Rebase on upstream commit 32611aea6543 See $ cd SELinuxProject/selinux $ git log --pretty=oneline libsepol-3.2..32611aea6543 -- libsepol
From 69fc31d1fb5d3bc1d4a919285284d1fb9d679a6e Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Thu, 13 May 2021 12:37:59 -0400
Subject: [PATCH] libsepol/cil: Limit the number of open parenthesis allowed
When parsing a CIL policy, the number of open parenthesis is tracked
to verify that each has a matching close parenthesis. If there are
too many open parenthesis, a stack overflow could occur during later
processing.
Exit with an error if the number of open parenthesis exceeds 4096
(which should be enough for any policy.)
This bug was found by the secilc-fuzzer.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
libsepol/cil/src/cil_parser.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libsepol/cil/src/cil_parser.c b/libsepol/cil/src/cil_parser.c
index a93062180ff8..fb95f401f1c7 100644
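--- a/libsepol/cil/src/cil_parser.c
+++ b/libsepol/cil/src/cil_parser.c
@@ -42,6 +42,8 @@
 #include "cil_strpool.h"
 #include "cil_stack.h"
 
+#define CIL_PARSER_MAX_EXPR_DEPTH (0x1 << 12)
+
 char *CIL_KEY_HLL_LMS;
 char *CIL_KEY_HLL_LMX;
 char *CIL_KEY_HLL_LME;
@@ -245,7 +247,10 @@ int cil_parser(const char *_path, char *buffer, uint32_t size, struct cil_tree *
 break;
 case OPAREN:
 paren_count++;
-
+ if (paren_count > CIL_PARSER_MAX_EXPR_DEPTH) {
+ cil_log(CIL_ERR, "Number of open parenthesis exceeds limit of %d at line %d of %s\n", CIL_PARSER_MAX_EXPR_DEPTH, tok.line, path);
+ goto exit;
+ }
 create_node(&node, current, tok.line, hll_lineno, NULL);
 insert_node(node, current);
 current = node;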
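Review bot: The new over-limit branch under `case OPAREN:` jumps to `exit` without assigning `rc` in the visible lines, so the value cil_parser returns on this path is whatever `rc` held before, which the hunk does not show. If `rc` can still be `SEPOL_OK` at that point (for example after an earlier successful call in the loop), the caller would treat a truncated parse tree as a successful parse; setting it explicitly with `rc = SEPOL_ERR;` before `goto exit;` makes the rejection unconditional. A short comment on the macro would also record why the bound exists, e.g. `/* Maximum nesting depth of open parentheses; deeper input could overflow the stack in later processing. */`. cil_parser's body starts and ends outside the hunk, so the initial value of `rc` and the `exit` label should be checked there.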
--
2.32.0