91 lines
4.2 KiB
Diff
91 lines
4.2 KiB
Diff
From 521e6a2f478a4c7a7c198c017d4d12e8667d89e7 Mon Sep 17 00:00:00 2001
|
|
From: Nicolas Iooss <nicolas.iooss@m4x.org>
|
|
Date: Sat, 3 Oct 2020 15:19:08 +0200
|
|
Subject: [PATCH] libsepol/cil: fix signed overflow caused by using (1 << 31) -
|
|
1
|
|
|
|
When compiling SELinux userspace tools with -ftrapv (this option
|
|
generates traps for signed overflow on addition, subtraction,
|
|
multiplication operations, instead of silently wrapping around),
|
|
semodule crashes when running the tests from
|
|
scripts/ci/fedora-test-runner.sh in a Fedora 32 virtual machine:
|
|
|
|
[root@localhost selinux-testsuite]# make test
|
|
make -C policy load
|
|
make[1]: Entering directory '/root/selinux-testsuite/policy'
|
|
# Test for "expand-check = 0" in /etc/selinux/semanage.conf
|
|
# General policy build
|
|
make[2]: Entering directory '/root/selinux-testsuite/policy/test_policy'
|
|
Compiling targeted test_policy module
|
|
Creating targeted test_policy.pp policy package
|
|
rm tmp/test_policy.mod.fc
|
|
make[2]: Leaving directory '/root/selinux-testsuite/policy/test_policy'
|
|
# General policy load
|
|
domain_fd_use --> off
|
|
/usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil test_overlay_defaultrange.cil test_add_levels.cil test_glblub.cil
|
|
make[1]: *** [Makefile:174: load] Aborted (core dumped)
|
|
|
|
Using "coredumpctl gdb" leads to the following strack trace:
|
|
|
|
(gdb) bt
|
|
#0 0x00007f608fe4fa25 in raise () from /lib64/libc.so.6
|
|
#1 0x00007f608fe38895 in abort () from /lib64/libc.so.6
|
|
#2 0x00007f6090028aca in __addvsi3.cold () from /lib64/libsepol.so.1
|
|
#3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
|
|
at ../cil/src/cil_binary.c:1551
|
|
#4 0x00007f60900970dd in __cil_permx_bitmap_to_sepol_xperms_list (xperms=0xb650a30, xperms_list=0x7ffce2653b18)
|
|
at ../cil/src/cil_binary.c:1596
|
|
#5 0x00007f6090097286 in __cil_avrulex_ioctl_to_policydb (k=0xb8ec200 "@\023\214\022\006", datum=0xb650a30,
|
|
args=0x239a640) at ../cil/src/cil_binary.c:1649
|
|
#6 0x00007f609003f1e5 in hashtab_map (h=0x41f8710, apply=0x7f60900971da <__cil_avrulex_ioctl_to_policydb>,
|
|
args=0x239a640) at hashtab.c:234
|
|
#7 0x00007f609009ea19 in cil_binary_create_allocated_pdb (db=0x2394f10, policydb=0x239a640)
|
|
at ../cil/src/cil_binary.c:4969
|
|
#8 0x00007f609009d19d in cil_binary_create (db=0x2394f10, policydb=0x7ffce2653d30) at ../cil/src/cil_binary.c:4329
|
|
#9 0x00007f609008ec23 in cil_build_policydb_create_pdb (db=0x2394f10, sepol_db=0x7ffce2653d30)
|
|
at ../cil/src/cil.c:631
|
|
#10 0x00007f608fff4bf3 in semanage_direct_commit () from /lib64/libsemanage.so.1
|
|
#11 0x00007f608fff9fae in semanage_commit () from /lib64/libsemanage.so.1
|
|
#12 0x0000000000403e2b in main (argc=7, argv=0x7ffce2655058) at semodule.c:753
|
|
|
|
(gdb) f 3
|
|
#3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
|
|
at ../cil/src/cil_binary.c:1551
|
|
1551 xperms->perms[i] |= XPERM_SETBITS(h) - XPERM_SETBITS(low);
|
|
|
|
A signed integer overflow therefore occurs in XPERM_SETBITS(h):
|
|
|
|
#define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)
|
|
|
|
This macro is expanded with h=31, so "(1 << 31) - 1" is computed:
|
|
|
|
* (1 << 31) = -0x80000000 is the lowest signed 32-bit integer value
|
|
* (1 << 31) - 1 overflows the capacity of a signed 32-bit integer and
|
|
results in 0x7fffffff (which is unsigned)
|
|
|
|
Using unsigned integers (with "1U") fixes the crash, as
|
|
(1U << 31) = 0x80000000U has no overflowing issues.
|
|
|
|
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
|
|
Acked-by: Petr Lautrbach <plautrba@redhat.com>
|
|
---
|
|
libsepol/cil/src/cil_binary.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
|
|
index 36720eda4549..e417c5c28b8b 100644
|
|
--- a/libsepol/cil/src/cil_binary.c
|
|
+++ b/libsepol/cil/src/cil_binary.c
|
|
@@ -1526,7 +1526,7 @@ int cil_avrule_to_policydb(policydb_t *pdb, const struct cil_db *db, struct cil_
|
|
/* index of the u32 containing the permission */
|
|
#define XPERM_IDX(x) (x >> 5)
|
|
/* set bits 0 through x-1 within the u32 */
|
|
-#define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)
|
|
+#define XPERM_SETBITS(x) ((1U << (x & 0x1f)) - 1)
|
|
/* low value for this u32 */
|
|
#define XPERM_LOW(x) (x << 5)
|
|
/* high value for this u32 */
|
|
--
|
|
2.29.0.rc2
|
|
|