From cd14c0eb8552bace7c8aef45a933898ded799d9d Mon Sep 17 00:00:00 2001 From: markeryang Date: Tue, 15 Oct 2024 01:36:33 +0000 Subject: [PATCH] sync backport patches from upstream (cherry picked from commit 977186bea8f1977eb677de83bbf6df234918cac4) --- ...ck-for-category-value-before-printin.patch | 35 +++++ ...pol-adjust-type-for-saturation-check.patch | 39 +++++ ...avoid-integer-overflow-in-add_i_to_a.patch | 32 ++++ ...rt-libsepol-avoid-leak-in-OOM-branch.patch | 39 +++++ ...tab-check-read-counts-for-saturation.patch | 37 +++++ ...eck-common-perms-when-verifiying-all.patch | 53 +++++++ ...not-allow-classpermissionset-to-use-.patch | 87 +++++++++++ ...l-Fix-detected-RESOURCE_LEAK-CWE-772.patch | 29 ++++ ...re-transitivity-in-compare-functions.patch | 77 ++++++++++ ...rt-libsepol-enhance-saturation-check.patch | 138 ++++++++++++++++++ ...re-transitivity-in-compare-functions.patch | 47 ++++++ ...ort-libsepol-expand-skip-invalid-cat.patch | 38 +++++ ...port-libsepol-more-strict-validation.patch | 55 +++++++ ...avtab-entries-with-invalid-specifier.patch | 61 ++++++++ ...libsepol-reject-invalid-class-datums.patch | 54 +++++++ ...ject-linking-modules-with-no-avrules.patch | 47 ++++++ ...ject-unsupported-policy-capabilities.patch | 75 ++++++++++ ...se-correct-type-to-avoid-truncations.patch | 50 +++++++ ...e-empty-common-classes-in-scope-indi.patch | 35 +++++ ...e-the-identifier-for-initials-SID-is.patch | 50 +++++++ libsepol.spec | 25 +++- 21 files changed, 1102 insertions(+), 1 deletion(-) create mode 100644 backport-libsepol-add-check-for-category-value-before-printin.patch create mode 100644 backport-libsepol-adjust-type-for-saturation-check.patch create mode 100644 backport-libsepol-avoid-integer-overflow-in-add_i_to_a.patch create mode 100644 backport-libsepol-avoid-leak-in-OOM-branch.patch create mode 100644 backport-libsepol-avtab-check-read-counts-for-saturation.patch create mode 100644 backport-libsepol-cil-Check-common-perms-when-verifiying-all.patch create mode 100644 backport-libsepol-cil-Do-not-allow-classpermissionset-to-use-.patch create mode 100644 backport-libsepol-cil-Fix-detected-RESOURCE_LEAK-CWE-772.patch create mode 100644 backport-libsepol-cil-ensure-transitivity-in-compare-functions.patch create mode 100644 backport-libsepol-enhance-saturation-check.patch create mode 100644 backport-libsepol-ensure-transitivity-in-compare-functions.patch create mode 100644 backport-libsepol-expand-skip-invalid-cat.patch create mode 100644 backport-libsepol-more-strict-validation.patch create mode 100644 backport-libsepol-reject-avtab-entries-with-invalid-specifier.patch create mode 100644 backport-libsepol-reject-invalid-class-datums.patch create mode 100644 backport-libsepol-reject-linking-modules-with-no-avrules.patch create mode 100644 backport-libsepol-reject-unsupported-policy-capabilities.patch create mode 100644 backport-libsepol-use-correct-type-to-avoid-truncations.patch create mode 100644 backport-libsepol-validate-empty-common-classes-in-scope-indi.patch create mode 100644 backport-libsepol-validate-the-identifier-for-initials-SID-is.patch diff --git a/backport-libsepol-add-check-for-category-value-before-printin.patch b/backport-libsepol-add-check-for-category-value-before-printin.patch new file mode 100644 index 0000000..fe6537d --- /dev/null +++ b/backport-libsepol-add-check-for-category-value-before-printin.patch @@ -0,0 +1,35 @@ +From d3c2992ed0358c8e86a83c7f55fc529cba545298 Mon Sep 17 00:00:00 2001 +From: Huaxin Lu +Date: Thu, 16 Nov 2023 07:32:07 +0800 +Subject: [PATCH] libsepol: add check for category value before printing + +In mls_semantic_level_expand(), there is a explicitly determine +whether category is 0, which may cause an potential integer +overflow in error branch. + +Signed-off-by: Huaxin Lu +Acked-by: James Carter + +Reference: https://github.com/SELinuxProject/selinux/commit/d3c2992ed0358c8e86a83c7f55fc529cba545298 +Conflict: NA +--- + libsepol/src/expand.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c +index ee5f9185..e63414b1 100644 +--- a/libsepol/src/expand.c ++++ b/libsepol/src/expand.c +@@ -945,8 +945,8 @@ int mls_semantic_level_expand(mls_semantic_level_t * sl, mls_level_t * l, + for (cat = sl->cat; cat; cat = cat->next) { + if (!cat->low || cat->low > cat->high) { + ERR(h, "Category range is not valid %s.%s", +- p->p_cat_val_to_name[cat->low - 1], +- p->p_cat_val_to_name[cat->high - 1]); ++ cat->low > 0 ? p->p_cat_val_to_name[cat->low - 1] : "Invalid", ++ cat->high > 0 ? p->p_cat_val_to_name[cat->high - 1] : "Invalid"); + return -1; + } + for (i = cat->low - 1; i < cat->high; i++) { +-- +2.33.0 diff --git a/backport-libsepol-adjust-type-for-saturation-check.patch b/backport-libsepol-adjust-type-for-saturation-check.patch new file mode 100644 index 0000000..df0804c --- /dev/null +++ b/backport-libsepol-adjust-type-for-saturation-check.patch @@ -0,0 +1,39 @@ +From 44375cb4a21dfdf3ac037237c5529049123336c2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Thu, 9 Nov 2023 14:51:19 +0100 +Subject: [PATCH] libsepol: adjust type for saturation check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Change the type for the number of primary names in a symtab to uint32_t, +which conforms to the bytes read and the type used in the symtab. +The type is important for the saturation check via is_saturated(), since +it checks against -1 casted to the specific type. + +Signed-off-by: Christian Göttsche +Acked-by: James Carter + +Reference: https://github.com/SELinuxProject/selinux/commit/44375cb4a21dfdf3ac037237c5529049123336c2 +Conflict: NA +--- + libsepol/src/policydb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c +index f608aba4..bc7bc9dc 100644 +--- a/libsepol/src/policydb.c ++++ b/libsepol/src/policydb.c +@@ -4120,8 +4120,8 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose) + { + + unsigned