From 69fc31d1fb5d3bc1d4a919285284d1fb9d679a6e Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Thu, 13 May 2021 12:37:59 -0400
Subject: [PATCH] libsepol/cil: Limit the number of open parenthesis allowed
When parsing a CIL policy, the number of open parenthesis is tracked
to verify that each has a matching close parenthesis. If there are
too many open parenthesis, a stack overflow could occur during later
processing.
Exit with an error if the number of open parenthesis exceeds 4096
(which should be enough for any policy.)
This bug was found by the secilc-fuzzer.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
libsepol/cil/src/cil_parser.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libsepol/cil/src/cil_parser.c b/libsepol/cil/src/cil_parser.c
index a93062180ff8..fb95f401f1c7 100644
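--- a/libsepol/cil/src/cil_parser.c
+++ b/libsepol/cil/src/cil_parser.c
@@ -42,6 +42,8 @@
 #include "cil_strpool.h"
 #include "cil_stack.h"
 
+#define CIL_PARSER_MAX_EXPR_DEPTH (0x1 << 12)
+
 char *CIL_KEY_HLL_LMS;
 char *CIL_KEY_HLL_LMX;
 char *CIL_KEY_HLL_LME;
@@ -245,7 +247,10 @@ int cil_parser(const char *_path, char *buffer, uint32_t size, struct cil_tree *
 break;
 case OPAREN:
 paren_count++;
-
+ if (paren_count > CIL_PARSER_MAX_EXPR_DEPTH) {
+ cil_log(CIL_ERR, "Number of open parenthesis exceeds limit of %d at line %d of %s\n", CIL_PARSER_MAX_EXPR_DEPTH, tok.line, path);
+ goto exit;
+ }
 create_node(&node, current, tok.line, hll_lineno, NULL);
 insert_node(node, current);
 current = node;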
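Review bot: The new `goto exit;` in the `case OPAREN:` branch leaves without assigning `rc` in the visible lines, so whether the caller sees a failure depends on what `rc` holds when the limit trips. cil_parser's body starts and ends outside the hunk, so this cannot be confirmed from here. If `rc` can still hold a success value at that point, an over-deep policy would be logged as an error yet returned as parsed; adding `rc = SEPOL_ERR;` before `goto exit;` makes the rejection unconditional. The constant also deserves a comment such as `/* Maximum nesting depth of open parentheses; bounds recursion in later tree processing */` above `CIL_PARSER_MAX_EXPR_DEPTH`, since the log message speaks of a number of parentheses while the name speaks of depth.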
--
2.32.0