libsepol: make capability index an unsigned int
When sepol_polcap_getname() is called with a negative capnum, it
dereferences polcap_names[capnum] which produces a segmentation fault
most of the time.

For information, here is a gdb session when hll/pp loads a policy module
which has been mutated by American Fuzzy Lop:

    Program received signal SIGSEGV, Segmentation fault.
    sepol_polcap_getname (capnum=capnum@entry=-4259840) at polcaps.c:34
    34      return polcap_names[capnum];
    => 0x00007ffff7a8da07 <sepol_polcap_getname+135>:   48 8b 04 f8 mov
    (%rax,%rdi,8),%rax

    (gdb) bt
    #0  sepol_polcap_getname (capnum=capnum@entry=-4259840) at
    polcaps.c:34
    #1  0x00007ffff7a7c440 in polcaps_to_cil (pdb=0x6042e0) at
    module_to_cil.c:2492
    #2  sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79c75e0
    <_IO_2_1_stdout_>, pdb=0x6042e0, linked=linked@entry=0) at
    module_to_cil.c:4039
    #3  0x00007ffff7a7e695 in sepol_module_package_to_cil
    (fp=fp@entry=0x7ffff79c75e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at
    module_to_cil.c:4087
    #4  0x0000000000401acc in main (argc=<optimized out>,
    argv=<optimized out>) at pp.c:150

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
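As an added illustration of the defect the commit message describes (not code from libsepol or from the commit itself), the three functions below use a constructed capability table with the same shape as `polcap_names` and a `CAP_MAX` standing in for `POLICYDB_CAPABILITY_MAX`: the pre-fix form checks only the upper bound, the post-fix form takes an unsigned index so a negative argument wraps and is rejected, and a third variant shows the equivalent explicit lower-bound check.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for libsepol's polcap name table; CAP_MAX is the last
 * valid index, mirroring how the patch compares against POLICYDB_CAPABILITY_MAX. */
#define CAP_MAX 2
static const char *const cap_names[CAP_MAX + 1] = {
    "network_peer_controls", "open_perms", "extended_socket_class"
};

/* Pre-fix shape: only the upper bound is checked, so a negative capnum indexes
 * before the array (undefined behaviour, the SIGSEGV in the gdb session).
 * Kept as the "before" form; never call it with a negative value. */
const char *getname_signed_unchecked(int capnum)
{
    if (capnum > CAP_MAX)
        return NULL;
    return cap_names[capnum];   /* capnum < 0 slips past the check */
}

/* Post-fix shape: an unsigned parameter turns a negative argument into a large
 * value, which the unchanged upper-bound check then rejects. */
const char *getname_unsigned(unsigned int capnum)
{
    if (capnum > CAP_MAX)
        return NULL;
    return cap_names[capnum];
}

/* Equivalent defence if the signed prototype had to stay: check both bounds. */
const char *getname_signed_checked(int capnum)
{
    if (capnum < 0 || capnum > CAP_MAX)
        return NULL;
    return cap_names[capnum];
}

/* The value a negative int becomes at the call site of the unsigned prototype. */
unsigned int as_index(int capnum)
{
    return (unsigned int)capnum;
}

int main(void)
{
    int bad = -4259840;   /* the capnum from the crash report */
    printf("wrapped index: %u\n", as_index(bad));
    printf("unsigned lookup: %s\n", getname_unsigned(bad) ? "name" : "NULL");
    printf("checked lookup:  %s\n", getname_signed_checked(bad) ? "name" : "NULL");
    return 0;
}
```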
fishilico authored and stephensmalley committed Jan 9, 2017
1 parent d7b0941 commit d4923b4
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion libsepol/include/sepol/policydb/polcaps.h
Expand Up @@ -19,7 +19,7 @@ enum {
extern int sepol_polcap_getnum(const char *name);

/* Convert a capability number to name. */
extern const char *sepol_polcap_getname(int capnum);
extern const char *sepol_polcap_getname(unsigned int capnum);

#ifdef __cplusplus
}
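Review bot: changing the prototype to `unsigned int capnum` makes every existing caller's negative argument silently convert to a large value, so the callers (polcaps_to_cil in module_to_cil.c, per the backtrace) should be audited to confirm that rejecting such values via the range check is the intended outcome rather than masking a corrupt capability index; the comment above the declaration should also document the failure mode, e.g. `/* Convert a capability number to name; returns NULL if capnum is out of range. */`.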
2 changes: 1 addition & 1 deletion libsepol/src/polcaps.c
Expand Up @@ -26,7 +26,7 @@ int sepol_polcap_getnum(const char *name)
return -1;
}

const char *sepol_polcap_getname(int capnum)
const char *sepol_polcap_getname(unsigned int capnum)
{
if (capnum > POLICYDB_CAPABILITY_MAX)
return NULL;
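Review bot: with `capnum` unsigned, the single `if (capnum > POLICYDB_CAPABILITY_MAX)` check now rejects wrapped negatives, but it still admits `capnum == POLICYDB_CAPABILITY_MAX`, so the fix is only complete if `polcap_names` has `POLICYDB_CAPABILITY_MAX + 1` entries; that definition is not visible in this hunk, so confirm the array size against the bound and consider a compile-time assertion tying the two together so a later addition to one cannot reintroduce an out-of-bounds read.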
