libsepol/backport-libsepol-Fix-buffer-overflow-when-using-sepol_av_to_.patch

From c205b924e280c4ee161c79d2442c5026ec89597c Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Fri, 8 Mar 2024 16:55:56 -0500
Subject: [PATCH] libsepol: Fix buffer overflow when using
sepol_av_to_string()

The function sepol_av_to_string() normally returns a list of
permissions with a space at the beginning, but it will return '\0'
if there are no permissions. Unfortunately, functions in
kernel_to_cil, kernel_to_conf, and module_to_cil assume there is a
space at the beginning and skip the space by using "perms+1".

In kernel_to_cil, kernel_to_conf, and module_to_cil, check for the
permission string being '\0' and return an error if it is.

Reported-by: oss-fuzz (issue 67276)
Signed-off-by: James Carter <jwcart2@gmail.com>
---
 libsepol/src/kernel_to_cil.c  | 11 +++++++++++
 libsepol/src/kernel_to_conf.c | 11 +++++++++++
 libsepol/src/module_to_cil.c  | 12 ++++++++++++
 3 files changed, 34 insertions(+)

diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index 69efc97..6d7d815 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -1754,6 +1760,11 @@ static char *avtab_node_to_str(struct policydb *pdb, avtab_key_t *key, avtab_dat
 			sepol_log_err("Failed to generate permission string");
 			goto exit;
 		}
+		if (*perms == '\0') {
+			sepol_log_err("No permisisons in permission string");
+			free(perms);
+			goto exit;
+		}
 		rule = create_str("(%s %s %s (%s (%s)))", 5,
 				  flavor, src, tgt, class, perms+1);
 	} else if (key->specified & AVTAB_XPERMS) {
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index a1bf05f..f484e2b 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -291,6 +291,12 @@ static int class_constraint_rules_to_strs(struct policydb *pdb, char *classkey,
 		}
 
 		perms = sepol_av_to_string(pdb, class->s.value, curr->permissions);
+		if (*perms == '\0') {
+			sepol_log_err("No permisisons in permission string");
+			free(perms);
+			rc = -1;
+			goto exit;
+		}
 		if (strchr(perms, ' ')) {
 			format_str = "%s %s { %s } %s;";
 		} else {
@@ -1728,6 +1734,11 @@ static char *avtab_node_to_str(struct policydb *pdb, avtab_key_t *key, avtab_dat
 			sepol_log_err("Failed to generate permission string");
 			goto exit;
 		}
+		if (*perms == '\0') {
+			sepol_log_err("No permisisons in permission string");
+			free(perms);
+			goto exit;
+		}
 		rule = create_str("%s %s %s:%s { %s };", 5,
 				  flavor, src, tgt, class, perms+1);
 	} else if (key->specified & AVTAB_XPERMS) {
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 410a41d..e5e632e 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -606,6 +606,12 @@ static int avrule_to_cil(int indent, struct policydb *pdb, uint32_t type, const
 				rc = -1;
 				goto exit;
 			}
+			if (*perms == '\0') {
+				log_err("No permissions in permission string");
+				free(perms);
+				rc = -1;
+				goto exit;
+			}
 			cil_println(indent, "(%s %s %s (%s (%s)))",
 					rule, src, tgt,
 					pdb->p_class_val_to_name[classperm->tclass - 1],
@@ -1955,6 +1961,12 @@ static int constraints_to_cil(int indent, struct policydb *pdb, char *classkey,
 
 		if (is_constraint) {
 			perms = sepol_av_to_string(pdb, class->s.value, node->permissions);
+			if (*perms == '\0') {
+				log_err("No permissions in permission string");
+				free(perms);
+				rc = -1;
+				goto exit;
+			}
 			cil_println(indent, "(%sconstrain (%s (%s)) %s)", mls, classkey, perms + 1, expr);
 		} else {
 			cil_println(indent, "(%svalidatetrans %s %s)", mls, classkey, expr);
sync backport patches from upstream 2024-10-12 02:09:33 +00:00			`From c205b924e280c4ee161c79d2442c5026ec89597c Mon Sep 17 00:00:00 2001`
			`From: James Carter <jwcart2@gmail.com>`
			`Date: Fri, 8 Mar 2024 16:55:56 -0500`
			`Subject: [PATCH] libsepol: Fix buffer overflow when using`
			`sepol_av_to_string()`

