sandbox manual page description of sandbox types does not match usage #17

mikedlr · 2016-06-17T17:52:37Z

Currently the sandbox manual page wrongly describes at least two of the contexts

sandbox_x_t \-  Printer Ports

sandbox_net_t   \-  All network ports

actually sandbox_x_t is for X windows, sandbox_net_t seems to block outgoing connections and there is an additional sandbox_net_client_t which seems to allow outgoing network connections.

N.B. The definition of the sandbox seems clearest in this selinux manual page. Confirmation that sandbox_net_t isn't meant to give full network access can be gleaned from this bugzilla ticket

The text was updated successfully, but these errors were encountered:

mikedlr · 2016-06-23T08:58:22Z

My proposed change has been merged. Thanks.

Limit the maximum length of read sizes, like string length of module version and name or keys and number of symtab entries. This avoids the fuzzer to report oom events for huge allocations (it also improves the number of executions per seconds of the fuzzer). This change only affects the fuzzer build. ==15211== ERROR: libFuzzer: out-of-memory (malloc(3115956666)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x59d307 in str_read ./libsepol/src/services.c:1746:8 SELinuxProject#9 0x585b97 in perm_read ./libsepol/src/policydb.c:2063:5 SELinuxProject#10 0x581f8a in common_read ./libsepol/src/policydb.c:2119:7 SELinuxProject#11 0x576681 in policydb_read ./libsepol/src/policydb.c:4417:8 SELinuxProject#12 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#13 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#14 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#15 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#16 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#17 0x7fe1ec88a7ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#18 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==13584== ERROR: libFuzzer: out-of-memory (malloc(2560137369)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x581cc4 in common_read ./libsepol/src/policydb.c:2108:8 SELinuxProject#9 0x576681 in policydb_read ./libsepol/src/policydb.c:4409:8 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7fa6431787ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==12683== ERROR: libFuzzer: out-of-memory (malloc(2526451450)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x575f8a in policydb_read ./libsepol/src/policydb.c:4356:18 SELinuxProject#9 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#10 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#11 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#12 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#13 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#14 0x7fa737b377ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#15 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

Add checks for invalid read sizes from a binary policy to guard allocations. In the fuzzer build the value will also be bounded to avoid oom reports. ==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9 SELinuxProject#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7 SELinuxProject#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9 SELinuxProject#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999) SELinuxProject#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63) SELinuxProject#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6 SELinuxProject#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

Limit the maximum length of read sizes, like string length of module version and name or keys and number of symtab entries. This avoids the fuzzer to report oom events for huge allocations (it also improves the number of executions per seconds of the fuzzer). This change only affects the fuzzer build. ==15211== ERROR: libFuzzer: out-of-memory (malloc(3115956666)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x59d307 in str_read ./libsepol/src/services.c:1746:8 SELinuxProject#9 0x585b97 in perm_read ./libsepol/src/policydb.c:2063:5 SELinuxProject#10 0x581f8a in common_read ./libsepol/src/policydb.c:2119:7 SELinuxProject#11 0x576681 in policydb_read ./libsepol/src/policydb.c:4417:8 SELinuxProject#12 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#13 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#14 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#15 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#16 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#17 0x7fe1ec88a7ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#18 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==13584== ERROR: libFuzzer: out-of-memory (malloc(2560137369)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x581cc4 in common_read ./libsepol/src/policydb.c:2108:8 SELinuxProject#9 0x576681 in policydb_read ./libsepol/src/policydb.c:4409:8 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7fa6431787ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==12683== ERROR: libFuzzer: out-of-memory (malloc(2526451450)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x575f8a in policydb_read ./libsepol/src/policydb.c:4356:18 SELinuxProject#9 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#10 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#11 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#12 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#13 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#14 0x7fa737b377ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#15 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

Add checks for invalid read sizes from a binary policy to guard allocations. In the fuzzer build the value will also be bounded to avoid oom reports. ==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9 SELinuxProject#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7 SELinuxProject#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9 SELinuxProject#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999) SELinuxProject#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63) SELinuxProject#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6 SELinuxProject#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

