From af29a235531f66882e5a027e1348658b8d8c1e68 Mon Sep 17 00:00:00 2001

From: Nicolas Iooss <nicolas.iooss@m4x.org>

Date: Mon, 12 Jul 2021 10:44:28 +0200

Subject: [PATCH] libsepol/cil: do not allow \0 in quoted strings

Using the '\0' character in strings in a CIL policy is not expected to

happen, and makes the flex tokenizer very slow. For example when

generating a file with:

    python -c 'print("\"" + "\0"*100000 + "\"")' > policy.cil

secilc fails after 26 seconds, on my desktop computer. Increasing the

numbers of \0 makes this time increase significantly. But replacing \0

with another character makes secilc fail in only few milliseconds.

Fix this "possible denial of service" issue by forbidding \0 in strings

in CIL policies.

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36016

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

---

 libsepol/cil/src/cil_lexer.l | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libsepol/cil/src/cil_lexer.l b/libsepol/cil/src/cil_lexer.l

index e28c33ecb9f1..8bf2b6e7765a 100644

--- a/libsepol/cil/src/cil_lexer.l

+++ b/libsepol/cil/src/cil_lexer.l

@@ -49,7 +49,7 @@ spec_char	[\[\]\.\@\=\/\*\-\_\$\%\+\-\!\|\&\^\:\~\`\#\{\}\'\<\>\?\,]

 symbol		({digit}|{alpha}|{spec_char})+

 white		[ \t]

 newline		[\n\r]

-qstring		\"[^"\n]*\"

+qstring		\"[^"\n\0]*\"

 hll_lm          ^;;\*

 comment		;

-- 

2.32.0