45 lines
1.6 KiB
Diff
45 lines
1.6 KiB
Diff
From f56a72ac9e86ddfbefedc41080f33fb06639f96b Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= <tweek@google.com>
|
|
Date: Mon, 24 Oct 2022 20:13:54 +1100
|
|
Subject: [PATCH] libselinux: ignore invalid class name lookup
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
Content-type: text/plain
|
|
|
|
selinux_check_access relies on string_to_security_class to resolve the
|
|
class index from its char* argument. There is no input validation done
|
|
on the string provided. It is possible to supply an argument containing
|
|
trailing backslashes (i.e., "sock_file//////") so that the paths built
|
|
in discover_class get truncated. The processing will then reference the
|
|
same permission file multiple time (e.g., perms/watch_reads will be
|
|
truncated to perms/watch). This will leak the memory allocated when
|
|
strdup'ing the permission name. The discover_class_cache will end up in
|
|
an invalid state (but not corrupted).
|
|
|
|
Ensure that the class provided does not contain any path separator.
|
|
|
|
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
|
|
Acked-by: James Carter <jwcart2@gmail.com>
|
|
---
|
|
libselinux/src/stringrep.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c
|
|
index 2fe69f4391ae..592410e55da0 100644
|
|
--- a/libselinux/src/stringrep.c
|
|
+++ b/libselinux/src/stringrep.c
|
|
@@ -63,6 +63,9 @@ static struct discover_class_node * discover_class(const char *s)
|
|
return NULL;
|
|
}
|
|
|
|
+ if (strchr(s, '/') != NULL)
|
|
+ return NULL;
|
|
+
|
|
/* allocate a node */
|
|
node = malloc(sizeof(struct discover_class_node));
|
|
if (node == NULL)
|
|
--
|
|
2.38.1
|
|
|