From eb31c5c734978fe03d3d234cdb8de24e9a098eab Mon Sep 17 00:00:00 2001
From: Vit Mojzis
Date: Wed, 16 Oct 2024 12:17:01 +0200
Subject: [PATCH] libsepol-3.7-3
- cil: Check that sym_index is within bounds (RHEL-34823)
- cil: Initialize avtab_datum on declaration (RHEL-34810)
- mls: Do not destroy context on memory error (RHEL-34810)
- cil/cil_post: Initialize tmp on declaration (RHEL-34810)
- Initialize "strs" on declaration (RHEL-34810)
Resolves: RHEL-34823, RHEL-34810
---
 ...heck-that-sym_index-is-within-bounds.patch | 40 +++++++++
 ...nitialize-avtab_datum-on-declaration.patch | 81 +++++++++++++++++++
 ...-not-destroy-context-on-memory-error.patch | 74 +++++++++++++++++
 ...l_post-Initialize-tmp-on-declaration.patch | 40 +++++++++
 ...sepol-Initialize-strs-on-declaration.patch | 63 +++++++++++++++
 changelog | 13 +++
 libsepol.spec | 13 ++-
 7 files changed, 317 insertions(+), 7 deletions(-)
 create mode 100644 0002-libsepol-cil-Check-that-sym_index-is-within-bounds.patch
 create mode 100644 0003-libsepol-cil-Initialize-avtab_datum-on-declaration.patch
 create mode 100644 0004-libsepol-mls-Do-not-destroy-context-on-memory-error.patch
 create mode 100644 0005-libsepol-cil-cil_post-Initialize-tmp-on-declaration.patch
 create mode 100644 0006-libsepol-Initialize-strs-on-declaration.patch
diff --git a/0002-libsepol-cil-Check-that-sym_index-is-within-bounds.patch b/0002-libsepol-cil-Check-that-sym_index-is-within-bounds.patch
new file mode 100644
index 0000000..014c873
--- /dev/null
+++ b/0002-libsepol-cil-Check-that-sym_index-is-within-bounds.patch
@@ -0,0 +1,40 @@
+From d045edd5298a75284ce1cc289d039cce8b7a24ae Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Tue, 23 Jul 2024 16:41:57 +0200
+Subject: [PATCH] libsepol/cil: Check that sym_index is within bounds
+
+Make sure sym_index is within the bounds of symtab array before using it
+to index the array.
+
+Fixes:
+ Error: OVERRUN (CWE-119):
+ libsepol-3.6/cil/src/cil_resolve_ast.c:3157: assignment: Assigning: "sym_index" = "CIL_SYM_UNKNOWN".
+ libsepol-3.6/cil/src/cil_resolve_ast.c:3189: overrun-call: Overrunning callee's array of size 19 by passing argument "sym_index" (which evaluates to 20) in call to "cil_resolve_name".
+ \# 3187| switch (curr->flavor) {
+ \# 3188| case CIL_STRING:
+ \# 3189|-> rc = cil_resolve_name(parent, curr->data, sym_index, db, &res_datum);
+ \# 3190| if (rc != SEPOL_OK) {
+ \# 3191| goto exit;
+
+Signed-off-by: Vit Mojzis
+Acked-by: James Carter
+---
+ libsepol/cil/src/cil_resolve_ast.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
+index 427a320c..da8863c4 100644
+--- a/libsepol/cil/src/cil_resolve_ast.c
++++ b/libsepol/cil/src/cil_resolve_ast.c
+@@ -4291,7 +4291,7 @@ int cil_resolve_name_keep_aliases(struct cil_tree_node *ast_node, char *name, en
+ int rc = SEPOL_ERR;
+ struct cil_tree_node *node = NULL;
+
+- if (name == NULL) {
++ if (name == NULL || sym_index >= CIL_SYM_NUM) {
+ cil_log(CIL_ERR, "Invalid call to cil_resolve_name\n");
+ goto exit;
+ }
+--
+2.47.0
+
diff --git a/0003-libsepol-cil-Initialize-avtab_datum-on-declaration.patch b/0003-libsepol-cil-Initialize-avtab_datum-on-declaration.patch
new file mode 100644
index 0000000..638b7bb
--- /dev/null
+++ b/0003-libsepol-cil-Initialize-avtab_datum-on-declaration.patch
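Review bot: The new guard `sym_index >= CIL_SYM_NUM` in `cil_resolve_name_keep_aliases` stops the symtab overrun, but it reuses the message `"Invalid call to cil_resolve_name\n"`, so a caller that still passes `CIL_SYM_UNKNOWN` (the path the Coverity trace attributes to cil_resolve_ast.c:3157, which this patch does not touch) is indistinguishable in the log from a NULL name. A dedicated message makes the failure diagnosable: `cil_log(CIL_ERR, "Invalid call to cil_resolve_name: sym_index %d out of range\n", (int)sym_index);`. A comment on the condition would also record why the bound exists: `/* sym_index is used to index a CIL_SYM_NUM-sized symtab array; reject CIL_SYM_UNKNOWN and anything past the end */`. If the enum type of `sym_index` is signed (its declaration is not in the hunk), a negative value would still pass this check; the rest of the function lies outside the hunk.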
@@ -0,0 +1,81 @@
+From b332edfc248f7c5bcf651be033e2f06aa5959776 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Wed, 23 Oct 2024 15:43:15 +0200
+Subject: [PATCH] libsepol/cil: Initialize avtab_datum on declaration
+
+avtab_datum.xperms was not always initialized before being used.
+
+Fixes:
+Error: UNINIT (CWE-457):
+libsepol-3.7/cil/src/cil_binary.c:977:2: var_decl: Declaring variable "avtab_datum" without initializer.
+libsepol-3.7/cil/src/cil_binary.c:1059:3: uninit_use_in_call: Using uninitialized value "avtab_datum". Field "avtab_datum.xperms" is uninitialized when calling "__cil_cond_insert_rule".
+ \# 1057| }
+ \# 1058| }
+ \# 1059|-> rc = __cil_cond_insert_rule(&pdb->te_cond_avtab, &avtab_key, &avtab_datum, cond_node, cond_flavor);
+ \# 1060| }
+
+Error: UNINIT (CWE-457):
+libsepol-3.7/cil/src/cil_binary.c:1348:2: var_decl: Declaring variable "avtab_datum" without initializer.
+libsepol-3.7/cil/src/cil_binary.c:1384:3: uninit_use_in_call: Using uninitialized value "avtab_datum". Field "avtab_datum.xperms" is uninitialized when calling "__cil_cond_insert_rule".
+ \# 1382| } else {
+ \# 1383| avtab_datum.data = data;
+ \# 1384|-> rc = __cil_cond_insert_rule(&pdb->te_cond_avtab, &avtab_key, &avtab_datum, cond_node, cond_flavor);
+ \# 1385| }
+ \# 1386|
+
+Signed-off-by: Vit Mojzis
+Acked-by: James Carter
+---
+ libsepol/cil/src/cil_binary.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
+index c8144a5a..66c461eb 100644
+--- a/libsepol/cil/src/cil_binary.c
++++ b/libsepol/cil/src/cil_binary.c
+@@ -974,7 +974,7 @@ static int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t src,
+ {
+ int rc = SEPOL_OK;
+ avtab_key_t avtab_key;
+- avtab_datum_t avtab_datum;
++ avtab_datum_t avtab_datum = { .data = res, .xperms = NULL };
+ avtab_ptr_t existing;
+
+ avtab_key.source_type = src;
+@@ -996,8 +996,6 @@ static int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t src,
+ goto exit;
+ }
+
+- avtab_datum.data = res;
+-
+ existing = avtab_search_node(&pdb->te_avtab, &avtab_key);
+ if (existing) {
+ /* Don't add duplicate type rule and warn if they conflict.
+@@ -1345,7 +1343,7 @@ static int __cil_insert_avrule(policydb_t *pdb, uint32_t kind, uint32_t src, uin
+ {
+ int rc = SEPOL_OK;
+ avtab_key_t avtab_key;
+- avtab_datum_t avtab_datum;
++ avtab_datum_t avtab_datum = { .data = data, .xperms = NULL };
+ avtab_datum_t *avtab_dup = NULL;
+
+ avtab_key.source_type = src;
+@@ -1371,7 +1369,6 @@ static int __cil_insert_avrule(policydb_t *pdb, uint32_t kind, uint32_t src, uin
+ if (!cond_node) {
+ avtab_dup = avtab_search(&pdb->te_avtab, &avtab_key);
+ if (!avtab_dup) {
+- avtab_datum.data = data;
+ rc = avtab_insert(&pdb->te_avtab, &avtab_key, &avtab_datum);
+ } else {
+ if (kind == CIL_AVRULE_DONTAUDIT)
+@@ -1380,7 +1377,6 @@ static int __cil_insert_avrule(policydb_t *pdb, uint32_t kind, uint32_t src, uin
+ avtab_dup->data |= data;
+ }
+ } else {
+- avtab_datum.data = data;
+ rc = __cil_cond_insert_rule(&pdb->te_cond_avtab, &avtab_key, &avtab_datum, cond_node, cond_flavor);
+ }
+
+--
+2.47.0
+
diff --git a/0004-libsepol-mls-Do-not-destroy-context-on-memory-error.patch b/0004-libsepol-mls-Do-not-destroy-context-on-memory-error.patch
new file mode 100644
index 0000000..bb9078f
--- /dev/null
+++ b/0004-libsepol-mls-Do-not-destroy-context-on-memory-error.patch
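Review bot: The designated initializers `{ .data = res, .xperms = NULL }` and `{ .data = data, .xperms = NULL }` fix the uninitialized `xperms` the Coverity trace names, but nothing at either declaration records why the pointer must be set, so a later refactor that moves the value back into a plain `avtab_datum.data = ...` assignment would silently reintroduce the defect. A one-line comment above each declaration would anchor it: `/* Initialize every field: the whole datum is passed by pointer to avtab_insert/__cil_cond_insert_rule, so xperms must not be left indeterminate */`. The point applies to both `__cil_insert_type_rule` and `__cil_insert_avrule`; both functions continue past the hunks shown.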
@@ -0,0 +1,74 @@
+From a67e7419e09e8954dd8d96baaab9ee663a00990c Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Wed, 23 Oct 2024 15:43:16 +0200
+Subject: [PATCH] libsepol/mls: Do not destroy context on memory error
+
+In case of malloc error, ctx1, or ctx2 may be pointing to uninitialized
+space and context_destroy should not be used on it.
+
+Fixes:
+Error: UNINIT (CWE-457):
+libsepol-3.7/src/mls.c:673:2: alloc_fn: Calling "malloc" which returns uninitialized memory.
+libsepol-3.7/src/mls.c:673:2: assign: Assigning: "ctx1" = "malloc(64UL)", which points to uninitialized data.
+libsepol-3.7/src/mls.c:699:2: uninit_use_in_call: Using uninitialized value "ctx1->range.level[0].cat.node" when calling "context_destroy".
+ \# 697| ERR(handle, "could not check if mls context %s contains %s",
+ \# 698| mls1, mls2);
+ \# 699|-> context_destroy(ctx1);
+ \# 700| context_destroy(ctx2);
+ \# 701| free(ctx1);
+
+Error: UNINIT (CWE-457):
+libsepol-3.7/src/mls.c:674:2: alloc_fn: Calling "malloc" which returns uninitialized memory.
+libsepol-3.7/src/mls.c:674:2: assign: Assigning: "ctx2" = "malloc(64UL)", which points to uninitialized data.
+libsepol-3.7/src/mls.c:700:2: uninit_use_in_call: Using uninitialized value "ctx2->range.level[0].cat.node" when calling "context_destroy".
+ \# 698| mls1, mls2);
+ \# 699| context_destroy(ctx1);
+ \# 700|-> context_destroy(ctx2);
+ \# 701| free(ctx1);
+ \# 702| free(ctx2);
+
+Signed-off-by: Vit Mojzis
+Acked-by: James Carter
+---
+ libsepol/src/mls.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/libsepol/src/mls.c b/libsepol/src/mls.c
+index 45db8920..a37405d1 100644
+--- a/libsepol/src/mls.c
++++ b/libsepol/src/mls.c
+@@ -672,8 +672,10 @@ int sepol_mls_contains(sepol_handle_t * handle,
+ context_struct_t *ctx1 = NULL, *ctx2 = NULL;
+ ctx1 = malloc(sizeof(context_struct_t));
+ ctx2 = malloc(sizeof(context_struct_t));
+- if (ctx1 == NULL || ctx2 == NULL)
++ if (ctx1 == NULL || ctx2 == NULL){
++ ERR(handle, "out of memory");
+ goto omem;
++ }
+ context_init(ctx1);
+ context_init(ctx2);
+
+@@ -690,16 +692,14 @@ int sepol_mls_contains(sepol_handle_t * handle,
+ free(ctx2);
+ return STATUS_SUCCESS;
+
+- omem:
+- ERR(handle, "out of memory");
+-
+ err:
+- ERR(handle, "could not check if mls context %s contains %s",
+- mls1, mls2);
+ context_destroy(ctx1);
+ context_destroy(ctx2);
++ omem:
+ free(ctx1);
+ free(ctx2);
++ ERR(handle, "could not check if mls context %s contains %s",
++ mls1, mls2);
+ return STATUS_ERR;
+ }
+
+--
+2.47.0
+
diff --git a/0005-libsepol-cil-cil_post-Initialize-tmp-on-declaration.patch b/0005-libsepol-cil-cil_post-Initialize-tmp-on-declaration.patch
new file mode 100644
index 0000000..12611be
--- /dev/null
+++ b/0005-libsepol-cil-cil_post-Initialize-tmp-on-declaration.patch
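Review bot: `if (ctx1 == NULL || ctx2 == NULL){` in `sepol_mls_contains` drops the space before the brace; write `if (ctx1 == NULL || ctx2 == NULL) {` to match the `) {` form used elsewhere in the library. Moving the generic ERR below `omem:` also means an allocation failure now logs both "out of memory" and "could not check if mls context %s contains %s"; harmless, but if a single message is intended the second ERR belongs back under `err:`. The new label order is sound only because every `goto err` is taken after both `context_init` calls, and those jumps are in the part of the function outside this hunk; a label comment such as `/* err: both contexts initialized; omem: allocated or NULL only, never context_init'd */` would make that invariant explicit for the next edit.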
@@ -0,0 +1,40 @@
+From 77e225361129f02d379e930859406a61420836d7 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Wed, 23 Oct 2024 15:43:17 +0200
+Subject: [PATCH] libsepol/cil/cil_post: Initialize tmp on declaration
+
+tmp.node was not always initialized before being used by
+ebitmap_destroy.
+
+Fixes:
+Error: UNINIT (CWE-457):
+libsepol-3.7/cil/src/cil_post.c:1309:2: var_decl: Declaring variable "tmp" without initializer.
+libsepol-3.7/cil/src/cil_post.c:1382:6: uninit_use_in_call: Using uninitialized value "tmp.node" when calling "ebitmap_destroy".
+ \# 1380| if (rc != SEPOL_OK) {
+ \# 1381| cil_log(CIL_INFO, "Failed to apply operator to bitmaps\n");
+ \# 1382|-> ebitmap_destroy(&tmp);
+ \# 1383| goto exit;
+ \# 1384| }
+
+Signed-off-by: Vit Mojzis
+Acked-by: James Carter
+---
+ libsepol/cil/src/cil_post.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
+index ac99997f..d63a5496 100644
+--- a/libsepol/cil/src/cil_post.c
++++ b/libsepol/cil/src/cil_post.c
+@@ -1315,6 +1315,8 @@ static int __cil_expr_to_bitmap(struct cil_list *expr, ebitmap_t *out, int max,
+ curr = expr->head;
+ flavor = expr->flavor;
+
++ ebitmap_init(&tmp);
++
+ if (curr->flavor == CIL_OP) {
+ enum cil_flavor op = (enum cil_flavor)(uintptr_t)curr->data;
+
+--
+2.47.0
+
diff --git a/0006-libsepol-Initialize-strs-on-declaration.patch b/0006-libsepol-Initialize-strs-on-declaration.patch
new file mode 100644
index 0000000..f45bdbe
--- /dev/null
+++ b/0006-libsepol-Initialize-strs-on-declaration.patch
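Review bot: The subject says "Initialize tmp on declaration", but the inserted `ebitmap_init(&tmp);` is placed after `curr = expr->head;` and `flavor = expr->flavor;` rather than next to the declaration of `tmp` (cil_post.c:1309 per the Coverity trace); the gap is only two assignments today, but the title and the code disagree, and anything added between them later would sit in front of an uninitialized bitmap. Either move the call directly under the declaration or retitle the patch. If one of the operator branches further down in `__cil_expr_to_bitmap` also calls `ebitmap_init(&tmp)` after it has been populated, that would leak the first allocation; the body of the function beyond the hunk is not visible here, so that is worth a quick check rather than an assumption.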
@@ -0,0 +1,63 @@
+From 49926e313ca995ae72d5b6bd82f3f5bbbe5ba0df Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Wed, 23 Oct 2024 15:43:18 +0200
+Subject: [PATCH] libsepol: Initialize "strs" on declaration
+
+The value of "strs" was not always initialized before being used by
+strs_destroy.
+
+Fixes:
+Error: UNINIT (CWE-457):
+libsepol-3.7/src/kernel_to_cil.c:1439:2: var_decl: Declaring variable "strs" without initializer.
+libsepol-3.7/src/kernel_to_cil.c:1487:2: uninit_use_in_call: Using uninitialized value "strs" when calling "strs_destroy".
+ \# 1485|
+ \# 1486| exit:
+ \# 1487|-> strs_destroy(&strs);
+ \# 1488|
+ \# 1489| if (rc != 0) {
+
+Error: UNINIT (CWE-457):
+libsepol-3.7/src/kernel_to_conf.c:1422:2: var_decl: Declaring variable "strs" without initializer.
+libsepol-3.7/src/kernel_to_conf.c:1461:2: uninit_use_in_call: Using uninitialized value "strs" when calling "strs_destroy".
+ \# 1459|
+ \# 1460| exit:
+ \# 1461|-> strs_destroy(&strs);
+ \# 1462|
+ \# 1463| if (rc != 0) {
+
+Signed-off-by: Vit Mojzis
+Acked-by: James Carter
+---
+ libsepol/src/kernel_to_cil.c | 2 +-
+ libsepol/src/kernel_to_conf.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
+index f94cb245..9c2690be 100644
+--- a/libsepol/src/kernel_to_cil.c
++++ b/libsepol/src/kernel_to_cil.c
+@@ -1436,7 +1436,7 @@ static int map_type_aliases_to_strs(char *key, void *data, void *args)
+ static int write_type_alias_rules_to_cil(FILE *out, struct policydb *pdb)
+ {
+ type_datum_t *alias;
+- struct strs *strs;
++ struct strs *strs = NULL;
+ char *name;
+ char *type;
+ unsigned i, num = 0;
+diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
+index ca91ffae..661546af 100644
+--- a/libsepol/src/kernel_to_conf.c
++++ b/libsepol/src/kernel_to_conf.c
+@@ -1419,7 +1419,7 @@ static int map_type_aliases_to_strs(char *key, void *data, void *args)
+ static int write_type_alias_rules_to_conf(FILE
*out, struct policydb *pdb)
+ {
+ type_datum_t *alias;
+- struct strs *strs;
++ struct strs *strs = NULL;
+ char *name;
+ char *type;
+ unsigned i, num = 0;
+--
+2.47.0
+
diff --git a/changelog b/changelog
index 50f2a80..d464875 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,16 @@
+* Tue Nov 12 2024 Vit Mojzis - 3.7-4
+- cil: Check that sym_index is within bounds (RHEL-34823)
+- cil: Initialize avtab_datum on declaration (RHEL-34810)
+- mls: Do not destroy context on memory error (RHEL-34810)
+- cil/cil_post: Initialize tmp on declaration (RHEL-34810)
+- Initialize "strs" on declaration (RHEL-34810)
+
+* Tue Oct 29 2024 Troy Dawson - 3.7-3
+- Bump release for October 2024 mass rebuild (RHEL-64018)
+
+* Fri Aug 09 2024 Vit Mojzis - 3.7-2
+- sepol_compute_sid: Do not destroy uninitialized context (RHEL-34808)
+
 * Thu Jun 27 2024 Petr Lautrbach - 3.7-1
 - SELinux userspace 3.7 release
diff --git a/libsepol.spec b/libsepol.spec
index de0c2f1..9a91180 100644
--- a/libsepol.spec
+++ b/libsepol.spec
@@ -1,7 +1,7 @@
 Summary: SELinux binary policy manipulation library
 Name: libsepol
 Version: 3.7
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: LGPL-2.1-or-later
 Source0: https://github.com/SELinuxProject/selinux/releases/download/3.7/libsepol-3.7.tar.gz
 Source1: https://github.com/SELinuxProject/selinux/releases/download/3.7/libsepol-3.7.tar.gz.asc
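Review bot: `struct strs *strs = NULL;` makes the `exit:` path in `write_type_alias_rules_to_cil` call `strs_destroy(&strs)` with a NULL pointer on the early-failure paths that previously handed it an indeterminate value, so the fix is complete only if `strs_destroy` accepts a NULL `*strs`; that function is not in the hunk, so it should be confirmed and recorded on the declaration, e.g. `/* NULL until allocated; strs_destroy() on the exit path must tolerate NULL */`. The same change and the same caveat apply to `write_type_alias_rules_to_conf` in the kernel_to_conf.c hunk of this patch. Both functions continue beyond the lines shown, including the `exit:` label the Coverity trace points at.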
@@ -13,6 +13,11 @@ URL: https://github.com/SELinuxProject/selinux/wiki
 # $ i=1; for j in 0*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
 # Patch list start
 Patch0001: 0001-libsepol-sepol_compute_sid-Do-not-destroy-uninitiali.patch
+Patch0002: 0002-libsepol-cil-Check-that-sym_index-is-within-bounds.patch
+Patch0003: 0003-libsepol-cil-Initialize-avtab_datum-on-declaration.patch
+Patch0004: 0004-libsepol-mls-Do-not-destroy-context-on-memory-error.patch
+Patch0005: 0005-libsepol-cil-cil_post-Initialize-tmp-on-declaration.patch
+Patch0006: 0006-libsepol-Initialize-strs-on-declaration.patch
 # Patch list end
 BuildRequires: make
 BuildRequires: gcc
@@ -111,11 +116,5 @@ rm -rf ${RPM_BUILD_ROOT}%{_mandir}/ru/man8
 %{_mandir}/man8/chkcon.8.gz
 %changelog
-* Tue Oct 29 2024 Troy Dawson - 3.7-3
-- Bump release for October 2024 mass rebuild:
- Resolves: RHEL-64018
-
-* Fri Aug 09 2024 Vit Mojzis - 3.7-2
-- sepol_compute_sid: Do not destroy uninitialized context (RHEL-34808)
 %autochangelog