From 7027991c3e578be1f5cff62d07e26947179c1ee7 Mon Sep 17 00:00:00 2001 From: markeryang Date: Sat, 12 Oct 2024 02:09:33 +0000 Subject: [PATCH] sync backport patches from upstream (cherry picked from commit 2004af46f1363c6d40480ad54ab8ff4f623c155f) --- ...fer-overflow-when-using-sepol_av_to_.patch | 98 +++++++++++++++++++ ...eck-common-perms-when-verifiying-all.patch | 53 ++++++++++ ...l-Fix-detected-RESOURCE_LEAK-CWE-772.patch | 29 ++++++ ...re-transitivity-in-compare-functions.patch | 77 +++++++++++++++ ...re-transitivity-in-compare-functions.patch | 47 +++++++++ ...rt-libsepol-fix-reallocarray-imports.patch | 45 +++++++++ libsepol.spec | 11 ++- 7 files changed, 359 insertions(+), 1 deletion(-) create mode 100644 backport-libsepol-Fix-buffer-overflow-when-using-sepol_av_to_.patch create mode 100644 backport-libsepol-cil-Check-common-perms-when-verifiying-all.patch create mode 100644 backport-libsepol-cil-Fix-detected-RESOURCE_LEAK-CWE-772.patch create mode 100644 backport-libsepol-cil-ensure-transitivity-in-compare-functions.patch create mode 100644 backport-libsepol-ensure-transitivity-in-compare-functions.patch create mode 100644 backport-libsepol-fix-reallocarray-imports.patch diff --git a/backport-libsepol-Fix-buffer-overflow-when-using-sepol_av_to_.patch b/backport-libsepol-Fix-buffer-overflow-when-using-sepol_av_to_.patch new file mode 100644 index 0000000..3472427 --- /dev/null +++ b/backport-libsepol-Fix-buffer-overflow-when-using-sepol_av_to_.patch 
@@ -0,0 +1,98 @@
+From c205b924e280c4ee161c79d2442c5026ec89597c Mon Sep 17 00:00:00 2001
+From: James Carter
+Date: Fri, 8 Mar 2024 16:55:56 -0500
+Subject: [PATCH] libsepol: Fix buffer overflow when using
+sepol_av_to_string()
+
+The function sepol_av_to_string() normally returns a list of
+permissions with a space at the beginning, but it will return '\0'
+if there are no permissions. Unfortunately, functions in
+kernel_to_cil, kernel_to_conf, and module_to_cil assume there is a
+space at the beginning and skip the space by using "perms+1".
+
+In kernel_to_cil, kernel_to_conf, and module_to_cil, check for the
+permission string being '\0' and return an error if it is.
+
+Reported-by: oss-fuzz (issue 67276)
+Signed-off-by: James Carter
+---
+ libsepol/src/kernel_to_cil.c | 11 +++++++++++
+ libsepol/src/kernel_to_conf.c | 11 +++++++++++
+ libsepol/src/module_to_cil.c | 12 ++++++++++++
+ 3 files changed, 34 insertions(+)
+
+diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
+index 69efc97..6d7d815 100644
+--- a/libsepol/src/kernel_to_cil.c
++++ b/libsepol/src/kernel_to_cil.c
+@@ -1754,6 +1760,11 @@ static char *avtab_node_to_str(struct policydb *pdb, avtab_key_t *key, avtab_dat
+ sepol_log_err("Failed to generate permission string");
+ goto exit;
+ }
++ if (*perms == '\0') {
++ sepol_log_err("No permisisons in permission string");
++ free(perms);
++ goto exit;
++ }
+ rule = create_str("(%s %s %s (%s (%s)))", 5,
+ flavor, src, tgt, class, perms+1);
+ } else if (key->specified & AVTAB_XPERMS) {
+diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
+index a1bf05f..f484e2b 100644
+--- a/libsepol/src/kernel_to_conf.c
++++ b/libsepol/src/kernel_to_conf.c
+@@ -291,6 +291,12 @@ static int class_constraint_rules_to_strs(struct policydb *pdb, char *classkey,
+ }
+
+ perms = sepol_av_to_string(pdb, class->s.value, curr->permissions);
++ if (*perms == '\0') {
++ sepol_log_err("No permisisons in permission string");
++ free(perms);
++ rc = -1;
++ goto exit;
++ }
+ if (strchr(perms, ' ')) {
+ format_str = "%s %s { %s } %s;";
+ } else {
+@@ -1728,6 +1734,11 @@ static char *avtab_node_to_str(struct policydb *pdb, avtab_key_t *key, avtab_dat
+ sepol_log_err("Failed to generate permission string");
+ goto exit;
+ }
++ if (*perms == '\0') {
++ sepol_log_err("No permisisons in permission string");
++ free(perms);
++ goto exit;
++ }
+ rule = create_str("%s %s %s:%s { %s };", 5,
+ flavor, src, tgt, class, perms+1);
+ } else if (key->specified & AVTAB_XPERMS) {
+diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
+index 410a41d..e5e632e 100644
+--- a/libsepol/src/module_to_cil.c
++++ b/libsepol/src/module_to_cil.c
+@@ -606,6 +606,12 @@ static int avrule_to_cil(int indent, struct policydb *pdb, uint32_t type, const
+ rc = -1;
+ goto exit;
+ }
++ if (*perms == '\0') {
++ log_err("No permissions in permission string");
++ free(perms);
++ rc = -1;
++ goto exit;
++ }
+ cil_println(indent, "(%s %s %s (%s (%s)))",
+ rule, src, tgt,
+ pdb->p_class_val_to_name[classperm->tclass - 1],
+@@ -1955,6 +1961,12 @@ static int constraints_to_cil(int indent, struct policydb *pdb, char *classkey,
+
+ if (is_constraint) {
+ perms = sepol_av_to_string(pdb, class->s.value, node->permissions);
++ if (*perms == '\0') {
++ log_err("No permissions in permission string");
++ free(perms);
++ rc = -1;
++ goto exit;
++ }
+ cil_println(indent, "(%sconstrain (%s (%s)) %s)", mls, classkey, perms + 1, expr);
+ } else {
+ cil_println(indent, "(%svalidatetrans %s %s)", mls, classkey, expr);
diff --git a/backport-libsepol-cil-Check-common-perms-when-verifiying-all.patch b/backport-libsepol-cil-Check-common-perms-when-verifiying-all.patch
new file mode 100644
index 0000000..332727a
--- /dev/null
+++ b/backport-libsepol-cil-Check-common-perms-when-verifiying-all.patch
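Review bot: In the two constraint hunks (class_constraint_rules_to_strs in kernel_to_conf.c and constraints_to_cil in module_to_cil.c) the new `if (*perms == '\0')` dereferences `perms` immediately after `perms = sepol_av_to_string(...)` with no NULL test, whereas the two avtab_node_to_str hunks in the same patch sit just below a `Failed to generate permission string` check that already treats a failed call as an error. If sepol_av_to_string can return NULL on allocation failure, those two sites should read `if (perms == NULL || *perms == '\0')` (free(NULL) is a no-op, so the cleanup below stays valid) so the empty-string over-read is not traded for a NULL dereference. Separately, `"No permisisons in permission string"` in kernel_to_cil.c and kernel_to_conf.c is misspelled and differs from module_to_cil.c's `"No permissions in permission string"`; a backport should match upstream byte for byte, so this belongs in an upstream follow-up rather than here. All four enclosing functions start and end outside the hunk.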
@@ -0,0 +1,53 @@
+From c071aa2e635935216e8e504a5b398f58aed2838e Mon Sep 17 00:00:00 2001
+From: James Carter
+Date: Mon, 1 Apr 2024 10:49:24 -0400
+Subject: [PATCH] libsepol/cil: Check common perms when verifiying "all"
+
+Commit e81c466 "Fix class permission verification in CIL", added a
+check for the use of "all" in a permission expression for a class
+that had no permissions. Unfortunately, that change did not take
+into account a class that had common permissions, so a class that
+has no permmissions of its own, but inherits permissions from a
+common, will fail the verification check.
+
+If the class inherits from a common, then add those permissions to
+the permmission list when verifying the permission expression.
+
+Example/
+(common co1 (cop1))
+(class cl1 ())
+(classcommon cl1 co1)
+(classorder (CLASS cl1))
+
+(classpermission cp1)
+(classpermissionset cp1 (cl1 (all)))
+
+(classmap cm1 (cmp1))
+(classmapping cm1 cmp1 (cl1 (all)))
+
+Previously, both the classpermissionset and the classmapping rules
+would fail verification, but now they pass as expected.
+
+Patch originally from Ben Cressey , I have
+expanded the explanation.
+
+Reported-by: Ben Cressey
+Signed-off-by: James Carter
+---
+ libsepol/cil/src/cil_verify.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
+index 0c6d50a18..4ef2cbab3 100644
+--- a/libsepol/cil/src/cil_verify.c
++++ b/libsepol/cil/src/cil_verify.c
+@@ -1842,6 +1842,9 @@ static int __cil_verify_perms(struct cil_class *class, struct cil_list *perms, s
+ int count2 = 0;
+ cil_list_init(&perm_list, CIL_MAP_PERM);
+ cil_symtab_map(&class->perms, __add_perm_to_list, perm_list);
++ if (class->common != NULL) {
++ cil_symtab_map(&class->common->perms, __add_perm_to_list, perm_list);
++ }
+ cil_list_for_each(j, perm_list) {
+ count2++;
+ struct cil_perm *perm = j->data;
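Review bot: The new `if (class->common != NULL)` branch carries no comment, so the reason the common's perms are appended to `perm_list` (a class with no perms of its own still has perms through its common, and `all` must not be rejected for it) lives only in the commit message. A one-liner such as `/* perms inherited from a common count toward "all" as well */` above the `if` would keep that rationale with the code. The `count2` comparison that consumes `perm_list` is past the end of the hunk (__cil_verify_perms continues outside it), so it is worth confirming there that the combined list is what the expression count is compared against.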
diff --git a/backport-libsepol-cil-Fix-detected-RESOURCE_LEAK-CWE-772.patch b/backport-libsepol-cil-Fix-detected-RESOURCE_LEAK-CWE-772.patch
new file mode 100644
index 0000000..ea734ce
--- /dev/null
+++ b/backport-libsepol-cil-Fix-detected-RESOURCE_LEAK-CWE-772.patch
@@ -0,0 +1,29 @@
+From 1f173f8efab8e9931898d924057bd0ea8da759b7 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Tue, 30 Apr 2024 17:30:24 +0200
+Subject: [PATCH] libsepol/cil: Fix detected RESOURCE_LEAK (CWE-772)
+
+libsepol-3.6/cil/src/cil_binary.c:902: alloc_fn: Storage is returned from allocation function "cil_malloc".
+libsepol-3.6/cil/src/cil_binary.c:902: var_assign: Assigning: "mls_level" = storage returned from "cil_malloc(24UL)".
+libsepol-3.6/cil/src/cil_binary.c:903: noescape: Resource "mls_level" is not freed or pointed-to in "mls_level_init".
+libsepol-3.6/cil/src/cil_binary.c:905: noescape: Resource "mls_level" is not freed or pointed-to in "mls_level_cpy".
+libsepol-3.6/cil/src/cil_binary.c:919: leaked_storage: Variable "mls_level" going out of scope leaks the storage it points to.
+
+Signed-off-by: Vit Mojzis
+Acked-by: James Carter
+---
+ libsepol/cil/src/cil_binary.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
+index 95bd18baa..c8144a5af 100644
+--- a/libsepol/cil/src/cil_binary.c
++++ b/libsepol/cil/src/cil_binary.c
+@@ -904,6 +904,7 @@ static int cil_sensalias_to_policydb(policydb_t *pdb, struct cil_alias *cil_alia
+
+ rc = mls_level_cpy(mls_level, sepol_level->level);
+ if (rc != SEPOL_OK) {
++ free(mls_level);
+ goto exit;
+ }
+ sepol_alias->level = mls_level;
diff --git a/backport-libsepol-cil-ensure-transitivity-in-compare-functions.patch b/backport-libsepol-cil-ensure-transitivity-in-compare-functions.patch
new file mode 100644
index 0000000..6e2d603
--- /dev/null
+++ b/backport-libsepol-cil-ensure-transitivity-in-compare-functions.patch
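Review bot: The added `free(mls_level)` releases only the struct itself; if mls_level_cpy can fail after it has begun copying the category bitmap into `mls_level->cat`, that partial bitmap would still leak, so either confirm that mls_level_cpy tears down its own partial copy on failure or make the cleanup `mls_level_destroy(mls_level); free(mls_level);`. The pointer is also left dangling on the way to `exit:`, which is only safe if nothing after the label reads it; cil_sensalias_to_policydb continues outside the hunk, so that path cannot be checked here.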
@@ -0,0 +1,77 @@
+From 162a0884cccce80b76e35bc1094d5eaef84728e5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
+Date: Wed, 31 Jan 2024 13:56:11 +0100
+Subject: [PATCH] libsepol/cil: ensure transitivity in compare functions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ensure comparison functions used by qsort(3) fulfill transitivity, since
+otherwise the resulting array might not be sorted correctly or worse[1]
+in case of integer overflows.
+
+[1]: https://www.qualys.com/2024/01/30/qsort.txt
+
+Signed-off-by: Christian Göttsche
+Acked-by: James Carter
+---
+ libsepol/cil/src/cil_post.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
+index 7f45299a3..ac99997f7 100644
+--- a/libsepol/cil/src/cil_post.c
++++ b/libsepol/cil/src/cil_post.c
+@@ -52,6 +52,8 @@
+ #define GEN_REQUIRE_ATTR "cil_gen_require" /* Also in libsepol/src/module_to_cil.c */
+ #define TYPEATTR_INFIX "_typeattr_" /* Also in libsepol/src/module_to_cil.c */
+
++#define spaceship_cmp(a, b) (((a) > (b)) - ((a) < (b)))
++
+ struct fc_data {
+ unsigned int meta;
+ size_t stem_len;
+@@ -263,8 +265,8 @@ int cil_post_ibpkeycon_compare(const void *a, const void *b)
+ if (rc)
+ return rc;
+
+- rc = (aibpkeycon->pkey_high - aibpkeycon->pkey_low)
+- - (bibpkeycon->pkey_high - bibpkeycon->pkey_low);
++ rc = spaceship_cmp(aibpkeycon->pkey_high - aibpkeycon->pkey_low,
++ bibpkeycon->pkey_high - bibpkeycon->pkey_low);
+ if (rc == 0) {
+ if (aibpkeycon->pkey_low < bibpkeycon->pkey_low)
+ rc = -1;
+@@ -281,8 +283,8 @@ int cil_post_portcon_compare(const void *a, const void *b)
+ struct cil_portcon *aportcon = *(struct cil_portcon**)a;
+ struct cil_portcon *bportcon = *(struct cil_portcon**)b;
+
+- rc = (aportcon->port_high - aportcon->port_low)
+- - (bportcon->port_high - bportcon->port_low);
++ rc = spaceship_cmp(aportcon->port_high - aportcon->port_low,
++ bportcon->port_high - bportcon->port_low);
+ if (rc == 0) {
+ if (aportcon->port_low < bportcon->port_low) {
+ rc = -1;
+@@ -394,8 +396,8 @@ static int cil_post_iomemcon_compare(const void *a, const void *b)
+ struct cil_iomemcon *aiomemcon = *(struct cil_iomemcon**)a;
+ struct cil_iomemcon *biomemcon = *(struct cil_iomemcon**)b;
+
+- rc = (aiomemcon->iomem_high - aiomemcon->iomem_low)
+- - (biomemcon->iomem_high - biomemcon->iomem_low);
++ rc = spaceship_cmp(aiomemcon->iomem_high - aiomemcon->iomem_low,
++ biomemcon->iomem_high - biomemcon->iomem_low);
+ if (rc == 0) {
+ if (aiomemcon->iomem_low < biomemcon->iomem_low) {
+ rc = -1;
+@@ -413,8 +415,8 @@ static int cil_post_ioportcon_compare(const void *a, const void *b)
+ struct cil_ioportcon *aioportcon = *(struct cil_ioportcon**)a;
+ struct cil_ioportcon *bioportcon = *(struct cil_ioportcon**)b;
+
+- rc = (aioportcon->ioport_high - aioportcon->ioport_low)
+- - (bioportcon->ioport_high - bioportcon->ioport_low);
++ rc = spaceship_cmp(aioportcon->ioport_high - aioportcon->ioport_low,
++ bioportcon->ioport_high - bioportcon->ioport_low);
+ if (rc == 0) {
+ if (aioportcon->ioport_low < bioportcon->ioport_low) {
+ rc = -1;
diff --git a/backport-libsepol-ensure-transitivity-in-compare-functions.patch b/backport-libsepol-ensure-transitivity-in-compare-functions.patch
new file mode 100644
index 0000000..cd1292e
--- /dev/null
+++ b/backport-libsepol-ensure-transitivity-in-compare-functions.patch
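Review bot: `spaceship_cmp` is introduced at the top of cil_post.c with no comment, so a reader of `rc = spaceship_cmp(aportcon->port_high - aportcon->port_low, ...)` does not learn why the old subtraction of two spans was unsafe (the difference is narrowed to int, and a wrapped result breaks the ordering qsort(3) relies on, which is the advisory the commit links). Suggest `/* overflow-free three-way compare; subtracting the operands is not transitive under qsort(3) */` above the `#define`. Note the macro evaluates both arguments twice, which is harmless for these field reads but would matter if a call with side effects were ever passed in. Each of the four compare functions starts or ends outside its hunk.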
@@ -0,0 +1,47 @@
+From b52e27aeaa563ac998345a6a670493172411b166 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
+Date: Wed, 31 Jan 2024 13:56:10 +0100
+Subject: [PATCH] libsepol: ensure transitivity in compare functions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ensure comparison functions used by qsort(3) fulfill transitivity, since
+otherwise the resulting array might not be sorted correctly or worse[1]
+in case of integer overflows.
+
+[1]: https://www.qualys.com/2024/01/30/qsort.txt
+
+Signed-off-by: Christian Göttsche
+Acked-by: James Carter
+---
+ libsepol/src/kernel_to_common.c | 2 +-
+ libsepol/src/module_to_cil.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libsepol/src/kernel_to_common.c b/libsepol/src/kernel_to_common.c
+index 2422eed08..44f0be23a 100644
+--- a/libsepol/src/kernel_to_common.c
++++ b/libsepol/src/kernel_to_common.c
+@@ -503,7 +503,7 @@ static int ibendport_data_cmp(const void *a, const void *b)
+ if (rc)
+ return rc;
+
+- return (*aa)->u.ibendport.port - (*bb)->u.ibendport.port;
++ return spaceship_cmp((*aa)->u.ibendport.port, (*bb)->u.ibendport.port);
+ }
+
+ static int pirq_data_cmp(const void *a, const void *b)
+diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
+index 0fce7cc7e..6699a46be 100644
+--- a/libsepol/src/module_to_cil.c
++++ b/libsepol/src/module_to_cil.c
+@@ -1681,7 +1681,7 @@ static int class_perm_cmp(const void *a, const void *b)
+ const struct class_perm_datum *aa = a;
+ const struct class_perm_datum *bb = b;
+
+- return aa->val - bb->val;
++ return spaceship_cmp(aa->val, bb->val);
+ }
+
+ static int common_to_cil(char *key, void *data, void *UNUSED(arg))
diff --git a/backport-libsepol-fix-reallocarray-imports.patch b/backport-libsepol-fix-reallocarray-imports.patch
new file mode 100644
index 0000000..8150197
--- /dev/null
+++ b/backport-libsepol-fix-reallocarray-imports.patch
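Review bot: Both hunks call `spaceship_cmp` but neither adds a definition or an include for it, unlike the companion cil_post.c patch, which defines the macro locally; kernel_to_common.c only gains `#include "private.h"` via the separate reallocarray-imports patch, and module_to_cil.c's include list is not visible here. For a backport onto libsepol 3.3 this needs a check that `private.h` in this tree actually defines `spaceship_cmp` and that module_to_cil.c includes it, otherwise the build fails on an implicit declaration; if it does not, carry `#define spaceship_cmp(a, b) (((a) > (b)) - ((a) < (b)))` in the patch the way cil_post.c does. ibendport_data_cmp and class_perm_cmp both start outside the hunk.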
@@ -0,0 +1,45 @@
+From cc1bd5e8344db1016a207c42f8c2962f42c2ffad Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?=
+Date: Thu, 3 Mar 2022 16:23:06 +1100
+Subject: [PATCH] libsepol: fix reallocarray imports
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In f0a5f6e, calls to reallocarray were introduced. Ensure that the
+correct header (private.h) is included when necessary.
+
+Fixes: f0a5f6e ("libsepol: use reallocarray wrapper to avoid overflows")
+Signed-off-by: Thiébaud Weksteen
+Acked-by: James Carter
+Test: Built using Android CI (glibc 2.17)
+---
+ libsepol/src/kernel_to_common.c | 1 +
+ libsepol/src/util.c | 2 ++
+ 2 files changed, 3 insertions(+)
+
+diff --git a/libsepol/src/kernel_to_common.c b/libsepol/src/kernel_to_common.c
+index dc9e689e57..972499abc5 100644
+--- a/libsepol/src/kernel_to_common.c
++++ b/libsepol/src/kernel_to_common.c
+@@ -18,6 +18,7 @@
+ #include
+ #include
+
++#include "private.h"
+ #include "kernel_to_common.h"
+
+
+diff --git a/libsepol/src/util.c b/libsepol/src/util.c
+index b7230564ba..1cd1308d16 100644
+--- a/libsepol/src/util.c
++++ b/libsepol/src/util.c
+@@ -28,6 +28,8 @@
+ #include
+ #include
+
++#include "private.h"
++
+ struct val_to_name {
+ unsigned int val;
+ char *name;
diff --git a/libsepol.spec b/libsepol.spec
index aff2b3d..f8812fd 100644
--- a/libsepol.spec
+++ b/libsepol.spec
@@ -1,6 +1,6 @@
 Name: libsepol
 Version: 3.3
-Release: 7
+Release: 8
 Summary: SELinux binary policy manipulation library
 License: LGPLv2+
 URL: https://github.com/SELinuxProject/selinux/wiki/Releases
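Review bot: The two `#include "private.h"` additions only do what the commit says if f0a5f6e (the overflow-checking reallocarray wrapper this patch's `Fixes:` tag names) is already in the 3.3 tree, and nothing in this series shows it being backported. If it is absent, the includes are harmless but the overflow protection the commit message refers to is still missing, so the build should confirm that private.h here provides `reallocarray` and that kernel_to_common.c and util.c actually call it. A one-line note in the spec or the patch header recording that dependency would save the next packager the same check.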
@@ -42,6 +42,12 @@ Patch0033: backport-libsepol-validate-MLS-levels.patch Patch0034: backport-libsepol-validate-ocontexts.patch Patch0035: backport-libsepol-validate-the-identifier-for-initials-SID-is.patch Patch0036: backport-libsepol-reorder-calloc-3-arguments.patch +Patch0037: backport-libsepol-fix-reallocarray-imports.patch +Patch0038: backport-libsepol-ensure-transitivity-in-compare-functions.patch +Patch0039: backport-libsepol-cil-ensure-transitivity-in-compare-functions.patch +Patch0040: backport-libsepol-Fix-buffer-overflow-when-using-sepol_av_to_.patch +Patch0041: backport-libsepol-cil-Check-common-perms-when-verifiying-all.patch +Patch0042: backport-libsepol-cil-Fix-detected-RESOURCE_LEAK-CWE-772.patch BuildRequires: gcc flex @@ -101,6 +107,9 @@ make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" install %{_mandir}/man3/* %changelog +* Sat Oct 12 2024 yanglongkang - 3.3-8 +- backport bugfix from upstream + * Tue Mar 26 2024 gengqihu - 3.3-7 - backport bugfix from upstream -- Gitee
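Review bot: The six new Patch lines are applied in numeric order and Patch0038 (which switches kernel_to_common.c to `spaceship_cmp`) depends on Patch0037 having first added `#include "private.h"` to that file, so the ordering here is load-bearing; a comment such as `# 0037 must precede 0038: it adds the private.h include that spaceship_cmp needs` would stop a later renumbering from breaking the build. Whether 3.3's private.h defines `spaceship_cmp` at all cannot be seen from the spec and should be confirmed in the build. The changelog entry `backport bugfix from upstream` also does not say that Patch0040 closes the oss-fuzz-reported buffer overflow in sepol_av_to_string() callers (issue 67276); naming it would help anyone triaging this update for security impact.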