libsepol: do not add gaps to string list
When converting an ebitmap into a string list, skip potential gaps in
ebitmap_to_strs(). All converting functions like strs_to_str(),
strs_write_each() and strs_write_each_indented() do already skip NULL
elements, but sorting such a list will lead to a NULL dereference.

    #0 0x432ce5 in strcmp /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:462:25
    #1 0x4f4893 in strs_cmp selinux/libsepol/src/kernel_to_common.c:258:9
    #2 0x47b74b in qsort_r /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:9994:7
    #3 0x4f481d in strs_sort selinux/libsepol/src/kernel_to_common.c:266:2
    #4 0x4fe781 in attrmap_to_str selinux/libsepol/src/kernel_to_conf.c:1560:2
    #5 0x4fe781 in write_type_attribute_sets_to_conf selinux/libsepol/src/kernel_to_conf.c:1599:11
    #6 0x4f8098 in sepol_kernel_policydb_to_conf selinux/libsepol/src/kernel_to_conf.c:3182:7
    #7 0x4e0277 in LLVMFuzzerTestOneInput selinux/libsepol/fuzz/binpolicy-fuzzer.c:50:9
    #8 0x4d613b in main
    #9 0x7fa2d50260b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
    #10 0x41d4ed in _start

Found by oss-fuzz (#44170)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
cgzones authored and jwcart2 committed Feb 7, 2022
1 parent 9229f8b commit 58443a0
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions libsepol/src/kernel_to_common.c
Expand Up @@ -366,6 +366,9 @@ int ebitmap_to_strs(struct ebitmap *map, struct strs *strs, char **val_to_name)
int rc;

ebitmap_for_each_positive_bit(map, node, i) {
if (!val_to_name[i])
continue;

rc = strs_add(strs, val_to_name[i]);
if (rc != 0) {
return -1;
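
Review bot: The new `if (!val_to_name[i]) continue;` at the top of the `ebitmap_for_each_positive_bit` loop drops a set bit silently, and nothing in the code says why a NULL name is expected there. A short comment above the check (that `val_to_name` can have gaps for bits set in the map) would help the next reader, and the function's documentation should note that the resulting list may hold fewer entries than the map has set bits. Separately, the trace in the commit message shows the crash inside `strs_cmp` called from `strs_sort`; this guard keeps NULL entries out at one producer only, so any other caller that places a NULL into a `strs` list would still reach the same `strcmp`. Consider a NULL check in `strs_cmp`, or a documented non-NULL invariant for entries passed to `strs_add`, as a follow-up.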