Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add checks for invalid read sizes from a binary policy to guard allocations. The common and class permission counts needs to be limited more strict otherwise a too high count of common or class permissions can lead to permission values with a too high value, which can lead to overflows in shift operations. In the fuzzer build the value will also be bounded to avoid oom reports. ==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) #1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o #2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o #3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o #4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) #5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) #6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143) SELinuxProject#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb) SELinuxProject#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9 SELinuxProject#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7 SELinuxProject#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9 SELinuxProject#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) ==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008)) To change the out-of-memory limit use -rss_limit_mb=<N> #0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61) #1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o #2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o #3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o #4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557) #5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7) #6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999) SELinuxProject#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63) SELinuxProject#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6 SELinuxProject#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6 SELinuxProject#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6 SELinuxProject#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o SELinuxProject#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o SELinuxProject#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o SELinuxProject#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) SELinuxProject#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16 SELinuxProject#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689) Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
- Loading branch information