			`The function sepol_av_to_string() normally returns a list of`
			`permissions with a space at the beginning, but it will return '\0'`
			`if there are no permissions. Unfortunately, functions in`
			`kernel_to_cil, kernel_to_conf, and module_to_cil assume there is a`
			`space at the beginning and skip the space by using "perms+1".`

			`In kernel_to_cil, kernel_to_conf, and module_to_cil, check for the`
			`permission string being '\0' and return an error if it is.`

			`Reported-by: oss-fuzz (issue 67276)`
			`Signed-off-by: James Carter <jwcart2@gmail.com>`
			`---`
			`libsepol/src/kernel_to_cil.c \| 11 +++++++++++`
			`libsepol/src/kernel_to_conf.c \| 11 +++++++++++`
			`libsepol/src/module_to_cil.c \| 12 ++++++++++++`
			`3 files changed, 34 insertions(+)`

			`diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c`
			`index 69efc97..6d7d815 100644`
			`--- a/libsepol/src/kernel_to_cil.c`
			`+++ b/libsepol/src/kernel_to_cil.c`
			`@@ -1754,6 +1760,11 @@ static char avtab_node_to_str(struct policydb pdb, avtab_key_t *key, avtab_dat`
			`sepol_log_err("Failed to generate permission string");`
			`goto exit;`
			`}`
			`+ if (*perms == '\0') {`
			`+ sepol_log_err("No permisisons in permission string");`
			`+ free(perms);`
			`+ goto exit;`
			`+ }`
			`rule = create_str("(%s %s %s (%s (%s)))", 5,`
			`flavor, src, tgt, class, perms+1);`
			`} else if (key->specified & AVTAB_XPERMS) {`
			`diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c`
			`index a1bf05f..f484e2b 100644`
			`--- a/libsepol/src/kernel_to_conf.c`
			`+++ b/libsepol/src/kernel_to_conf.c`
			`@@ -291,6 +291,12 @@ static int class_constraint_rules_to_strs(struct policydb pdb, char classkey,`
			`}`

			`perms = sepol_av_to_string(pdb, class->s.value, curr->permissions);`
			`+ if (*perms == '\0') {`
			`+ sepol_log_err("No permisisons in permission string");`
			`+ free(perms);`
			`+ rc = -1;`
			`+ goto exit;`
			`+ }`
			`if (strchr(perms, ' ')) {`
			`format_str = "%s %s { %s } %s;";`
			`} else {`
			`@@ -1728,6 +1734,11 @@ static char avtab_node_to_str(struct policydb pdb, avtab_key_t *key, avtab_dat`
			`sepol_log_err("Failed to generate permission string");`
			`goto exit;`
			`}`
			`+ if (*perms == '\0') {`
			`+ sepol_log_err("No permisisons in permission string");`
			`+ free(perms);`
			`+ goto exit;`
			`+ }`
			`rule = create_str("%s %s %s:%s { %s };", 5,`
			`flavor, src, tgt, class, perms+1);`
			`} else if (key->specified & AVTAB_XPERMS) {`
			`diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c`
			`index 410a41d..e5e632e 100644`
			`--- a/libsepol/src/module_to_cil.c`
			`+++ b/libsepol/src/module_to_cil.c`
			`@@ -606,6 +606,12 @@ static int avrule_to_cil(int indent, struct policydb *pdb, uint32_t type, const`
			`rc = -1;`
			`goto exit;`
			`}`
			`+ if (*perms == '\0') {`
			`+ log_err("No permissions in permission string");`
			`+ free(perms);`
			`+ rc = -1;`
			`+ goto exit;`
			`+ }`
			`cil_println(indent, "(%s %s %s (%s (%s)))",`
			`rule, src, tgt,`
			`pdb->p_class_val_to_name[classperm->tclass - 1],`
			`@@ -1955,6 +1961,12 @@ static int constraints_to_cil(int indent, struct policydb pdb, char classkey,`

			`if (is_constraint) {`
			`perms = sepol_av_to_string(pdb, class->s.value, node->permissions);`
			`+ if (*perms == '\0') {`
			`+ log_err("No permissions in permission string");`
			`+ free(perms);`
			`+ rc = -1;`
			`+ goto exit;`
			`+ }`
			`cil_println(indent, "(%sconstrain (%s (%s)) %s)", mls, classkey, perms + 1, expr);`
			`} else {`
			`cil_println(indent, "(%svalidatetrans %s %s)", mls, classkey, expr);`