int i, j, r_policyvers; +- uint32_t buf[5]; +- size_t len, nprim, nel; ++ uint32_t buf[5], nprim; ++ size_t len, nel; + char *policydb_str; + const struct policydb_compat_info *info; + unsigned int policy_type, bufindex; +-- +2.33.0 diff --git a/backport-libsepol-avoid-integer-overflow-in-add_i_to_a.patch b/backport-libsepol-avoid-integer-overflow-in-add_i_to_a.patch new file mode 100644 index 0000000..bac5bed --- /dev/null +++ b/backport-libsepol-avoid-integer-overflow-in-add_i_to_a.patch @@ -0,0 +1,32 @@ +From a55cd37461f2e1ef4cec3b09aa8b99f2d12a529d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Mon, 11 Dec 2023 15:48:25 +0100 +Subject: [PATCH] libsepol: avoid integer overflow in add_i_to_a() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Christian Göttsche +Acked-by: James Carter + +Reference: https://github.com/SELinuxProject/selinux/commit/a55cd37461f2e1ef4cec3b09aa8b99f2d12a529d +Conflict: NA +--- + libsepol/src/util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsepol/src/util.c b/libsepol/src/util.c +index 571f6c93..4a6f7d11 100644 +--- a/libsepol/src/util.c ++++ b/libsepol/src/util.c +@@ -44,7 +44,7 @@ int add_i_to_a(uint32_t i, uint32_t * cnt, uint32_t ** a) + { + uint32_t *new; + +- if (cnt == NULL || a == NULL) ++ if (cnt == NULL || *cnt == UINT32_MAX || a == NULL) + return -1; + + /* FIX ME: This is not very elegant! We use an array that we +-- +2.33.0 diff --git a/backport-libsepol-avoid-leak-in-OOM-branch.patch b/backport-libsepol-avoid-leak-in-OOM-branch.patch new file mode 100644 index 0000000..ec28e1c --- /dev/null +++ b/backport-libsepol-avoid-leak-in-OOM-branch.patch @@ -0,0 +1,39 @@ +From 3b05202621539843069bb1477da0d6cfdd384ebc Mon Sep 17 00:00:00 2001 +From: root +Date: Mon, 8 Jan 2024 19:51:09 +0800 +Subject: [PATCH] libsepol: avoid leak in OOM branch +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In case the member sid_key failed to allocate, free the parent struct. + +Reported by Clang Analyzer: + + module_to_cil.c:2607:9: warning: Potential leak of memory pointed to by 'item' [unix.Malloc] + 2607 | return rc; + | ^~ + +Signed-off-by: Christian Göttsche +Acked-by: James Carter + +Reference: https://github.com/SELinuxProject/selinux/commit/5e425b4165b801666e478b19efbf8ddb14d82a02 +Conflict: Context adaptation +--- + libsepol/src/module_to_cil.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c +index cc8066d..9a45cee 100644 +--- a/libsepol/src/module_to_cil.c ++++ b/libsepol/src/module_to_cil.c +@@ -2570,6 +2570,7 @@ static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_ + item->sid_key = strdup(sid); + if (!item->sid_key) { + log_err("Out of memory"); ++ free(item); + rc = -1; + goto exit; + } +-- +2.33.0 diff --git a/backport-libsepol-avtab-check-read-counts-for-saturation.patch b/backport-libsepol-avtab-check-read-counts-for-saturation.patch new file mode 100644 index 0000000..ec8a436 --- /dev/null +++ b/backport-libsepol-avtab-check-read-counts-for-saturation.patch @@ -0,0 +1,37 @@ +From f9fd25005f815d996c4344967a8ad13dee853303 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Wed, 1 Nov 2023 17:37:25 +0100 +Subject: [PATCH] libsepol: avtab: check read counts for saturation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Ensure counts are not set to the maximum value of their type. +Also limit their size during fuzzing to prevent OOM reports. + +Reported-by: oss-fuzz (issue 60572), caused at the time by the filetrans + prefix proposal +Signed-off-by: Christian Göttsche +Acked-by: James Carter + +Reference: https://github.com/SELinuxProject/selinux/commit/f9fd25005f815d996c4344967a8ad13dee853303 +Conflict: NA +--- + libsepol/src/avtab.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c +index 1ef5ee00..7c2328b7 100644 +--- a/libsepol/src/avtab.c ++++ b/libsepol/src/avtab.c +@@ -600,7 +600,7 @@ int avtab_read(avtab_t * a, struct policy_file *fp, uint32_t vers) + goto bad; + } + nel = le32_to_cpu(buf[0]); +- if (!nel) { ++ if (zero_or_saturated(nel)) { + ERR(fp->handle, "table is empty"); + goto bad; + } +-- +2.33.0 diff --git a/backport-libsepol-cil-Check-common-perms-when-verifiying-all.patch b/backport-libsepol-cil-Check-common-perms-when-verifiying-all.patch new file mode 100644 index 0000000..332727a --- /dev/null +++ b/backport-libsepol-cil-Check-common-perms-when-verifiying-all.patch @@ -0,0 +1,53 @@ +From c071aa2e635935216e8e504a5b398f58aed2838e Mon Sep 17 00:00:00 2001 +From: James Carter +Date: Mon, 1 Apr 2024 10:49:24 -0400 +Subject: [PATCH] libsepol/cil: Check common perms when verifiying "all" + +Commit e81c466 "Fix class permission verification in CIL", added a +check for the use of "all" in a permission expression for a class +that had no permissions. Unfortunately, that change did not take +into account a class that had common permissions, so a class that +has no permmissions of its own, but inherits permissions from a +common, will fail the verification check. + +If the class inherits from a common, then add those permissions to +the permmission list when verifying the permission expression. + +Example/ +(common co1 (cop1)) +(class cl1 ()) +(classcommon cl1 co1) +(classorder (CLASS cl1)) + +(classpermission cp1) +(classpermissionset cp1 (cl1 (all))) + +(classmap cm1 (cmp1)) +(classmapping cm1 cmp1 (cl1 (all))) + +Previously, both the classpermissionset and the classmapping rules +would fail verification, but now they pass as expected. + +Patch originally from Ben Cressey , I have +expanded the explanation. + +Reported-by: Ben Cressey +Signed-off-by: James Carter +--- + libsepol/cil/src/cil_verify.