From ac8b35d910750b56d38d54f312a712a73c95749c Mon Sep 17 00:00:00 2001 From: James Carter Date: Mon, 21 Jun 2021 10:34:33 -0400 Subject: [PATCH] libsepol/cil: Fix syntax checking of defaultrange rule When "glblub" was added as a default for the defaultrange rule, the syntax array was updated because the "glblub" default does not need to specify a range of "low", "high", or "low-high". Unfortunately, additional checking was not added for the "source" and "target" defaults to make sure they specified a range. This means that using the "source" or "target" defaults without specifying the range will result in a segfault. When the "source" or "target" defaults are used, check that the rule specifies a range as well. This bug was found by the secilc-fuzzer. Signed-off-by: James Carter Acked-by: Nicolas Iooss --- libsepol/cil/src/cil_build_ast.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c index ea665a323f78..baed3e581be4 100644 --- a/libsepol/cil/src/cil_build_ast.c +++ b/libsepol/cil/src/cil_build_ast.c @@ -5886,6 +5886,11 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no object = parse_current->next->next->data; if (object == CIL_KEY_SOURCE) { + if (!parse_current->next->next->next) { + cil_log(CIL_ERR, "Missing 'low', 'high', or 'low-high'\n"); + rc = SEPOL_ERR; + goto exit; + } range = parse_current->next->next->next->data; if (range == CIL_KEY_LOW) { def->object_range = CIL_DEFAULT_SOURCE_LOW; @@ -5899,6 +5904,11 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no goto exit; } } else if (object == CIL_KEY_TARGET) { + if (!parse_current->next->next->next) { + cil_log(CIL_ERR, "Missing 'low', 'high', or 'low-high'\n"); + rc = SEPOL_ERR; + goto exit; + } range = parse_current->next->next->next->data; if (range == CIL_KEY_LOW) { def->object_range = CIL_DEFAULT_TARGET_LOW; -- 2.32.0