From 6675e12cc17345834f14a52d260fd0bf4437d03c Mon Sep 17 00:00:00 2001 From: Nicolas Iooss Date: Tue, 22 Nov 2016 23:23:39 +0100 Subject: [PATCH] libsepol: do not crash when a symbol does not exist When hll/pp reads an invalid policy module where some scopes use required symbols which are not defined, the program crashes with a segmentation fault in required_scopes_to_cil(): Program received signal SIGSEGV, Segmentation fault. required_scopes_to_cil (decl_stack=0x6040b0, block=0x607780, pdb=0x6042e0, indent=0) at module_to_cil.c:3479 3479 for (j = 0; j < scope_datum->decl_ids_len; j++) { => 0x00007ffff7a7b1a8 : 44 8b 58 10 mov 0x10(%rax),%r11d (gdb) bt #0 required_scopes_to_cil (decl_stack=0x6040b0, block=0x607780, pdb=0x6042e0, indent=0) at module_to_cil.c:3479 #1 block_to_cil (pdb=pdb@entry=0x6042e0, block=block@entry=0x607780, stack=stack@entry=0x6040b0, indent=indent@entry=0) at module_to_cil.c:3622 #2 0x00007ffff7a85a18 in global_block_to_cil (stack=0x6040b0, block=0x607780, pdb=0x6042e0) at module_to_cil.c:3738 #3 blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3764 #4 sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79d05e0 <_IO_2_1_stdout_>, pdb=0x6042e0, linked=linked@entry=0) at module_to_cil.c:4051 #5 0x00007ffff7a86b55 in sepol_module_package_to_cil (fp=fp@entry=0x7ffff79d05e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at module_to_cil.c:4080 #6 0x0000000000401acc in main (argc=, argv=) at pp.c:150 (gdb) p scope_datum $1 = (struct scope_datum *) 0x0 Detect such errors and exit with an error return value. Signed-off-by: Nicolas Iooss
---
 libsepol/src/module_to_cil.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index ab3ac03d78..1c2c51c614 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c 
@@ -3469,6 +3469,10 @@ static int required_scopes_to_cil(int indent, struct policydb *pdb, struct avrul
 key = pdb->sym_val_to_name[sym][i];
 scope_datum = hashtab_search(pdb->scope[sym].table, key);
+ if (scope_datum == NULL) {
+ rc = -1;
+ goto exit;
+ }
 for (j = 0; j < scope_datum->decl_ids_len; j++) {
 if (scope_datum->decl_ids[j] == decl->decl_id) {
 break;