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c +index 0c6d50a18..4ef2cbab3 100644 +--- a/libsepol/cil/src/cil_verify.c ++++ b/libsepol/cil/src/cil_verify.c +@@ -1842,6 +1842,9 @@ static int __cil_verify_perms(struct cil_class *class, struct cil_list *perms, s + int count2 = 0; + cil_list_init(&perm_list, CIL_MAP_PERM); + cil_symtab_map(&class->perms, __add_perm_to_list, perm_list); ++ if (class->common != NULL) { ++ cil_symtab_map(&class->common->perms, __add_perm_to_list, perm_list); ++ } + cil_list_for_each(j, perm_list) { + count2++; + struct cil_perm *perm = j->data; diff --git a/backport-libsepol-cil-Do-not-allow-classpermissionset-to-use-.patch b/backport-libsepol-cil-Do-not-allow-classpermissionset-to-use-.patch new file mode 100644 index 0000000..8f9578b --- /dev/null +++ b/backport-libsepol-cil-Do-not-allow-classpermissionset-to-use-.patch @@ -0,0 +1,87 @@ +From 903e8cf26e2ab874618e0fdaef537bc3d9a8b69d Mon Sep 17 00:00:00 2001 +From: James Carter +Date: Fri, 13 Oct 2023 09:26:50 -0400 +Subject: [PATCH] libsepol/cil: Do not allow classpermissionset to use + anonymous classpermission + +Macros can use classpermission arguments. These are used in two +different ways. Either a named classpermission is passed (which is +declared using a classpermisison rule) or an anonymous classpermission +is passed (something like "(CLASS (PERM))"). + +Usually this will look like either of the following: +Ex1/ +(classpermission cp1) +(classpermisisonset cp1 (CLASS (PERM))) +(macro m1 ((classpermisison ARG1)) + (allow t1 self ARG1) +) +(call m1 (cp1)) +or +Ex2/ +(macro m2 ((classpermission ARG2)) + (allow t2 self ARG2) +) +(call m2 ((CLASS (PERM)))) + +The following would also be valid: +Ex3/ +(classpermission cp3) +(macro m3 ((classpermission ARG3)) + (classpermissionset ARG3 (CLASS (PERM))) + (allow t3 self ARG3) +) +(call m3 (cp3)) + +The oss-fuzzer did the equivalent of the following: + +(classpermission cp4) +(macro m4 ((classpermission ARG4)) + (classpermissionset ARG4 (CLASS (PERM1))) + (allow t4 self ARG4) +) +(call m4 (CLASS (PERM2))) + +It passed an anonymous classpermission into a macro where there +was a classpermissionset rule. Suprisingly, everything worked well +until it was time to destroy the AST. There is no way to distinguish +between the anonymous classpermission being passed in which needs +to be destroyed and the classpermission in the classpermissionset +rule which is destroyed when the classpermissionset rule is +destroyed. This led to CIL trying to destroy the classpermission +in the classpermissionset rule twice. + +To fix this, when resolving the classpermission name in the +classpermissionset rule, check if the datum returned is for +an anonymous classpermission (it has no name) and return an +error if it is. + +This fixes oss-fuzz issue 60670. + +Signed-off-by: James Carter + +Reference: https://github.com/SELinuxProject/selinux/commit/903e8cf26e2ab874618e0fdaef537bc3d9a8b69d +Conflict: Context adaptation +--- + libsepol/cil/src/cil_resolve_ast.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c +index 4e8a375d6..427a320c9 100644 +--- a/libsepol/cil/src/cil_resolve_ast.c ++++ b/libsepol/cil/src/cil_resolve_ast.c +@@ -253,6 +253,12 @@ int cil_resolve_classpermissionset(struct cil_tree_node *current, struct cil_cla + goto exit; + } + ++ if (!datum->fqn) { ++ cil_tree_log(current, CIL_ERR, "Anonymous classpermission used in a classpermissionset"); ++ rc = SEPOL_ERR; ++ goto exit; ++ } ++ + rc = cil_resolve_classperms_list(current, cps->classperms, extra_args); + if (rc != SEPOL_OK) { + goto exit; +-- +2.33.0 diff --git a/backport-libsepol-cil-Fix-detected-RESOURCE_LEAK-CWE-772.patch b/backport-libsepol-cil-Fix-detected-RESOURCE_LEAK-CWE-772.patch new file mode 100644 index 0000000..ea734ce --- /dev/null +++ b/backport-libsepol-cil-Fix-detected-RESOURCE_LEAK-CWE-772.patch @@ -0,0 +1,29 @@ +From 1f173f8efab8e9931898d924057bd0ea8da759b7 Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Tue, 30 Apr 2024 17:30:24 +0200 +Subject: [PATCH] libsepol/cil: Fix detected RESOURCE_LEAK (CWE-772) + +libsepol-3.6/cil/src/cil_binary.c:902: alloc_fn: Storage is returned from allocation function "cil_malloc". +libsepol-3.6/cil/src/cil_binary.c:902: var_assign: Assigning: "mls_level" = storage returned from "cil_malloc(24UL)". +libsepol-3.6/cil/src/cil_binary.c:903: noescape: Resource "mls_level" is not freed or pointed-to in "mls_level_init". +libsepol-3.6/cil/src/cil_binary.c:905: noescape: Resource "mls_level" is not freed or pointed-to in "mls_level_cpy". +libsepol-3.6/cil/src/cil_binary.c:919: leaked_storage: Variable "mls_level" going out of scope leaks the storage it points to. + +Signed-off-by: Vit Mojzis +Acked-by: James Carter +--- + libsepol/cil/src/cil_binary.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c +index 95bd18baa..c8144a5af 100644 +--- a/libsepol/cil/src/cil_binary.c ++++ b/libsepol/cil/src/cil_binary.c +@@ -904,6 +904,7 @@ static int cil_sensalias_to_policydb(policydb_t *pdb, struct cil_alias *cil_alia + + rc = mls_level_cpy(mls_level, sepol_level->level); + if (rc != SEPOL_OK) { ++ free(mls_level); + goto exit; + } + sepol_alias->level = mls_level; diff --git a/backport-libsepol-cil-ensure-transitivity-in-compare-functions.patch b/backport-libsepol-cil-ensure-transitivity-in-compare-functions.patch new file mode 100644 index 0000000..6e2d603 --- /dev/null +++ b/backport-libsepol-cil-ensure-transitivity-in-compare-functions.patch @@ -0,0 +1,77 @@ +From 162a0884cccce80b76e35bc1094d5eaef84728e5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Wed, 31 Jan 2024 13:56:11 +0100 +Subject: [PATCH] libsepol/cil: ensure transitivity in compare functions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Ensure comparison functions used by qsort(3) fulfill transitivity, since +otherwise the resulting array might not be sorted correctly or worse[1] +in case of integer overflows. + +[1]: https://www.qualys.com/2024/01/30/qsort.txt + +Signed-off-by: Christian Göttsche +Acked-by: James Carter +--- + libsepol/cil/src/cil_post.