Fuzz found a Null-dereference READ in the CIL compiler when trying
to compile the following policy:
(<src_info>)
In cil_gen_src_info(), parse_current->next is NULL even though the code
expects that both parse_current->next and parse_current->next->next
exist.
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28457
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
libsepol/cil/src/cil_build_ast.c | 5 +++++
libsepol/cil/src/cil_tree.c | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index 5094d62..726f46c 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -6070,6 +6070,11 @@ int cil_gen_src_info(struct cil_tree_node *parse_current, struct cil_tree_node *
/* No need to check syntax, because this is auto generated */
struct cil_src_info *info = NULL;
+ if (parse_current->next == NULL || parse_current->next->next == NULL) {
+ cil_tree_log(parse_current, CIL_ERR, "Bad <src_info>");
+ return SEPOL_ERR;
+ }
+
cil_src_info_init(&info);
info->is_cil = (parse_current->next->data == CIL_KEY_SRC_CIL) ? CIL_TRUE : CIL_FALSE;
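Review bot: The comment kept on the line above the new guard, "No need to check syntax, because this is auto generated", is now contradicted by the check that follows it, and the OSS-Fuzz input in the description shows that `<src_info>` does reach this function from untrusted policy text. I would replace it with `/* <src_info> is normally auto-generated, but it can also appear in hand-written or fuzzed input, so verify its two arguments exist before dereferencing them */`. The guard is correctly placed before cil_src_info_init(), so the error return leaks nothing. The same arity check is repeated in cil_tree_get_next_path() in the second hunk; a small static helper shared by both would keep the two in step if the node layout ever changes. cil_gen_src_info's body continues outside the hunk.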
diff --git a/libsepol/cil/src/cil_tree.c b/libsepol/cil/src/cil_tree.c
index 886412d..3da972e 100644
--- a/libsepol/cil/src/cil_tree.c
+++ b/libsepol/cil/src/cil_tree.c
@@ -69,7 +69,7 @@ struct cil_tree_node *cil_tree_get_next_path(struct cil_tree_node *node, char **
while (node) {
if (node->flavor == CIL_NODE && node->data == NULL) {
- if (node->cl_head->data == CIL_KEY_SRC_INFO) {
+ if (node->cl_head->data == CIL_KEY_SRC_INFO && node->cl_head->next != NULL && node->cl_head->next->next != NULL) {
/* Parse Tree */
*path = node->cl_head->next->next->data;
*is_cil = (node->cl_head->next->data == CIL_KEY_SRC_CIL);
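Review bot: The new condition still dereferences `node->cl_head` before any check that it is non-NULL, so a CIL_NODE with NULL data and no children would fault on the first comparison; whether such a node can reach this loop is not visible from the hunk and should be confirmed against the parser. If it can, the guard should lead with the parent, `if (node->cl_head != NULL && node->cl_head->data == CIL_KEY_SRC_INFO && node->cl_head->next != NULL && node->cl_head->next->next != NULL) {`. The while loop and cil_tree_get_next_path() continue outside the hunk.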
--
1.8.3.1