tequilaOS/platform_external_selinux
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

libsepol/cil: Use empty list for category expression evaluated as empty

Browse source 
Nicolas Iooss found while fuzzing secilc with AFL that the following
policy will cause a segfault.

(category c0)
(category c1)
(categoryorder (c0 c1))
(sensitivity s0)
(sensitivitycategory s0 (not (all)))

The expression "(not (all))" is evaluated as containing no categories.
There is a check for the resulting empty list and the category datum
expression is set to NULL. The segfault occurs because the datum
expression is assumed to be non-NULL after evaluation.

Assign the list to the datum expression even if it is empty.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
This commit is contained in:
James Carter 2016-10-18 14:19:03 -04:00
parent 1fc2f2f5ca
commit 1b3b36aeec
1 changed files with 1 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
libsepol/cil/src/cil_post.c
View file

@ -865,13 +865,7 @@ static int __evaluate_cat_expression(struct cil_cats *cats, struct cil_db *db)
ebitmap_destroy(&bitmap);
cil_list_destroy(&cats->datum_expr, CIL_FALSE);
if (new->head != NULL) {
cats->datum_expr = new;
} else {
/* empty list */
cil_list_destroy(&new, CIL_FALSE);
cats->datum_expr = NULL;
}
cats->datum_expr = new;
cats->evaluated = CIL_TRUE;