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c +index 7f45299a3..ac99997f7 100644 +--- a/libsepol/cil/src/cil_post.c ++++ b/libsepol/cil/src/cil_post.c +@@ -52,6 +52,8 @@ + #define GEN_REQUIRE_ATTR "cil_gen_require" /* Also in libsepol/src/module_to_cil.c */ + #define TYPEATTR_INFIX "_typeattr_" /* Also in libsepol/src/module_to_cil.c */ + ++#define spaceship_cmp(a, b) (((a) > (b)) - ((a) < (b))) ++ + struct fc_data { + unsigned int meta; + size_t stem_len; +@@ -263,8 +265,8 @@ int cil_post_ibpkeycon_compare(const void *a, const void *b) + if (rc) + return rc; + +- rc = (aibpkeycon->pkey_high - aibpkeycon->pkey_low) +- - (bibpkeycon->pkey_high - bibpkeycon->pkey_low); ++ rc = spaceship_cmp(aibpkeycon->pkey_high - aibpkeycon->pkey_low, ++ bibpkeycon->pkey_high - bibpkeycon->pkey_low); + if (rc == 0) { + if (aibpkeycon->pkey_low < bibpkeycon->pkey_low) + rc = -1; +@@ -281,8 +283,8 @@ int cil_post_portcon_compare(const void *a, const void *b) + struct cil_portcon *aportcon = *(struct cil_portcon**)a; + struct cil_portcon *bportcon = *(struct cil_portcon**)b; + +- rc = (aportcon->port_high - aportcon->port_low) +- - (bportcon->port_high - bportcon->port_low); ++ rc = spaceship_cmp(aportcon->port_high - aportcon->port_low, ++ bportcon->port_high - bportcon->port_low); + if (rc == 0) { + if (aportcon->port_low < bportcon->port_low) { + rc = -1; +@@ -394,8 +396,8 @@ static int cil_post_iomemcon_compare(const void *a, const void *b) + struct cil_iomemcon *aiomemcon = *(struct cil_iomemcon**)a; + struct cil_iomemcon *biomemcon = *(struct cil_iomemcon**)b; + +- rc = (aiomemcon->iomem_high - aiomemcon->iomem_low) +- - (biomemcon->iomem_high - biomemcon->iomem_low); ++ rc = spaceship_cmp(aiomemcon->iomem_high - aiomemcon->iomem_low, ++ biomemcon->iomem_high - biomemcon->iomem_low); + if (rc == 0) { + if (aiomemcon->iomem_low < biomemcon->iomem_low) { + rc = -1; +@@ -413,8 +415,8 @@ static int cil_post_ioportcon_compare(const void *a, const void *b) + struct cil_ioportcon *aioportcon = *(struct cil_ioportcon**)a; + struct cil_ioportcon *bioportcon = *(struct cil_ioportcon**)b; + +- rc = (aioportcon->ioport_high - aioportcon->ioport_low) +- - (bioportcon->ioport_high - bioportcon->ioport_low); ++ rc = spaceship_cmp(aioportcon->ioport_high - aioportcon->ioport_low, ++ bioportcon->ioport_high - bioportcon->ioport_low); + if (rc == 0) { + if (aioportcon->ioport_low < bioportcon->ioport_low) { + rc = -1; diff --git a/backport-libsepol-enhance-saturation-check.patch b/backport-libsepol-enhance-saturation-check.patch new file mode 100644 index 0000000..0ec45a7 --- /dev/null +++ b/backport-libsepol-enhance-saturation-check.patch @@ -0,0 +1,138 @@ +From bd1b7848c66b69bdb1ef25332c90c47d61656437 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Thu, 9 Nov 2023 14:51:20 +0100 +Subject: [PATCH] libsepol: enhance saturation check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Several values while parsing kernel policies, like symtab sizes or +string lengths, are checked for saturation. They may not be set to the +maximum value, to avoid overflows or occupying a reserved value, and +many of those sizes must not be 0. This is currently handled via the +two macros is_saturated() and zero_or_saturated(). + +Both macros are tweaked for the fuzzer, because the fuzzer can create +input with huge sizes. While there is no subsequent data to provide +the announced sizes, which will be caught later, memory of the requested +size is allocated, which would lead to OOM reports. Thus the sizes for +the fuzzer are limited to 2^16. This has the drawback of the fuzzer +not checking the complete input space. + +Check the sizes in question for actual enough bytes available in the +input. This is (only) possible for mapped memory, which the fuzzer +uses. + +Application like setools do currently not benefit from this change, +since they load the policy via a stream. There are currently multiple +interfaces to load a policy, so reworking them to use mapped memory by +default might be subject for future work. + +Signed-off-by: Christian Göttsche +Acked-by: James Carter + +Reference: https://github.com/SELinuxProject/selinux/commit/bd1b7848c66b69bdb1ef25332c90c47d61656437 +Conflict: Context adaptation +--- + libsepol/src/avtab.c | 2 +- + libsepol/src/policydb.c | 9 ++++++--- + libsepol/src/private.h | 22 ++++++++++++++++------ + libsepol/src/services.c | 2 +- + 4 files changed, 24 insertions(+), 11 deletions(-) + +diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c +index 7c2328b7..b2fa8d85 100644 +--- a/libsepol/src/avtab.c ++++ b/libsepol/src/avtab.c +@@ -600,7 +600,7 @@ int avtab_read(avtab_t * a, struct policy_file *fp, uint32_t vers) + goto bad; + } + nel = le32_to_cpu(buf[0]); +- if (zero_or_saturated(nel)) { ++ if (zero_or_saturated(nel) || exceeds_available_bytes(fp, nel, sizeof(uint32_t) * 3)) { + ERR(fp->handle, "table is empty"); + goto bad; + } +diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c +index bc7bc9dc..6ba4f916 100644 +--- a/libsepol/src/policydb.c ++++ b/libsepol/src/policydb.c +@@ -3857,7 +3857,8 @@ static int scope_index_read(scope_index_t * scope_index, + if (rc < 0) + return -1; + scope_index->class_perms_len = le32_to_cpu(buf[0]); +- if (is_saturated(scope_index->class_perms_len)) ++ if (is_saturated(scope_index->class_perms_len) || ++ exceeds_available_bytes(fp, scope_index->class_perms_len, sizeof(uint32_t) * 3)) + return -1; + if (scope_index->class_perms_len == 0) { + scope_index->class_perms_map = NULL; +@@ -4036,7 +4037,8 @@ static int scope_read(policydb_t * p, int symnum, struct policy_file *fp) + goto cleanup; + scope->scope = le32_to_cpu(buf[0]); + scope->decl_ids_len = le32_to_cpu(buf[1]); +- if (zero_or_saturated(scope->decl_ids_len)) { ++ if (zero_or_saturated(scope->decl_ids_len) || ++ exceeds_available_bytes(fp, scope->decl_ids_len, sizeof(uint32_t))) { + ERR(fp->handle, "invalid scope with no declaration"); + goto cleanup; + } +@@ -4315,7 +4317,8 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose) + if (rc < 0) + goto bad; + nprim = le32_to_cpu(buf[0]); +- if (is_saturated(nprim)) ++ if (is_saturated(nprim) || ++ exceeds_available_bytes(fp, nprim, sizeof(uint32_t) * 3)) + goto bad; + nel = le32_to_cpu(buf[1]); + if (nel && !nprim) { +diff --git a/libsepol/src/private.h b/libsepol/src/private.h +index 1833b497..1500bbc2 100644 +--- a/libsepol/src/private.h ++++ b/libsepol/src/private.h +@@ -44,13 +44,23 @@ + + #define ARRAY_SIZE(x) (sizeof(x)/sizeof((x)[0])) + +-#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION +-# define is_saturated(x) (x == (typeof(x))-1 || (x) > (1U << 16)) +-#else +-# define is_saturated(x) (x == (typeof(x))-1) +-#endif ++static inline int exceeds_available_bytes(const struct policy_file *fp, size_t x, size_t req_elem_size) ++{ ++ size_t req_size; ++ ++ /* Remaining input size is only available for mmap'ed memory */ ++ if (fp->type != PF_USE_MEMORY) ++ return 0; ++ ++ if (__builtin_mul_overflow(x, req_elem_size, &req_size)) ++ return 1; ++ ++ return req_size > fp->len; ++} ++ ++#define is_saturated(x) ((x) == (typeof(x))-1) + +-#define zero_or_saturated(x) ((x == 0) || is_saturated(x)) ++#define zero_or_saturated(x) (((x) == 0) || is_saturated(x)) + + #define spaceship_cmp(a, b) (((a) > (b)) - ((a) < (b))) + +diff --git a/libsepol/src/services.c b/libsepol/src/services.c +index 51bd56a0..aa1ad52c 100644 +--- a/libsepol/src/services.c ++++ b/libsepol/src/services.c +@@ -1748,7 +1748,7 @@ int str_read(char **strp, struct policy_file *fp, size_t len) + int rc; + char *str; + +- if (zero_or_saturated(len)) { ++ if (zero_or_saturated(len) || exceeds_available_bytes(fp, len, sizeof(char))) { + errno = EINVAL; + return -1; + } +-- +2.27.0 diff --git a/backport-libsepol-ensure-transitivity-in-compare-functions.patch b/backport-libsepol-ensure-transitivity-in-compare-functions.patch new file mode 100644 index 0000000..cd1292e --- /dev/null +++ b/backport-libsepol-ensure-transitivity-in-compare-functions.patch @@ -0,0 +1,47 @@ +From b52e27aeaa563ac998345a6a670493172411b166 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Wed, 31 Jan 2024 13:56:10 +0100 +Subject: [PATCH] libsepol: ensure transitivity in compare functions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Ensure comparison functions used by qsort(3) fulfill transitivity, since +otherwise the resulting array might not be sorted correctly or worse[1] +in case of integer overflows. + +[1]: https://www.qualys.com/2024/01/30/qsort.txt + +Signed-off-by: Christian Göttsche +Acked-by: James Carter +--- + libsepol/src/kernel_to_common.c | 2 +- + libsepol/src/module_to_cil.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libsepol/src/kernel_to_common.c b/libsepol/src/kernel_to_common.c +index 2422eed08..44f0be23a 100644 +--- a/libsepol/src/kernel_to_common.c ++++ b/libsepol/src/kernel_to_common.c +@@ -503,7 +503,7 @@ static int ibendport_data_cmp(const void *a, const void *b) + if (rc) + return rc; + +- return (*aa)->u.ibendport.port - (*bb)->u.ibendport.port; ++ return spaceship_cmp((*aa)->u.ibendport.port, (*bb)->u.ibendport.port); + } + + static int pirq_data_cmp(const void *a, const void *b) +diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c +index 0fce7cc7e..6699a46be 100644 +--- a/libsepol/src/module_to_cil.c ++++ b/libsepol/src/module_to_cil.c +@@ -1681,7 +1681,7 @@ static int class_perm_cmp(const void *a, const void *b) + const struct class_perm_datum *aa = a; + const struct class_perm_datum *bb = b; + +- return aa->val - bb->val; ++ return spaceship_cmp(aa->val, bb->val); + } + + static int common_to_cil(char *key, void *data, void *UNUSED(arg)) diff --git a/backport-libsepol-expand-skip-invalid-cat.patch b/backport-libsepol-expand-skip-invalid-cat.patch new file mode 100644 index 0000000..a6a37b0 --- /dev/null +++ b/backport-libsepol-expand-skip-invalid-cat.patch @@ -0,0 +1,38 @@ +From cae65d9a10623bb9063a2e3ca5357bb1602d55af Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Fri, 12 May 2023 11:30:01 +0200 +Subject: [PATCH] libsepol: expand: skip invalid cat +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Bail out on expanding levels with invalid low category. + +UBSAN report: + + expand.c:952:21: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'uint32_t' (aka 'unsigned int') + +Signed-off-by: Christian Göttsche +Acked-by: James Carter + +Reference: https://github.com/SELinuxProject/selinux/commit/cae65d9a10623bb9063a2e3ca5357bb1602d55af +Conflict: NA +--- + libsepol/src/expand.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c +index c08d3a35..8795229a 100644 +--- a/libsepol/src/expand.c ++++ b/libsepol/src/expand.c +@@ -943,7 +943,7 @@ int mls_semantic_level_expand(mls_semantic_level_t * sl, mls_level_t * l, + return -1; + } + for (cat = sl->cat; cat; cat = cat->next) { +- if (cat->low > cat->high) { ++ if (!cat->low || cat->low > cat->high) { + ERR(h, "Category range is not valid %s.%s", + p->p_cat_val_to_name[cat->low - 1], + p->p_cat_val_to_name[cat->high - 1]); +-- +2.33.0 diff --git a/backport-libsepol-more-strict-validation.patch b/backport-libsepol-more-strict-validation.patch new file mode 100644 index 0000000..a396401 --- /dev/null +++ b/backport-libsepol-more-strict-validation.patch @@ -0,0 +1,55 @@ +From 6ed7dcf2f6f71d6db5fa89e0b965c10a165f315c Mon Sep 17 00:00:00 2001 +From: root +Date: Mon, 8 Jan 2024 17:09:46 +0800 +Subject: [PATCH] libsepol: more strict validation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Ensure the ibendport port is not 0 (similar to the kernel). + +More general depth test for boolean expressions. + +Ensure the boolean id is not set for logic operators. + +Signed-off-by: Christian Göttsche +Acked-by: James Carter + +Reference: https://github.com/SELinuxProject/selinux/commit/7b754f703d704c9d9931497536771e6124ca2418 +Conflict: Context adaptation +--- + libsepol/src/policydb_validate.