Limit the maximum length of read sizes, like string length of module version and name or keys and number of symtab entries. This avoids the fuzzer to report oom events for huge allocations (it also improves the number of executions per seconds of the fuzzer). This change only affects the fuzzer build. ==15211== ERROR: libFuzzer: out-of-memory (malloc(3115956666)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x59d307 in str_read ./libsepol/src/services.c:1746:8 SELinuxProject#9 0x585b97 in perm_read ./libsepol/src/policydb.c:2063:5 SELinuxProject#10 0x581f8a in common_read ./libsepol/src/policydb.c:2119:7 SELinuxProject#11 0x576681 in policydb_read ./libsepol/src/policydb.c:4417:8 SELinuxProject#12 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#13 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#14 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#15 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#16 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#17 0x7fe1ec88a7ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#18 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==13584== ERROR: libFuzzer: out-of-memory (malloc(2560137369)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x581cc4 in common_read ./libsepol/src/policydb.c:2108:8 SELinuxProject#9 0x576681 in policydb_read ./libsepol/src/policydb.c:4409:8 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7fa6431787ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==12683== ERROR: libFuzzer: out-of-memory (malloc(2526451450)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x575f8a in policydb_read ./libsepol/src/policydb.c:4356:18 SELinuxProject#9 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#10 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#11 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#12 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#13 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#14 0x7fa737b377ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#15 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

Add checks for invalid read sizes from a binary policy to guard allocations. In the fuzzer build the value will also be bounded to avoid oom reports. ==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9 SELinuxProject#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7 SELinuxProject#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9 SELinuxProject#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999) SELinuxProject#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63) SELinuxProject#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6 SELinuxProject#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

Limit the maximum length of read sizes, like string length of module version and name or keys and number of symtab entries. This avoids the fuzzer to report oom events for huge allocations (it also improves the number of executions per seconds of the fuzzer). This change only affects the fuzzer build. ==15211== ERROR: libFuzzer: out-of-memory (malloc(3115956666)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x59d307 in str_read ./libsepol/src/services.c:1746:8 SELinuxProject#9 0x585b97 in perm_read ./libsepol/src/policydb.c:2063:5 SELinuxProject#10 0x581f8a in common_read ./libsepol/src/policydb.c:2119:7 SELinuxProject#11 0x576681 in policydb_read ./libsepol/src/policydb.c:4417:8 SELinuxProject#12 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#13 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#14 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#15 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#16 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#17 0x7fe1ec88a7ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#18 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==13584== ERROR: libFuzzer: out-of-memory (malloc(2560137369)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x581cc4 in common_read ./libsepol/src/policydb.c:2108:8 SELinuxProject#9 0x576681 in policydb_read ./libsepol/src/policydb.c:4409:8 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7fa6431787ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==12683== ERROR: libFuzzer: out-of-memory (malloc(2526451450)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x575f8a in policydb_read ./libsepol/src/policydb.c:4356:18 SELinuxProject#9 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#10 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#11 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#12 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#13 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#14 0x7fa737b377ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#15 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

Add checks for invalid read sizes from a binary policy to guard allocations. In the fuzzer build the value will also be bounded to avoid oom reports. ==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9 SELinuxProject#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7 SELinuxProject#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9 SELinuxProject#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999) SELinuxProject#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63) SELinuxProject#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6 SELinuxProject#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

Check if the sid value is saturated to guard dependent allocations. ==19967== ERROR: libFuzzer: out-of-memory (malloc(7784628224)) #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) SELinuxProject#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o SELinuxProject#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o SELinuxProject#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o SELinuxProject#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) SELinuxProject#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) SELinuxProject#6 0x4aabe3 in __asan::Allocator::Reallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aabe3) SELinuxProject#7 0x4aaa32 in __asan::asan_reallocarray(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aaa32) SELinuxProject#8 0x525f8e in __interceptor_reallocarray (./out/binpolicy-fuzzer+0x525f8e) SELinuxProject#9 0x5ebad3 in strs_add_at_index ./libsepol/src/kernel_to_common.c:224:9 SELinuxProject#10 0x5680eb in write_sids_to_conf ./libsepol/src/kernel_to_conf.c:466:8 SELinuxProject#11 0x55c1c0 in write_sid_decl_rules_to_conf ./libsepol/src/kernel_to_conf.c:498:8 SELinuxProject#12 0x55ad36 in sepol_kernel_policydb_to_conf ./libsepol/src/kernel_to_conf.c:3083:7 SELinuxProject#13 0x55a34f in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:38:9 SELinuxProject#14 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#15 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#16 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#17 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#18 0x7f085ac657ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#19 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <cgzones@googlemail.com>