From c205b924e280c4ee161c79d2442c5026ec89597c Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Fri, 8 Mar 2024 16:55:56 -0500
Subject: [PATCH] libsepol: Fix buffer overflow when using
sepol_av_to_string()

The function sepol_av_to_string() normally returns a list of
permissions with a space at the beginning, but it will return '\0'
if there are no permissions. Unfortunately, functions in
kernel_to_cil, kernel_to_conf, and module_to_cil assume there is a
space at the beginning and skip the space by using "perms+1".

In kernel_to_cil, kernel_to_conf, and module_to_cil, check for the
permission string being '\0' and return an error if it is.

Reported-by: oss-fuzz (issue 67276)
Signed-off-by: James Carter <jwcart2@gmail.com>
---
 libsepol/src/kernel_to_cil.c  | 11 +++++++++++
 libsepol/src/kernel_to_conf.c | 11 +++++++++++
 libsepol/src/module_to_cil.c  | 12 ++++++++++++
 3 files changed, 34 insertions(+)

diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index 69efc97..6d7d815 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -1754,6 +1760,11 @@ static char *avtab_node_to_str(struct policydb *pdb, avtab_key_t *key, avtab_dat
 			sepol_log_err("Failed to generate permission string");
 			goto exit;
 		}
+		if (*perms == '\0') {
+			sepol_log_err("No permisisons in permission string");
+			free(perms);
+			goto exit;
+		}
 		rule = create_str("(%s %s %s (%s (%s)))", 5,
 				  flavor, src, tgt, class, perms+1);
 	} else if (key->specified & AVTAB_XPERMS) {
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index a1bf05f..f484e2b 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -291,6 +291,12 @@ static int class_constraint_rules_to_strs(struct policydb *pdb, char *classkey,
 		}
 
 		perms = sepol_av_to_string(pdb, class->s.value, curr->permissions);
+		if (*perms == '\0') {
+			sepol_log_err("No permisisons in permission string");
+			free(perms);
+			rc = -1;
+			goto exit;
+		}
 		if (strchr(perms, ' ')) {
 			format_str = "%s %s { %s } %s;";
 		} else {
@@ -1728,6 +1734,11 @@ static char *avtab_node_to_str(struct policydb *pdb, avtab_key_t *key, avtab_dat
 			sepol_log_err("Failed to generate permission string");
 			goto exit;
 		}
+		if (*perms == '\0') {
+			sepol_log_err("No permisisons in permission string");
+			free(perms);
+			goto exit;
+		}
 		rule = create_str("%s %s %s:%s { %s };", 5,
 				  flavor, src, tgt, class, perms+1);
 	} else if (key->specified & AVTAB_XPERMS) {
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 410a41d..e5e632e 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -606,6 +606,12 @@ static int avrule_to_cil(int indent, struct policydb *pdb, uint32_t type, const
 				rc = -1;
 				goto exit;
 			}
+			if (*perms == '\0') {
+				log_err("No permissions in permission string");
+				free(perms);
+				rc = -1;
+				goto exit;
+			}
 			cil_println(indent, "(%s %s %s (%s (%s)))",
 					rule, src, tgt,
 					pdb->p_class_val_to_name[classperm->tclass - 1],
@@ -1955,6 +1961,12 @@ static int constraints_to_cil(int indent, struct policydb *pdb, char *classkey,
 
 		if (is_constraint) {
 			perms = sepol_av_to_string(pdb, class->s.value, node->permissions);
+			if (*perms == '\0') {
+				log_err("No permissions in permission string");
+				free(perms);
+				rc = -1;
+				goto exit;
+			}
 			cil_println(indent, "(%sconstrain (%s (%s)) %s)", mls, classkey, perms + 1, expr);
 		} else {
 			cil_println(indent, "(%svalidatetrans %s %s)", mls, classkey, expr);