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c +index da3c7c5..09f0813 100644 +--- a/libsepol/src/policydb_validate.c ++++ b/libsepol/src/policydb_validate.c +@@ -479,13 +479,15 @@ static int validate_cond_expr(sepol_handle_t *handle, struct cond_expr *expr, va + case COND_BOOL: + if (validate_value(expr->bool, boolean)) + goto bad; +- if (depth == (COND_EXPR_MAXDEPTH - 1)) ++ if (depth >= (COND_EXPR_MAXDEPTH - 1)) + goto bad; + depth++; + break; + case COND_NOT: + if (depth < 0) + goto bad; ++ if (expr->bool != 0) ++ goto bad; + break; + case COND_OR: + case COND_AND: +@@ -494,6 +496,8 @@ static int validate_cond_expr(sepol_handle_t *handle, struct cond_expr *expr, va + case COND_NEQ: + if (depth < 1) + goto bad; ++ if (expr->bool != 0) ++ goto bad; + depth--; + break; + default: +-- +2.33.0 diff --git a/backport-libsepol-reject-avtab-entries-with-invalid-specifier.patch b/backport-libsepol-reject-avtab-entries-with-invalid-specifier.patch new file mode 100644 index 0000000..9e7bede --- /dev/null +++ b/backport-libsepol-reject-avtab-entries-with-invalid-specifier.patch @@ -0,0 +1,61 @@ +From b1b3467a476b109f20ad581d73c56262205a021e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Wed, 1 Nov 2023 17:37:24 +0100 +Subject: [PATCH] libsepol: reject avtab entries with invalid specifier +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Neverallow avtab entries are not supported (normal and extended). Reject +them to avoid lookup confusions via avtab_search(), e.g. when searching +for a invalid key of AVTAB_TRANSITION|AVTAB_NEVERALLOW and the result of +only AVTAB_NEVERALLOW has no transition value. + +Simplify the check for the number of specifiers by using the compiler +popcount builtin (already used in libsepol). + +Reported-by: oss-fuzz (issue 60568), caused at the time by the filetrans + prefix proposal +Signed-off-by: Christian Göttsche +Acked-by: James Carter + +Reference: https://github.com/SELinuxProject/selinux/commit/b1b3467a476b109f20ad581d73c56262205a021e +Conflict: NA +--- + libsepol/src/avtab.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c +index 6ab49c5e..1ef5ee00 100644 +--- a/libsepol/src/avtab.c ++++ b/libsepol/src/avtab.c +@@ -441,7 +441,6 @@ int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a, + avtab_key_t key; + avtab_datum_t datum; + avtab_extended_perms_t xperms; +- unsigned set; + unsigned int i; + int rc; + +@@ -535,13 +534,13 @@ int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a, + key.target_class = le16_to_cpu(buf16[items++]); + key.specified = le16_to_cpu(buf16[items++]); + +- set = 0; +- for (i = 0; i < ARRAY_SIZE(spec_order); i++) { +- if (key.specified & spec_order[i]) +- set++; ++ if (key.specified & ~(AVTAB_AV | AVTAB_TYPE | AVTAB_XPERMS | AVTAB_ENABLED)) { ++ ERR(fp->handle, "invalid specifier"); ++ return -1; + } +- if (!set || set > 1) { +- ERR(fp->handle, "more than one specifier"); ++ ++ if (__builtin_popcount(key.specified & ~AVTAB_ENABLED) != 1) { ++ ERR(fp->handle, "not exactly one specifier"); + return -1; + } + +-- +2.33.0 diff --git a/backport-libsepol-reject-invalid-class-datums.patch b/backport-libsepol-reject-invalid-class-datums.patch new file mode 100644 index 0000000..73c3ff7 --- /dev/null +++ b/backport-libsepol-reject-invalid-class-datums.patch @@ -0,0 +1,54 @@ +From 68c3a9991679702a7adc6e040e5703a7abb50b16 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Tue, 28 Nov 2023 19:23:32 +0100 +Subject: [PATCH] libsepol: reject invalid class datums +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Internally class values are stored in multiple placed in a 16-bit wide +integer. Reject class values exceeding the maximum representable value. +This avoids truncations in the helper +policydb_string_to_security_class(), which gets called before validation +of the policy: + + policydb.c:4082:9: runtime error: implicit conversion from type 'uint32_t' (aka 'unsigned int') of value 2113929220 (32-bit, unsigned) to type 'sepol_security_class_t' (aka 'unsigned short') changed the value to 4 (16-bit, unsigned) + +Signed-off-by: Christian Göttsche +Acked-by: James Carter + +Reference: https://github.com/SELinuxProject/selinux/commit/68c3a9991679702a7adc6e040e5703a7abb50b16 +Conflict: Context adaptation +--- + libsepol/src/policydb.c | 2 ++ + libsepol/src/policydb_validate.c | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c +index 6ba4f9168..f10a8a95a 100644 +--- a/libsepol/src/policydb.c ++++ b/libsepol/src/policydb.c +@@ -2250,6 +2250,8 @@ static int class_read(policydb_t * p, hashtab_t h, struct policy_file *fp) + if (is_saturated(len2)) + goto bad; + cladatum->s.value = le32_to_cpu(buf[2]); ++ if (cladatum->s.value > UINT16_MAX) ++ goto bad; + + if (symtab_init(&cladatum->permissions, PERM_SYMTAB_SIZE)) + goto bad; +diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c +index 6d8641f..69a436b 100644 +--- a/libsepol/src/policydb_validate.c ++++ b/libsepol/src/policydb_validate.c +@@ -199,7 +199,7 @@ bad: + + static int validate_class_datum(sepol_handle_t *handle, const class_datum_t *class, validate_t flavors[]) + { +- if (validate_value(class->s.value, &flavors[SYM_CLASSES])) ++ if (class->s.value > UINT16_MAX || validate_value(class->s.value, &flavors[SYM_CLASSES])) + goto bad; + if (class->comdatum && validate_common_datum(handle, class->comdatum, flavors)) + goto bad; +-- +2.33.0 diff --git a/backport-libsepol-reject-linking-modules-with-no-avrules.patch b/backport-libsepol-reject-linking-modules-with-no-avrules.patch new file mode 100644 index 0000000..0856aea --- /dev/null +++ b/backport-libsepol-reject-linking-modules-with-no-avrules.patch @@ -0,0 +1,47 @@ +From 4724538b62e4eb846057b227ce12052749bd4473 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Tue, 28 Nov 2023 19:23:34 +0100 +Subject: [PATCH] libsepol: reject linking modules with no avrules +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Standard policy modules generated by compilers have at least one global +av rule. Reject modules otherwise, e.g. generated by a fuzzer. + +Signed-off-by: Christian Göttsche +Acked-by: James Carter + +Reference: https://github.com/SELinuxProject/selinux/commit/4724538b62e4eb846057b227ce12052749bd4473 +Conflict: NA +--- + libsepol/src/link.