From c3f0124b1817dd4bdc79c86491d77a7a2b08d479 Mon Sep 17 00:00:00 2001 From: James Carter Date: Wed, 16 Mar 2022 16:15:57 -0400 Subject: [PATCH] libsepol: Validate conditional expressions When validating a policydb, validate the conditional expressions including the values of the booleans within them. Found by oss-fuzz (#45523) Signed-off-by: James Carter Reference: https://github.com/SELinuxProject/selinux/commit/c3f0124b1817dd4bdc79c86491d77a7a2b08d479 Conflict: NA --- libsepol/src/policydb_validate.c | 43 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c index 40e68ac..da3c7c5 100644 --- a/libsepol/src/policydb_validate.c +++ b/libsepol/src/policydb_validate.c @@ -470,9 +470,52 @@ bad: return -1; } +static int validate_cond_expr(sepol_handle_t *handle, struct cond_expr *expr, validate_t *bool) +{ + int depth = -1; + + for (; expr; expr = expr->next) { + switch(expr->expr_type) { + case COND_BOOL: + if (validate_value(expr->bool, bool)) + goto bad; + if (depth == (COND_EXPR_MAXDEPTH - 1)) + goto bad; + depth++; + break; + case COND_NOT: + if (depth < 0) + goto bad; + break; + case COND_OR: + case COND_AND: + case COND_XOR: + case COND_EQ: + case COND_NEQ: + if (depth < 1) + goto bad; + depth--; + break; + default: + goto bad; + } + } + + if (depth != 0) + goto bad; + + return 0; + +bad: + ERR(handle, "Invalid cond expression"); + return -1; +} + static int validate_cond_list(sepol_handle_t *handle, cond_list_t *cond, validate_t flavors[]) { for (; cond; cond = cond->next) { + if (validate_cond_expr(handle, cond->expr, &flavors[SYM_BOOLS])) + goto bad; if (validate_cond_av_list(handle, cond->true_list, flavors)) goto bad; if (validate_cond_av_list(handle, cond->false_list, flavors))