From f56a72ac9e86ddfbefedc41080f33fb06639f96b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= Date: Mon, 24 Oct 2022 20:13:54 +1100 Subject: [PATCH] libselinux: ignore invalid class name lookup MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Content-type: text/plain selinux_check_access relies on string_to_security_class to resolve the class index from its char* argument. There is no input validation done on the string provided. It is possible to supply an argument containing trailing backslashes (i.e., "sock_file//////") so that the paths built in discover_class get truncated. The processing will then reference the same permission file multiple times (e.g., perms/watch_reads will be truncated to perms/watch). This will leak the memory allocated when strdup'ing the permission name. The discover_class_cache will end up in an invalid state (but not corrupted). Ensure that the class provided does not contain any path separator. Signed-off-by: Thiébaud Weksteen Acked-by: James Carter --- libselinux/src/stringrep.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c index 2fe69f4391ae..592410e55da0 100644 --- a/libselinux/src/stringrep.c +++ b/libselinux/src/stringrep.c @@ -63,6 +63,9 @@ static struct discover_class_node * discover_class(const char *s) return NULL; } + if (strchr(s, '/') != NULL) + return NULL; + /* allocate a node */ node = malloc(sizeof(struct discover_class_node)); if (node == NULL) -- 2.38.1
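Review bot: the new `if (strchr(s, '/') != NULL)` branch in discover_class() has no comment saying why a slash disqualifies a class name, and the commit message calls the offending characters "trailing backslashes" while both its example ("sock_file//////") and the check itself use forward slashes. A one-line comment above the check, for example `/* s is used to build paths below; reject path separators */`, would keep the reason next to the code, and the message would be easier to search for if it said "slashes". The branch also returns NULL without setting errno; the visible context does not show whether the preceding `return NULL;` sets it, so if that path does, this one should match so callers of string_to_security_class can tell an invalid name from an allocation failure. Finally, the message describes the cause as truncation of the built paths, which this check handles only for names containing '/'; if an over-long name without a slash can also truncate those paths, a length check in the same place would cover that case as well.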