From 2b2f42f9311ede75c3fe61d356094999e8e161b9 Mon Sep 17 00:00:00 2001 From: James Carter Date: Thu, 8 Apr 2021 13:24:29 -0400 Subject: [PATCH] libsepol/cil: Fix out-of-bound read of file context pattern ending with "\" Based on patch by Nicolas Iooss, who writes: OSS-Fuzz found a Heap-buffer-overflow in the CIL compiler when trying to compile the following policy: (sid SID) (sidorder(SID)) (filecon "\" any ()) (filecon "" any ()) When cil_post_fc_fill_data() processes "\", it goes beyond the NUL terminator of the string. Fix this by returning when '\0' is read after a backslash. To be consistent with the function compute_diffdata() in refpolicy/support/fc_sort.py, also increment str_len in this case. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28484 Reported-by: Nicolas Iooss Signed-off-by: James Carter --- libsepol/cil/src/cil_post.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c index 0b09cecc..bdeaa7c6 100644 --- a/libsepol/cil/src/cil_post.c +++ b/libsepol/cil/src/cil_post.c @@ -179,6 +179,13 @@ void cil_post_fc_fill_data(struct fc_data *fc, char *path) break; case '\\': c++; + if (path[c] == '\0') { + if (!fc->meta) { + fc->stem_len++; + } + fc->str_len++; + return; + } /* FALLTHRU */ default: if (!fc->meta) { -- 2.30.2