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/libsepol/src/link.c b/libsepol/src/link.c +index 3b7742bc..b8272308 100644 +--- a/libsepol/src/link.c ++++ b/libsepol/src/link.c +@@ -2019,7 +2019,7 @@ static int debug_requirements(link_state_t * state, policydb_t * p) + memset(&req, 0, sizeof(req)); + + for (cur = p->global; cur != NULL; cur = cur->next) { +- if (cur->enabled != NULL) ++ if (cur->enabled != NULL || cur->branch_list == NULL) + continue; + + ret = is_decl_requires_met(state, cur->branch_list, &req); +@@ -2142,6 +2142,11 @@ static int enable_avrules(link_state_t * state, policydb_t * pol) + /* 1) enable all of the non-else blocks */ + for (block = pol->global; block != NULL; block = block->next) { + block->enabled = block->branch_list; ++ if (!block->enabled) { ++ ERR(state->handle, "Global block has no avrules!"); ++ ret = SEPOL_ERR; ++ goto out; ++ } + block->enabled->enabled = 1; + for (decl = block->branch_list->next; decl != NULL; + decl = decl->next) +-- +2.33.0 diff --git a/backport-libsepol-reject-unsupported-policy-capabilities.patch b/backport-libsepol-reject-unsupported-policy-capabilities.patch new file mode 100644 index 0000000..1413e42 --- /dev/null +++ b/backport-libsepol-reject-unsupported-policy-capabilities.patch @@ -0,0 +1,75 @@ +From e22b7dee0d8de9bc49992fa80b9ceb53925ea36c Mon Sep 17 00:00:00 2001 +From: root +Date: Mon, 8 Jan 2024 17:16:30 +0800 +Subject: [PATCH] libsepol: reject unsupported policy capabilities +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Kernel policies with unsupported policy capabilities enabled can +currently be parsed, since they result just in a bit set inside an +ebitmap. Writing such a loaded policy into the traditional language or +CIL will fail however, since the unsupported policy capabilities can not +be converted into a name. + +Reject kernel policies with invalid policy capabilities. + +Reported-by: oss-fuzz (issue 60573) + +Signed-off-by: Christian Göttsche +Acked-by: James Carter + +Reference: https://github.com/SELinuxProject/selinux/commit/7cf2bfb59313eeef59e916834c3243b7a0ce7b4f +Conflict: Context adaptation +--- + libsepol/src/policydb_validate.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c +index 09f0813..9553812 100644 +--- a/libsepol/src/policydb_validate.c ++++ b/libsepol/src/policydb_validate.c +@@ -2,6 +2,7 @@ + #include + #include + #include ++#include + #include + + #include "debug.h" +@@ -771,6 +772,23 @@ bad: + return -1; + } + ++static int validate_policycaps(sepol_handle_t *handle, const policydb_t *p) ++{ ++ ebitmap_node_t *node; ++ uint32_t i; ++ ++ ebitmap_for_each_positive_bit(&p->policycaps, node, i) { ++ if (!sepol_polcap_getname(i)) ++ goto bad; ++ } ++ ++ return 0; ++ ++bad: ++ ERR(handle, "Invalid policy capability"); ++ return -1; ++} ++ + static void validate_array_destroy(validate_t flavors[]) + { + unsigned int i; +@@ -790,6 +808,9 @@ int policydb_validate(sepol_handle_t *handle, policydb_t *p) + if (validate_properties(handle, p)) + goto bad; + ++ if (validate_policycaps(handle, p)) ++ goto bad; ++ + if (p->policy_type == POLICY_KERN) { + if (validate_avtab(handle, &p->te_avtab, p, flavors)) + goto bad; +-- +2.33.0 diff --git a/backport-libsepol-use-correct-type-to-avoid-truncations.patch b/backport-libsepol-use-correct-type-to-avoid-truncations.patch new file mode 100644 index 0000000..216abc9 --- /dev/null +++ b/backport-libsepol-use-correct-type-to-avoid-truncations.patch @@ -0,0 +1,50 @@ +From 4f1435dd51f832fa3b122e5e98be2a5ab176780c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Tue, 28 Nov 2023 19:23:29 +0100 +Subject: [PATCH] libsepol: use correct type to avoid truncations +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Avoid truncations of the read 32 bit unsigned integer: + + conditional.c:764:8: runtime error: implicit conversion from type 'uint32_t' (aka 'unsigned int') of value 3758096384 (32-bit, unsigned) to type 'int' changed the value to -536870912 (32-bit, signed) + conditional.c:831:8: runtime error: implicit conversion from type 'uint32_t' (aka 'unsigned int') of value 4280295456 (32-bit, unsigned) to type 'int' changed the value to -14671840 (32-bit, signed) + +Signed-off-by: Christian Göttsche +Acked-by: James Carter + +Reference: https://github.com/SELinuxProject/selinux/commit/4f1435dd51f832fa3b122e5e98be2a5ab176780c +Conflict: NA +--- + libsepol/src/conditional.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libsepol/src/conditional.c b/libsepol/src/conditional.c +index 24380ea0..420c7b6c 100644 +--- a/libsepol/src/conditional.c ++++ b/libsepol/src/conditional.c +@@ -746,8 +746,8 @@ static int expr_isvalid(policydb_t * p, cond_expr_t * expr) + + static int cond_read_node(policydb_t * p, cond_node_t * node, void *fp) + { +- uint32_t buf[2]; +- int len, i, rc; ++ uint32_t buf[2], i, len; ++ int rc; + cond_expr_t *expr = NULL, *last = NULL; + + rc = next_entry(buf, fp, sizeof(uint32_t)); +@@ -821,8 +821,8 @@ static int cond_read_node(policydb_t * p, cond_node_t * node, void *fp) + int cond_read_list(policydb_t * p, cond_list_t ** list, void *fp) + { + cond_node_t *node, *last = NULL; +- uint32_t buf[1]; +- int i, len, rc; ++ uint32_t buf[1], i, len; ++ int rc; + + rc = next_entry(buf, fp, sizeof(uint32_t)); + if (rc < 0) +-- +2.33.0 diff --git a/backport-libsepol-validate-empty-common-classes-in-scope-indi.patch b/backport-libsepol-validate-empty-common-classes-in-scope-indi.patch new file mode 100644 index 0000000..f858af0 --- /dev/null +++ b/backport-libsepol-validate-empty-common-classes-in-scope-indi.patch @@ -0,0 +1,35 @@ +From e54bedce80267b4fbd79b16f548a278c097bd675 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Mon, 11 Dec 2023 15:55:40 +0100 +Subject: [PATCH] libsepol: validate empty common classes in scope indices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Validate no common classes inside scope indices are defined. + +Reported-by: oss-fuzz (issue 64849) +Signed-off-by: Christian Göttsche +Acked-by: James Carter + +Reference: https://github.com/SELinuxProject/selinux/commit/e54bedce80267b4fbd79b16f548a278c097bd675 +Conflict: Context adaptation +--- + libsepol/src/policydb_validate.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c +index bd8e9f8f3..d86f885e4 100644 +--- a/libsepol/src/policydb_validate.c ++++ b/libsepol/src/policydb_validate.c +@@ -730,6 +730,8 @@ bad: + + static int validate_scope_index(sepol_handle_t *handle, const scope_index_t *scope_index, validate_t flavors[]) + { ++ if (!ebitmap_is_empty(&scope_index->scope[SYM_COMMONS])) ++ goto bad; + if (validate_ebitmap(&scope_index->p_classes_scope, &flavors[SYM_CLASSES])) + goto bad; + if (validate_ebitmap(&scope_index->p_roles_scope, &flavors[SYM_ROLES])) +-- +2.33.0 diff --git a/backport-libsepol-validate-the-identifier-for-initials-SID-is.patch b/backport-libsepol-validate-the-identifier-for-initials-SID-is.patch new file mode 100644 index 0000000..4d108c7 --- /dev/null +++ b/backport-libsepol-validate-the-identifier-for-initials-SID-is.patch @@ -0,0 +1,50 @@ +From cf6ddded1650098c05f4245df41395420cf41838 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Thu, 9 Nov 2023 14:51:21 +0100 +Subject: [PATCH] libsepol: validate the identifier for initials SID is valid +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Check the identifier for initial SIDs is less than the maximum known ID. +The kernel will ignore all unknown IDs, see +security/selinux/ss/policydb.c:policydb_load_isids(). + +Without checking huge IDs result in OOM events, while writing policies, +e.g. in write_sids_to_conf() or write_sids_to_cil(), due to allocation +of large (continuous) string lists. + +Signed-off-by: Christian Göttsche +Acked-by: James Carter + +Reference: https://github.com/SELinuxProject/selinux/commit/cf6ddded1650098c05f4245df41395420cf41838 +Conflict: Context adaptation +--- + libsepol/src/policydb_validate.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c +index 016ab6550..32ad5a18b 100644 +--- a/libsepol/src/policydb_validate.c ++++ b/libsepol/src/policydb_validate.c +@@ -6,6 +6,7 @@ + #include + + #include "debug.h" ++#include "kernel_to_common.h" + #include "policydb_validate.h" + + #define bool_xor(a, b) (!(a) != !(b)) +@@ -635,6 +636,10 @@ static int validate_ocontexts(sepol_handle_t *handle, const policydb_t *p, validate_t + + if (p->target_platform == SEPOL_TARGET_SELINUX) { + switch (i) { ++ case OCON_ISID: ++ if (octx->sid[0] == SEPOL_SECSID_NULL || octx->sid[0] >= SELINUX_SID_SZ) ++ goto bad; ++ break; + case OCON_FS: + case OCON_NETIF: + if (validate_context(&octx->context[1], flavors, p->mls)) +-- +2.33.0 diff --git a/libsepol.spec b/libsepol.spec index af41b27..7783d68 100644 --- a/libsepol.spec +++ b/libsepol.spec @@ -1,6 +1,6 @@ Name: libsepol Version: 3.5 -Release: 3 +Release: 4 Summary: SELinux binary policy manipulation library License: LGPLv2+ URL: https://github.com/SELinuxProject/selinux/wiki/Releases @@ -14,6 +14,26 @@ Patch0005: backport-libsepol-cil-Fix-class-permission-verification-in-CIL.p Patch0006: backport-libsepol-validate-old-style-range-trans-classes.patch Patch0007: backport-libsepol-validate-check-low-category-is-not-bigger-than-high.patch Patch0008: backport-libsepol-reorder-calloc-3-arguments.patch +Patch0009: backport-libsepol-reject-avtab-entries-with-invalid-specifier.patch +Patch0010: backport-libsepol-avtab-check-read-counts-for-saturation.patch +Patch0011: backport-libsepol-expand-skip-invalid-cat.patch +Patch0012: backport-libsepol-more-strict-validation.patch +Patch0013: backport-libsepol-reject-unsupported-policy-capabilities.patch +Patch0014: backport-libsepol-adjust-type-for-saturation-check.patch +Patch0015: backport-libsepol-enhance-saturation-check.patch +Patch0016: backport-libsepol-avoid-leak-in-OOM-branch.patch +Patch0017: backport-libsepol-cil-Do-not-allow-classpermissionset-to-use-.patch +Patch0018: backport-libsepol-add-check-for-category-value-before-printin.patch +Patch0019: backport-libsepol-use-correct-type-to-avoid-truncations.patch +Patch0020: backport-libsepol-reject-invalid-class-datums.patch +Patch0021: backport-libsepol-reject-linking-modules-with-no-avrules.patch +Patch0022: backport-libsepol-avoid-integer-overflow-in-add_i_to_a.patch +Patch0023: backport-libsepol-validate-empty-common-classes-in-scope-indi.patch +Patch0024: backport-libsepol-validate-the-identifier-for-initials-SID-is.patch +Patch0025: backport-libsepol-ensure-transitivity-in-compare-functions.patch +Patch0026: backport-libsepol-cil-ensure-transitivity-in-compare-functions.patch +Patch0027: backport-libsepol-cil-Check-common-perms-when-verifiying-all.patch +Patch0028: backport-libsepol-cil-Fix-detected-RESOURCE_LEAK-CWE-772.patch BuildRequires: gcc flex @@ -74,6 +94,9 @@ make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" install %{_mandir}/man3/* %changelog +* Tue Oct 15 2024 yanglongkang - 3.5-4 +- backport bugfix from upstream + * Tue Mar 26 2024 gengqihu - 3.5-3 - backport bugfix from upstream -- Gitee