Installation of libsepol fails when using /usr/lib #2

Closed
fishilico opened this issue Oct 18, 2014 · 0 comments

Hi,

I'm packaging libsepol for Arch Linux and as this distro is using /usr/lib for all libraries, I'm using this command line to install libsepol:

    make DESTDIR="${pkgdir}" LIBDIR="${pkgdir}"/usr/lib SHLIBDIR="${pkgdir}"/usr/lib install

However, this creates a broken symlink, as /usr/lib/libsepol.so is linked to ../../lib/libsepol.so.1, which does not exist in the temporary build directory.

This symlink is created by https://github.com/SELinuxProject/selinux/blob/libsepol-2.4-rc3/libsepol/src/Makefile#L73 :

    cd $(LIBDIR) && ln -sf ../../`basename $(SHLIBDIR)`/$(LIBSO) $(TARGET)

... which is expanded to:

    cd /tmp/makepkg-user/libsepol/pkg/libsepol/usr/lib && ln -sf ../../`basename /tmp/makepkg-user/libsepol/pkg/libsepol/usr/lib`/libsepol.so.1 libsepol.so

... which is buggy.

A possible solution consists in replacing the command in the Makefile with ln -sf --relative $(SHLIBDIR)/$(LIBSO) $(LIBDIR)/$(TARGET), available since coreutils-8.16 (according to http://savannah.gnu.org/forum/forum.php?forum_id=7170).

Could you please do this before the next release, for all libraries in this project?

stephensmalley pushed a commit that referenced this issue Nov 23, 2016
When hll/pp reads an invalid policy module where some scopes use
required symbols which are not defined, the program crashes with a
segmentation fault in required_scopes_to_cil():

    Program received signal SIGSEGV, Segmentation fault.
    required_scopes_to_cil (decl_stack=0x6040b0, block=0x607780,
    pdb=0x6042e0, indent=0) at module_to_cil.c:3479
    3479                for (j = 0; j < scope_datum->decl_ids_len; j++)
    {
    => 0x00007ffff7a7b1a8 <block_to_cil+5224>:  44 8b 58 10 mov
    0x10(%rax),%r11d

    (gdb) bt
    #0  required_scopes_to_cil (decl_stack=0x6040b0, block=0x607780,
    pdb=0x6042e0, indent=0) at module_to_cil.c:3479
    #1  block_to_cil (pdb=pdb@entry=0x6042e0,
    block=block@entry=0x607780, stack=stack@entry=0x6040b0,
    indent=indent@entry=0) at module_to_cil.c:3622
    #2  0x00007ffff7a85a18 in global_block_to_cil (stack=0x6040b0,
    block=0x607780, pdb=0x6042e0) at module_to_cil.c:3738
    #3  blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3764
    #4  sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79d05e0
    <_IO_2_1_stdout_>, pdb=0x6042e0, linked=linked@entry=0) at
    module_to_cil.c:4051
    #5  0x00007ffff7a86b55 in sepol_module_package_to_cil
    (fp=fp@entry=0x7ffff79d05e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at
    module_to_cil.c:4080
    #6  0x0000000000401acc in main (argc=<optimized out>,
    argv=<optimized out>) at pp.c:150

    (gdb) p scope_datum
    $1 = (struct scope_datum *) 0x0

Detect such errors and exit with an error return value.

Signed-off-by: Nicolas Iooss <[email protected]>
stephensmalley pushed a commit that referenced this issue Nov 23, 2016
When scope_index_read() fails while attempting to allocate memory for
scope_index->class_perms_map, scope_index_destroy() gets called with
scope->class_perms_len != 0 and scope->class_perms_map == NULL. This
triggers the following segmentation fault (in semodule_package):

    Program received signal SIGSEGV, Segmentation fault.
    ebitmap_destroy (e=0x10) at ebitmap.c:362
    362     n = e->node;
    => 0x00007ffff79ff7f6 <ebitmap_destroy+134>:    48 8b 3f    mov
    (%rdi),%rdi

    (gdb) bt
    #0  ebitmap_destroy (e=0x10) at ebitmap.c:362
    #1  0x00007ffff79e2c37 in scope_index_destroy (scope=0x608860) at
    avrule_block.c:87
    #2  avrule_decl_destroy (x=0x608830) at avrule_block.c:103
    #3  0x00007ffff7aae99c in avrule_block_read (fp=0x605090,
    num_scope_syms=8, block=0x6054e8, p=0x605360) at policydb.c:3598
    #4  policydb_read (p=0x605360, fp=fp@entry=0x605090,
    verbose=verbose@entry=0) at policydb.c:3946
    #5  0x00007ffff7ab4ab4 in sepol_policydb_read (p=<optimized out>,
    pf=pf@entry=0x605090) at policydb_public.c:174
    #6  0x0000000000401d33 in main (argc=<optimized out>,
    argv=0x7fffffffdc88) at semodule_package.c:220

    (gdb) f 1

    (gdb) p *scope
    $1 = {scope = {{node = 0x0, highbit = 0}, {node = 0x0, highbit = 0},
    {node = 0x0, highbit = 0}, {node = 0x0, highbit = 0}, {node = 0x0,
    highbit = 0}, {node = 0x0, highbit = 0}, {node = 0x0, highbit = 0},
    {node = 0x0, highbit = 0}}, class_perms_map = 0x0, class_perms_len =
    4294934272}

Signed-off-by: Nicolas Iooss <[email protected]>
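
Added example, not part of the commit above or of libsepol: a small C model of the state in the gdb dump (class_perms_len != 0 while class_perms_map == NULL), with a read routine that publishes the length only after the allocation succeeds and a destructor that tolerates the inconsistent state. All demo_* names and the injectable allocator are assumptions made for illustration.

```c
/* Added example, not libsepol code: all demo_* names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct demo_bitmap { unsigned char *bits; };   /* stand-in for an ebitmap */

struct demo_scope {
    struct demo_bitmap *class_perms_map;       /* class_perms_len entries */
    uint32_t class_perms_len;
};

/* The allocator is injectable so an allocation failure can be forced. */
typedef void *(*demo_calloc_fn)(size_t nmemb, size_t size);

static void *demo_failing_calloc(size_t nmemb, size_t size)
{
    (void)nmemb;
    (void)size;
    return NULL;                               /* simulates out-of-memory */
}

static unsigned demo_released;                 /* bitmaps released so far */

void demo_scope_destroy(struct demo_scope *s)
{
    if (s == NULL)
        return;
    /* Never walk the array when it was not allocated, whatever len says. */
    if (s->class_perms_map != NULL) {
        for (uint32_t i = 0; i < s->class_perms_len; i++) {
            free(s->class_perms_map[i].bits);
            demo_released++;
        }
        free(s->class_perms_map);
    }
    s->class_perms_map = NULL;
    s->class_perms_len = 0;
}

/* len_from_file comes from the untrusted module file. */
int demo_scope_read(struct demo_scope *s, uint32_t len_from_file,
                    demo_calloc_fn alloc)
{
    struct demo_bitmap *map;

    s->class_perms_map = NULL;
    s->class_perms_len = 0;
    if (len_from_file == 0)
        return 0;
    map = alloc(len_from_file, sizeof(*map));
    if (map == NULL)
        return -1;                 /* len is still 0: object is consistent */
    s->class_perms_map = map;
    s->class_perms_len = len_from_file;   /* publish only after success */
    return 0;
}

/* 1 when a failed read leaves an object that can be destroyed safely. */
int demo_failed_read_is_consistent(void)
{
    struct demo_scope s;
    /* 4294934272 is the class_perms_len value shown in the gdb dump. */
    int rc = demo_scope_read(&s, 4294934272u, demo_failing_calloc);
    int ok = (rc == -1 && s.class_perms_map == NULL && s.class_perms_len == 0);

    demo_scope_destroy(&s);
    return ok;
}

/* 1 when the destructor survives the exact state from the gdb dump. */
int demo_destroy_tolerates_page_state(void)
{
    struct demo_scope s = { NULL, 4294934272u };

    demo_released = 0;
    demo_scope_destroy(&s);
    return demo_released == 0 && s.class_perms_len == 0;
}

/* Number of bitmaps released after a successful read of len entries. */
unsigned demo_good_read_releases(uint32_t len)
{
    struct demo_scope s;

    demo_released = 0;
    if (demo_scope_read(&s, len, calloc) != 0)
        return 0;
    demo_scope_destroy(&s);
    return demo_released;
}

int main(void)
{
    printf("failed read consistent: %d\n", demo_failed_read_is_consistent());
    printf("destroy tolerates NULL map: %d\n", demo_destroy_tolerates_page_state());
    printf("released after good read: %u\n", demo_good_read_releases(4));
    return 0;
}
```
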
stephensmalley pushed a commit that referenced this issue Nov 29, 2016
When loading an invalid module which uses a declaration ID 0,
semodule_package crashes in policydb_index_decls():

    p->decl_val_to_struct[decl->decl_id - 1] = decl;

gdb shows the following stack trace:

    #0  0x00007ffff7aa1bbd in policydb_index_decls (p=p@entry=0x605360)
    at policydb.c:1034
    #1  0x00007ffff7aaa9fc in policydb_read (p=<optimized out>,
    fp=fp@entry=0x605090, verbose=verbose@entry=0) at policydb.c:3958
    #2  0x00007ffff7ab4764 in sepol_policydb_read (p=<optimized out>,
    pf=pf@entry=0x605090) at policydb_public.c:174
    #3  0x0000000000401d33 in main (argc=<optimized out>,
    argv=0x7fffffffdc88) at semodule_package.c:220

Change policydb_index_decls() to report an error instead:

    libsepol.policydb_index_decls: invalid decl ID 0

Signed-off-by: Nicolas Iooss <[email protected]>
stephensmalley pushed a commit that referenced this issue Jan 9, 2017
When sepol_polcap_getname() is called with a negative capnum, it
dereferences polcap_names[capnum] which produces a segmentation fault
most of the time.

For information, here is a gdb session when hll/pp loads a policy module
which has been mutated by American Fuzzy Lop:

    Program received signal SIGSEGV, Segmentation fault.
    sepol_polcap_getname (capnum=capnum@entry=-4259840) at polcaps.c:34
    34      return polcap_names[capnum];
    => 0x00007ffff7a8da07 <sepol_polcap_getname+135>:   48 8b 04 f8 mov
    (%rax,%rdi,8),%rax

    (gdb) bt
    #0  sepol_polcap_getname (capnum=capnum@entry=-4259840) at
    polcaps.c:34
    #1  0x00007ffff7a7c440 in polcaps_to_cil (pdb=0x6042e0) at
    module_to_cil.c:2492
    #2  sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79c75e0
    <_IO_2_1_stdout_>, pdb=0x6042e0, linked=linked@entry=0) at
    module_to_cil.c:4039
    #3  0x00007ffff7a7e695 in sepol_module_package_to_cil
    (fp=fp@entry=0x7ffff79c75e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at
    module_to_cil.c:4087
    #4  0x0000000000401acc in main (argc=<optimized out>,
    argv=<optimized out>) at pp.c:150

Signed-off-by: Nicolas Iooss <[email protected]>
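
Added example, not part of these commits or of libsepol: the two index bugs described above (decl_id - 1 with a declaration ID of 0, and polcap_names[capnum] with a negative capnum) reduced to a small C model with the range checks in place. The demo_* names, the table sizes and the upper-bound check are assumptions made for illustration.

```c
/* Added example, not libsepol code: all demo_* names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DEMO_POLCAP_MAX 2          /* hypothetical highest capability number */

static const char *const demo_polcap_names[DEMO_POLCAP_MAX + 1] = {
    "demo_cap_zero", "demo_cap_one", "demo_cap_two"
};

/* capnum is a signed int taken from the file: check both ends of the range. */
const char *demo_polcap_getname(int capnum)
{
    if (capnum < 0 || capnum > DEMO_POLCAP_MAX)
        return NULL;
    return demo_polcap_names[capnum];
}

struct demo_decl { uint32_t decl_id; };

/* Slot an unchecked "table[decl_id - 1]" would use: ID 0 wraps around. */
uint32_t demo_unchecked_slot(uint32_t decl_id)
{
    return decl_id - 1u;
}

/* Declaration IDs are 1-based; reject 0 and anything past the table. */
int demo_index_decls(struct demo_decl *decls, size_t ndecls,
                     struct demo_decl **table, size_t table_len)
{
    for (size_t i = 0; i < table_len; i++)
        table[i] = NULL;
    for (size_t i = 0; i < ndecls; i++) {
        uint32_t id = decls[i].decl_id;

        if (id == 0 || id > table_len) {
            fprintf(stderr, "demo_index_decls: invalid decl ID %u\n",
                    (unsigned)id);
            return -1;
        }
        table[id - 1] = &decls[i];
    }
    return 0;
}

/* Index three constructed declaration IDs into a three-slot table. */
int demo_index_three(uint32_t a, uint32_t b, uint32_t c)
{
    struct demo_decl decls[3] = { { a }, { b }, { c } };
    struct demo_decl *table[3];

    return demo_index_decls(decls, 3, table, 3);
}

int main(void)
{
    /* -4259840 is the capnum value shown in the gdb session. */
    const char *name = demo_polcap_getname(-4259840);

    printf("capnum -4259840 -> %s\n", name ? name : "(rejected)");
    printf("unchecked slot for decl ID 0: %u\n",
           (unsigned)demo_unchecked_slot(0));
    printf("ids 1,2,3 -> %d\n", demo_index_three(1, 2, 3));
    printf("ids 1,0,3 -> %d\n", demo_index_three(1, 0, 3));
    return 0;
}
```
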
jwcart2 pushed a commit that referenced this issue Jan 23, 2017
While checkmodule tries to compile the following policy file and fails
because class "process" is not found, it does not free some allocated
memory:

    module ckpol_leaktest 1.0.0;
    require {type TYPE1;}
    allow TYPE1 self:process fork;

clang memory sanitizer output is:

=================================================================
==16050==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 136 byte(s) in 1 object(s) allocated from:
    #0 0x7f8bd8127608 in malloc (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0xf6608)
    #1 0x41a620 in define_te_avtab_helper /usr/src/selinux/checkpolicy/policy_define.c:2450:24
    #2 0x41b6c8 in define_te_avtab /usr/src/selinux/checkpolicy/policy_define.c:2621:6
    #3 0x40522b in yyparse /usr/src/selinux/checkpolicy/policy_parse.y:470:10
    #4 0x411816 in read_source_policy /usr/src/selinux/checkpolicy/parse_util.c:64:6
    #5 0x7f8bd7cb3290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)

Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x7f8bd8127608 in malloc (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0xf6608)
    #1 0x411c87 in insert_id /usr/src/selinux/checkpolicy/policy_define.c:120:18

Indirect leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x7f8bd8127608 in malloc (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0xf6608)
    #1 0x43133c in ebitmap_set_bit /usr/src/selinux/libsepol/src/ebitmap.c:321:27

Indirect leak of 18 byte(s) in 1 object(s) allocated from:
    #0 0x7f8bd80b5eb0 in __interceptor___strdup (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0x84eb0)
    #1 0x41a6e5 in define_te_avtab_helper /usr/src/selinux/checkpolicy/policy_define.c:2460:28
    #2 0x41b6c8 in define_te_avtab /usr/src/selinux/checkpolicy/policy_define.c:2621:6
    #3 0x40522b in yyparse /usr/src/selinux/checkpolicy/policy_parse.y:470:10
    #4 0x411816 in read_source_policy /usr/src/selinux/checkpolicy/parse_util.c:64:6
    #5 0x7f8bd7cb3290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)

SUMMARY: AddressSanitizer: 186 byte(s) leaked in 4 allocation(s).

Signed-off-by: Nicolas Iooss <[email protected]>
jwcart2 pushed a commit that referenced this issue Feb 8, 2017
When running secilc on the following CIL file, the program tries to free
the data associated with type X using cil_destroy_typeattribute():

    (macro sys_obj_type ((user ARG1)) (typeattribute X))

    (block B
        (type X)
        (call sys_obj_type (Y))
    )

By adding some printf statements to cil_typeattribute_init(),
cil_type_init() and cil_destroy_typeattribute(), the error message I get
when using gcc's address sanitizer is:

$ secilc -o /dev/null -f /dev/null test.cil -vvvvvv
creating TYPE 0x60400000dfd0
Parsing 2017-02-02_crashing_nulptrderef_cil.cil
Building AST from Parse Tree
creating TYPEATTR 0x60600000e420
creating TYPE 0x60400000df50
Destroying Parse Tree
Resolving AST
Failed to resolve call statement at 2017-02-02_crashing_nulptrderef_cil.cil:5
Problem at 2017-02-02_crashing_nulptrderef_cil.cil:5
Pass 8 of resolution failed
Failed to resolve ast
Failed to compile cildb: -2
Destroying TYPEATTR 0x60600000e420, types (nil) name X
Destroying TYPEATTR 0x60400000df50, types 0xbebebebe00000000 name X
ASAN:DEADLYSIGNAL
=================================================================
==30684==ERROR: AddressSanitizer: SEGV on unknown address
0x000000000000 (pc 0x7fc0539d114a bp 0x7ffc1fbcb300 sp
0x7ffc1fbcb2f0 T0)
    #0 0x7fc0539d1149 in ebitmap_destroy /usr/src/selinux/libsepol/src/ebitmap.c:356
    #1 0x7fc053b96201 in cil_destroy_typeattribute ../cil/src/cil_build_ast.c:2370
    #2 0x7fc053b42ea4 in cil_destroy_data ../cil/src/cil.c:616
    #3 0x7fc053c595bf in cil_tree_node_destroy ../cil/src/cil_tree.c:235
    #4 0x7fc053c59819 in cil_tree_children_destroy ../cil/src/cil_tree.c:201
    #5 0x7fc053c59958 in cil_tree_subtree_destroy ../cil/src/cil_tree.c:172
    #6 0x7fc053c59a27 in cil_tree_destroy ../cil/src/cil_tree.c:165
    #7 0x7fc053b44fd7 in cil_db_destroy ../cil/src/cil.c:299
    #8 0x4026a1 in main /usr/src/selinux/secilc/secilc.c:335
    #9 0x7fc0535e5290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
    #10 0x403af9 in _start (/usr/src/selinux/DESTDIR/usr/bin/secilc+0x403af9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/src/selinux/libsepol/src/ebitmap.c:356 in ebitmap_destroy
==30684==ABORTING

When copying the AST tree in cil_resolve_call1(),
__cil_copy_node_helper() calls cil_copy_typeattribute() to grab type X
in the symbol table of block B, and creates a node with the data of X
but with CIL_TYPEATTRIBUTE flavor.

This example is a "type confusion" bug between cil_type and
cil_typeattribute structures. It can be generalized to any couple of
structures sharing the same symbol table (an easy way of finding other
couples is by reading the code of cil_flavor_to_symtab_index()).

Fix this issue in a "generic" way in __cil_copy_node_helper(), by
verifying that the flavor of the found data is the same as expected and
triggering an error when it is not.

Signed-off-by: Nicolas Iooss <[email protected]>
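
Added example, not part of the commit above or of the CIL code: a small C model of a symbol table shared by two structure kinds, where the copy step reuses an existing entry only if its flavor matches the flavor of the node being copied. The demo_* types, error codes and table layout are assumptions made for illustration.

```c
/* Added example, not CIL code: all demo_* names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum demo_flavor { DEMO_TYPE = 1, DEMO_TYPEATTRIBUTE = 2 };

/* Two kinds that share one symbol table but have different layouts. */
struct demo_type          { const char *name; int value; };
struct demo_typeattribute { const char *name; void *types; };

struct demo_datum { const char *name; enum demo_flavor flavor; void *data; };
struct demo_node  { enum demo_flavor flavor; void *data; };

#define DEMO_SYMTAB_MAX 8
struct demo_symtab { struct demo_datum entry[DEMO_SYMTAB_MAX]; size_t len; };

enum { DEMO_OK = 0, DEMO_ENOENT = -1, DEMO_EFLAVOR = -2, DEMO_EFULL = -3 };

static struct demo_datum *demo_find(struct demo_symtab *st, const char *name)
{
    for (size_t i = 0; i < st->len; i++)
        if (strcmp(st->entry[i].name, name) == 0)
            return &st->entry[i];
    return NULL;
}

int demo_declare(struct demo_symtab *st, const char *name,
                 enum demo_flavor flavor, void *data)
{
    if (st->len == DEMO_SYMTAB_MAX)
        return DEMO_EFULL;
    st->entry[st->len].name = name;
    st->entry[st->len].flavor = flavor;
    st->entry[st->len].data = data;
    st->len++;
    return DEMO_OK;
}

/* Copy step: reuse the entry already declared under this name, but only
 * when it is of the kind the copied node claims to be. */
int demo_copy_node(struct demo_symtab *dest, const char *name,
                   enum demo_flavor expected, struct demo_node *out)
{
    struct demo_datum *found = demo_find(dest, name);

    out->flavor = expected;
    out->data = NULL;
    if (found == NULL)
        return DEMO_ENOENT;        /* caller would create a fresh entry */
    if (found->flavor != expected) {
        fprintf(stderr, "demo_copy_node: %s has flavor %d, expected %d\n",
                name, (int)found->flavor, (int)expected);
        return DEMO_EFLAVOR;       /* refuse instead of retagging the data */
    }
    out->data = found->data;
    return DEMO_OK;
}

/* Shape of the CIL file above: block B declares type X, then the macro
 * body asks for typeattribute X in the same symbol table. */
int demo_copy_typeattribute_over_type(void)
{
    struct demo_symtab block_b = { .len = 0 };
    struct demo_type x = { "X", 1 };
    struct demo_node copied;

    demo_declare(&block_b, "X", DEMO_TYPE, &x);
    return demo_copy_node(&block_b, "X", DEMO_TYPEATTRIBUTE, &copied);
}

/* Control case: the existing entry really is a typeattribute. */
int demo_copy_matching_flavor(void)
{
    struct demo_symtab block_b = { .len = 0 };
    struct demo_typeattribute attr = { "A", NULL };
    struct demo_node copied;

    demo_declare(&block_b, "A", DEMO_TYPEATTRIBUTE, &attr);
    if (demo_copy_node(&block_b, "A", DEMO_TYPEATTRIBUTE, &copied) != DEMO_OK)
        return -100;
    return copied.data == &attr && copied.flavor == DEMO_TYPEATTRIBUTE;
}

int main(void)
{
    printf("typeattribute X over type X -> %d\n",
           demo_copy_typeattribute_over_type());
    printf("matching flavor -> %d\n", demo_copy_matching_flavor());
    return 0;
}
```
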
jwcart2 pushed a commit that referenced this issue Mar 1, 2017
…garbage

Currently this Python program triggers a segmentation fault in
libselinux SWIG wrapper:

    import selinux
    selinux.get_ordered_context_list()

gdb shows that the segmentation fault occurs when freeing some memory:

    Reading symbols from python...(no debugging symbols found)...done.
    Starting program: /usr/bin/python -c import\
    selinux\;selinux.get_ordered_context_list\(\)
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/usr/lib/libthread_db.so.1".

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff789a304 in free () from /usr/lib/libc.so.6
    (gdb) bt
    #0  0x00007ffff789a304 in free () from /usr/lib/libc.so.6
    #1  0x00007ffff6011499 in freeconary (con=0x7ffff6ac5d00) at
    freeconary.c:14
    #2  0x00007ffff6296899 in _wrap_get_ordered_context_list
    (self=<optimized out>, args=<optimized out>) at
    selinuxswig_wrap.c:6185
    #3  0x00007ffff741891f in _PyCFunction_FastCallDict () from
    /usr/lib/libpython3.6m.so.1.0
    ...

SWIG generated the following code for _wrap_get_ordered_context_list():

    char ***arg3 = (char ***) 0 ;
    char **temp3 ;
    arg3 = &temp3;
    if (!PyArg_ParseTuple(args, "OO:get_ordered_context_list",&obj0,&obj1))
        SWIG_fail;
    /* ... */
  fail:
    if (*arg3) freeconary(*arg3);

If PyArg_ParseTuple fails, freeconary() is called on the value of
"temp3", which has not been initialized. Fix this by initializing temp
to NULL in the SWIG template.

A similar issue exists with security_get_boolean_names(). Fix it too.

This issue has been found using clang's static analyzer, on a system
which uses SWIG 3.0.12.

Signed-off-by: Nicolas Iooss <[email protected]>
stephensmalley pushed a commit that referenced this issue May 24, 2017
When a function called by sepol_module_policydb_to_cil() fails before
role_list_create() has been called, role_list is still NULL but is
dereferenced in role_list_destroy(). Here is a gdb session on hll/pp:

    Unknown value for handle-unknown: 6

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7a68a37 in role_list_destroy () at module_to_cil.c:215
    215     struct list_node *curr = role_list->head;

    (gdb) bt
    #0  0x00007ffff7a68a37 in role_list_destroy () at
    module_to_cil.c:215
    #1  sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79925e0
    <_IO_2_1_stdout_>, pdb=<optimized out>, linked=linked@entry=0) at
    module_to_cil.c:4060
    #2  0x00007ffff7a6ac75 in sepol_module_package_to_cil
    (fp=fp@entry=0x7ffff79925e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at
    module_to_cil.c:4080
    #3  0x0000000000401a58 in main (argc=<optimized out>,
    argv=<optimized out>) at pp.c:150

This issue has been found while fuzzing hll/pp with the American Fuzzy
Lop.

Signed-off-by: Nicolas Iooss <[email protected]>
stephensmalley pushed a commit that referenced this issue Jun 12, 2017
… fails

In mls_semantic_range_expand(), when a call to
mls_semantic_level_expand() fails, the function destroys the semantic
level instead of the expanded one. This leads to a use-after-free which
is reported by gcc's Address Sanitizer:

libsepol.mls_semantic_level_expand: mls_semantic_level_expand: invalid sensitivity level found 128/0.
libsepol.sepol_module_package_read: invalid module in module package (at section 0)
Failed to read policy package
=================================================================
==24456==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000ee58 at pc 0x7fe6c4fb96b4 bp 0x7fffa5ea6b70 sp 0x7fffa5ea6b60
READ of size 8 at 0x60200000ee58 thread T0
    #0 0x7fe6c4fb96b3 in mls_semantic_level_destroy /usr/src/selinux/libsepol/src/mls.c:755
    #1 0x7fe6c4fb9b88 in mls_semantic_range_destroy /usr/src/selinux/libsepol/src/mls.c:802
    #2 0x7fe6c500e8ab in user_datum_destroy /usr/src/selinux/libsepol/src/policydb.c:535
    #3 0x7fe6c500e980 in user_destroy /usr/src/selinux/libsepol/src/policydb.c:1390
    #4 0x7fe6c4f36c48 in hashtab_map /usr/src/selinux/libsepol/src/hashtab.c:235
    #5 0x7fe6c50152da in symtabs_destroy /usr/src/selinux/libsepol/src/policydb.c:1595
    #6 0x7fe6c5015433 in policydb_destroy /usr/src/selinux/libsepol/src/policydb.c:1503
    #7 0x7fe6c5040e0d in sepol_policydb_free /usr/src/selinux/libsepol/src/policydb_public.c:82
    #8 0x7fe6c4fbc503 in sepol_module_package_free /usr/src/selinux/libsepol/src/module.c:143
    #9 0x7fe6c4fefefb in sepol_ppfile_to_module_package /usr/src/selinux/libsepol/src/module_to_cil.c:4293
    #10 0x401e51 in main /usr/src/selinux/policycoreutils/hll/pp/pp.c:124
    #11 0x7fe6c4add510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
    #12 0x402589 in _start (/usr/src/selinux/DESTDIR/usr/libexec/selinux/hll/pp+0x402589)

0x60200000ee58 is located 8 bytes inside of 16-byte region [0x60200000ee50,0x60200000ee60)
freed by thread T0 here:
    #0 0x7fe6c5537ae0 in __interceptor_free /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:45
    #1 0x7fe6c4fb969b in mls_semantic_level_destroy /usr/src/selinux/libsepol/src/mls.c:757
    #2 0x7fe6c4f02a57 in mls_semantic_range_expand /usr/src/selinux/libsepol/src/expand.c:948
    #3 0x7fe6c5007a98 in policydb_user_cache /usr/src/selinux/libsepol/src/policydb.c:939
    #4 0x7fe6c4f36c48 in hashtab_map /usr/src/selinux/libsepol/src/hashtab.c:235
    #5 0x7fe6c5013859 in policydb_index_others /usr/src/selinux/libsepol/src/policydb.c:1286
    #6 0x7fe6c5020b65 in policydb_read /usr/src/selinux/libsepol/src/policydb.c:4342
    #7 0x7fe6c4fc0cdb in sepol_module_package_read /usr/src/selinux/libsepol/src/module.c:618
    #8 0x7fe6c4ff008d in sepol_ppfile_to_module_package /usr/src/selinux/libsepol/src/module_to_cil.c:4276
    #9 0x401e51 in main /usr/src/selinux/policycoreutils/hll/pp/pp.c:124
    #10 0x7fe6c4add510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)

previously allocated by thread T0 here:
    #0 0x7fe6c5537e40 in __interceptor_malloc /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x7fe6c5004efc in mls_read_semantic_level_helper /usr/src/selinux/libsepol/src/policydb.c:1976
    #2 0x7fe6c500f596 in mls_read_semantic_range_helper /usr/src/selinux/libsepol/src/policydb.c:2010
    #3 0x7fe6c500f596 in user_read /usr/src/selinux/libsepol/src/policydb.c:3258
    #4 0x7fe6c502055b in policydb_read /usr/src/selinux/libsepol/src/policydb.c:4286
    #5 0x7fe6c4fc0cdb in sepol_module_package_read /usr/src/selinux/libsepol/src/module.c:618
    #6 0x7fe6c4ff008d in sepol_ppfile_to_module_package /usr/src/selinux/libsepol/src/module_to_cil.c:4276
    #7 0x401e51 in main /usr/src/selinux/policycoreutils/hll/pp/pp.c:124
    #8 0x7fe6c4add510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/selinux/libsepol/src/mls.c:755 in mls_semantic_level_destroy
==24456==ABORTING

This issue has been found while fuzzing hll/pp with the American Fuzzy
Lop.

Signed-off-by: Nicolas Iooss <[email protected]>
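
Added example, not part of the commit above or of libsepol: a small C model of an expand routine whose error path releases the partially built output and leaves the caller-owned input alone, so the caller's later destroy does not touch freed memory. The demo_* names, the const-qualified input parameter and the limits are assumptions made for illustration.

```c
/* Added example, not libsepol code: all demo_* names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

struct demo_cat { int low, high; struct demo_cat *next; };
struct demo_semantic_level { int sens; struct demo_cat *cat; };  /* input  */
struct demo_level { int sens; unsigned char *cats; };            /* output */
struct demo_semantic_range { struct demo_semantic_level level[2]; };
struct demo_range { struct demo_level level[2]; };

#define DEMO_MAX_SENS 4
#define DEMO_MAX_CATS 64

void demo_semantic_level_destroy(struct demo_semantic_level *l)
{
    struct demo_cat *c = l->cat;

    while (c != NULL) {
        struct demo_cat *next = c->next;
        free(c);
        c = next;
    }
    l->cat = NULL;
}

void demo_level_destroy(struct demo_level *l)
{
    free(l->cats);
    l->cats = NULL;
}

int demo_level_expand(const struct demo_semantic_level *sl,
                      struct demo_level *out)
{
    const struct demo_cat *c;

    out->sens = 0;
    out->cats = NULL;
    if (sl->sens < 1 || sl->sens > DEMO_MAX_SENS)
        return -1;                         /* invalid sensitivity level */
    out->cats = calloc(DEMO_MAX_CATS / 8, 1);
    if (out->cats == NULL)
        return -1;
    for (c = sl->cat; c != NULL; c = c->next) {
        if (c->low < 0 || c->high >= DEMO_MAX_CATS || c->low > c->high) {
            demo_level_destroy(out);
            return -1;
        }
        for (int i = c->low; i <= c->high; i++)
            out->cats[i / 8] |= (unsigned char)(1u << (i % 8));
    }
    out->sens = sl->sens;
    return 0;
}

/* The input is const: destroying it from here would not compile. */
int demo_range_expand(const struct demo_semantic_range *sr,
                      struct demo_range *r)
{
    r->level[0].cats = NULL;
    r->level[1].cats = NULL;
    if (demo_level_expand(&sr->level[0], &r->level[0]) < 0)
        return -1;
    if (demo_level_expand(&sr->level[1], &r->level[1]) < 0) {
        /* Release what this function built (r), never the input (sr). */
        demo_level_destroy(&r->level[0]);
        return -1;
    }
    return 0;
}

/* Constructed input: level 0 is valid, level 1 uses sensitivity 128 as in
 * the error message above. Returns 1 when the input survives the failure. */
int demo_failed_expand_keeps_input(void)
{
    struct demo_semantic_range sr = { { { 1, NULL }, { 128, NULL } } };
    struct demo_range r;
    int ok;

    sr.level[0].cat = calloc(1, sizeof(struct demo_cat));
    if (sr.level[0].cat == NULL)
        return -1;
    sr.level[0].cat->low = 0;
    sr.level[0].cat->high = 3;
    ok = demo_range_expand(&sr, &r) == -1
         && sr.level[0].cat != NULL
         && r.level[0].cats == NULL && r.level[1].cats == NULL;
    /* The caller still owns the input and destroys it exactly once. */
    demo_semantic_level_destroy(&sr.level[0]);
    demo_semantic_level_destroy(&sr.level[1]);
    return ok;
}

int main(void)
{
    printf("input intact after failed expand: %d\n",
           demo_failed_expand_keeps_input());
    return 0;
}
```
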
fishilico added a commit to fishilico/selinux that referenced this issue Jan 25, 2018
TODO: does it make sense to have a policy with ->global=NULL?

gdb session:

    Program received signal SIGSEGV, Segmentation fault.
    blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3760
    3760        rc = global_block_to_cil(pdb, block, stack);
    (gdb) bt
    #0  blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3760
    #1  sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79d05e0
    <_IO_2_1_stdout_>, pdb=0x6042e0, linked=linked@entry=0) at
    module_to_cil.c:4047
    #2  0x00007ffff7a86ac5 in sepol_module_package_to_cil
    (fp=fp@entry=0x7ffff79d05e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at
    module_to_cil.c:4076
    #3  0x0000000000401acc in main (argc=<optimized out>,
    argv=<optimized out>) at pp.c:150

    (gdb) p pdb->global
    $1 = (avrule_block_t *) 0x0

Signed-off-by: Nicolas Iooss <[email protected]>
fishilico added a commit to fishilico/selinux that referenced this issue Jan 25, 2018
TODO: does it make sense to have a policy with ->global=NULL?

gdb session:

    Program received signal SIGSEGV, Segmentation fault.
    blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3760
    3760        rc = global_block_to_cil(pdb, block, stack);
    (gdb) bt
    #0  blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3760
    SELinuxProject#1  sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79d05e0
    <_IO_2_1_stdout_>, pdb=0x6042e0, linked=linked@entry=0) at
    module_to_cil.c:4047
    SELinuxProject#2  0x00007ffff7a86ac5 in sepol_module_package_to_cil
    (fp=fp@entry=0x7ffff79d05e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at
    module_to_cil.c:4076
    SELinuxProject#3  0x0000000000401acc in main (argc=<optimized out>,
    argv=<optimized out>) at pp.c:150

    (gdb) p pdb->global
    $1 = (avrule_block_t *) 0x0

Signed-off-by: Nicolas Iooss <[email protected]>
fishilico added a commit to fishilico/selinux that referenced this issue Feb 14, 2018
TODO: does it make sense to have a policy with ->global=NULL?

gdb session:

    Program received signal SIGSEGV, Segmentation fault.
    blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3760
    3760        rc = global_block_to_cil(pdb, block, stack);
    (gdb) bt
    #0  blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3760
    SELinuxProject#1  sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79d05e0
    <_IO_2_1_stdout_>, pdb=0x6042e0, linked=linked@entry=0) at
    module_to_cil.c:4047
    SELinuxProject#2  0x00007ffff7a86ac5 in sepol_module_package_to_cil
    (fp=fp@entry=0x7ffff79d05e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at
    module_to_cil.c:4076
    SELinuxProject#3  0x0000000000401acc in main (argc=<optimized out>,
    argv=<optimized out>) at pp.c:150

    (gdb) p pdb->global
    $1 = (avrule_block_t *) 0x0

Signed-off-by: Nicolas Iooss <[email protected]>
fishilico added a commit to fishilico/selinux that referenced this issue Feb 14, 2018
TODO: does it make sense to have a policy with ->global=NULL?

gdb session:

    Program received signal SIGSEGV, Segmentation fault.
    blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3760
    3760        rc = global_block_to_cil(pdb, block, stack);
    (gdb) bt
    #0  blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3760
    SELinuxProject#1  sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79d05e0
    <_IO_2_1_stdout_>, pdb=0x6042e0, linked=linked@entry=0) at
    module_to_cil.c:4047
    SELinuxProject#2  0x00007ffff7a86ac5 in sepol_module_package_to_cil
    (fp=fp@entry=0x7ffff79d05e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at
    module_to_cil.c:4076
    SELinuxProject#3  0x0000000000401acc in main (argc=<optimized out>,
    argv=<optimized out>) at pp.c:150

    (gdb) p pdb->global
    $1 = (avrule_block_t *) 0x0

Signed-off-by: Nicolas Iooss <[email protected]>
fishilico added a commit to fishilico/selinux that referenced this issue Feb 21, 2018
TODO: does it make sense to have a policy with ->global=NULL?

gdb session:

    Program received signal SIGSEGV, Segmentation fault.
    blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3760
    3760        rc = global_block_to_cil(pdb, block, stack);
    (gdb) bt
    #0  blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3760
    SELinuxProject#1  sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79d05e0
    <_IO_2_1_stdout_>, pdb=0x6042e0, linked=linked@entry=0) at
    module_to_cil.c:4047
    SELinuxProject#2  0x00007ffff7a86ac5 in sepol_module_package_to_cil
    (fp=fp@entry=0x7ffff79d05e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at
    module_to_cil.c:4076
    SELinuxProject#3  0x0000000000401acc in main (argc=<optimized out>,
    argv=<optimized out>) at pp.c:150

    (gdb) p pdb->global
    $1 = (avrule_block_t *) 0x0

Signed-off-by: Nicolas Iooss <[email protected]>
fishilico added a commit to fishilico/selinux that referenced this issue Mar 4, 2018
TODO: does it make sense to have a policy with ->global=NULL?

gdb session:

    Program received signal SIGSEGV, Segmentation fault.
    blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3760
    3760        rc = global_block_to_cil(pdb, block, stack);
    (gdb) bt
    #0  blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3760
    SELinuxProject#1  sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79d05e0
    <_IO_2_1_stdout_>, pdb=0x6042e0, linked=linked@entry=0) at
    module_to_cil.c:4047
    SELinuxProject#2  0x00007ffff7a86ac5 in sepol_module_package_to_cil
    (fp=fp@entry=0x7ffff79d05e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at
    module_to_cil.c:4076
    SELinuxProject#3  0x0000000000401acc in main (argc=<optimized out>,
    argv=<optimized out>) at pp.c:150

    (gdb) p pdb->global
    $1 = (avrule_block_t *) 0x0

Signed-off-by: Nicolas Iooss <[email protected]>
fishilico added a commit to fishilico/selinux that referenced this issue Apr 13, 2018
TODO: does it make sense to have a policy with ->global=NULL?

gdb session:

    Program received signal SIGSEGV, Segmentation fault.
    blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3760
    3760        rc = global_block_to_cil(pdb, block, stack);
    (gdb) bt
    #0  blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3760
    SELinuxProject#1  sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79d05e0
    <_IO_2_1_stdout_>, pdb=0x6042e0, linked=linked@entry=0) at
    module_to_cil.c:4047
    SELinuxProject#2  0x00007ffff7a86ac5 in sepol_module_package_to_cil
    (fp=fp@entry=0x7ffff79d05e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at
    module_to_cil.c:4076
    SELinuxProject#3  0x0000000000401acc in main (argc=<optimized out>,
    argv=<optimized out>) at pp.c:150

    (gdb) p pdb->global
    $1 = (avrule_block_t *) 0x0

Signed-off-by: Nicolas Iooss <[email protected]>
fishilico added a commit to fishilico/selinux that referenced this issue Apr 22, 2018
TODO: does it make sense to have a policy with ->global=NULL?

gdb session:

    Program received signal SIGSEGV, Segmentation fault.
    blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3760
    3760        rc = global_block_to_cil(pdb, block, stack);
    (gdb) bt
    #0  blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3760
    SELinuxProject#1  sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79d05e0
    <_IO_2_1_stdout_>, pdb=0x6042e0, linked=linked@entry=0) at
    module_to_cil.c:4047
    SELinuxProject#2  0x00007ffff7a86ac5 in sepol_module_package_to_cil
    (fp=fp@entry=0x7ffff79d05e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at
    module_to_cil.c:4076
    SELinuxProject#3  0x0000000000401acc in main (argc=<optimized out>,
    argv=<optimized out>) at pp.c:150

    (gdb) p pdb->global
    $1 = (avrule_block_t *) 0x0

Signed-off-by: Nicolas Iooss <[email protected]>
fishilico added a commit to fishilico/selinux that referenced this issue May 3, 2018
TODO: does it make sense to have a policy with ->global=NULL?

gdb session:

    Program received signal SIGSEGV, Segmentation fault.
    blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3760
    3760        rc = global_block_to_cil(pdb, block, stack);
    (gdb) bt
    #0  blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3760
    SELinuxProject#1  sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79d05e0
    <_IO_2_1_stdout_>, pdb=0x6042e0, linked=linked@entry=0) at
    module_to_cil.c:4047
    SELinuxProject#2  0x00007ffff7a86ac5 in sepol_module_package_to_cil
    (fp=fp@entry=0x7ffff79d05e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at
    module_to_cil.c:4076
    SELinuxProject#3  0x0000000000401acc in main (argc=<optimized out>,
    argv=<optimized out>) at pp.c:150

    (gdb) p pdb->global
    $1 = (avrule_block_t *) 0x0

Signed-off-by: Nicolas Iooss <[email protected]>
fishilico added a commit to fishilico/selinux that referenced this issue May 17, 2018
TODO: does it make sense to have a policy with ->global=NULL?

gdb session:

    Program received signal SIGSEGV, Segmentation fault.
    blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3760
    3760        rc = global_block_to_cil(pdb, block, stack);
    (gdb) bt
    #0  blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3760
    SELinuxProject#1  sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79d05e0
    <_IO_2_1_stdout_>, pdb=0x6042e0, linked=linked@entry=0) at
    module_to_cil.c:4047
    SELinuxProject#2  0x00007ffff7a86ac5 in sepol_module_package_to_cil
    (fp=fp@entry=0x7ffff79d05e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at
    module_to_cil.c:4076
    SELinuxProject#3  0x0000000000401acc in main (argc=<optimized out>,
    argv=<optimized out>) at pp.c:150

    (gdb) p pdb->global
    $1 = (avrule_block_t *) 0x0

Signed-off-by: Nicolas Iooss <[email protected]>
fishilico added a commit to fishilico/selinux that referenced this issue May 21, 2018
TODO: does it make sense to have a policy with ->global=NULL?

gdb session:

    Program received signal SIGSEGV, Segmentation fault.
    blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3760
    3760        rc = global_block_to_cil(pdb, block, stack);
    (gdb) bt
    #0  blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3760
    SELinuxProject#1  sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79d05e0
    <_IO_2_1_stdout_>, pdb=0x6042e0, linked=linked@entry=0) at
    module_to_cil.c:4047
    SELinuxProject#2  0x00007ffff7a86ac5 in sepol_module_package_to_cil
    (fp=fp@entry=0x7ffff79d05e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at
    module_to_cil.c:4076
    SELinuxProject#3  0x0000000000401acc in main (argc=<optimized out>,
    argv=<optimized out>) at pp.c:150

    (gdb) p pdb->global
    $1 = (avrule_block_t *) 0x0

Signed-off-by: Nicolas Iooss <[email protected]>
fishilico added a commit to fishilico/selinux that referenced this issue May 26, 2018
fishilico added a commit to fishilico/selinux that referenced this issue May 26, 2018
fishilico added a commit to fishilico/selinux that referenced this issue May 26, 2018
fishilico added a commit to fishilico/selinux that referenced this issue May 30, 2018
fishilico added a commit to fishilico/selinux that referenced this issue Jun 3, 2018
fishilico added a commit to fishilico/selinux that referenced this issue Jun 4, 2018
fishilico added a commit to fishilico/selinux that referenced this issue Jun 9, 2018
fishilico added a commit to fishilico/selinux that referenced this issue Jun 9, 2018
fishilico added a commit to fishilico/selinux that referenced this issue Jun 16, 2018
fishilico added a commit to fishilico/selinux that referenced this issue Jun 29, 2022
fishilico added a commit to fishilico/selinux that referenced this issue Jun 30, 2022
fishilico added a commit to fishilico/selinux that referenced this issue Jul 8, 2022
cgzones added a commit to cgzones/selinux that referenced this issue Jul 12, 2022
Free the allocated avrule in define_te_avtab_xperms_helper() on
failures.

Also free the target classes ebitmap on allocation failure.

    Direct leak of 136 byte(s) in 1 object(s) allocated from:
        #0 0x49bb5d in __interceptor_malloc (./checkpolicy/checkpolicy+0x49bb5d)
        #1 0x4e6eea in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2041:24
        #2 0x4e6eea in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2487:6
        #3 0x4cef0b in yyparse ./checkpolicy/policy_parse.y:494:30
        #4 0x4e0575 in read_source_policy ./checkpolicy/parse_util.c:63:6
        #5 0x4ff121 in main ./checkpolicy/checkpolicy.c:616:7
        #6 0x7fe31628b7ec in __libc_start_main csu/../csu/libc-start.c:332:16

    Indirect leak of 32 byte(s) in 1 object(s) allocated from:
        #0 0x4877b4 in strdup (./checkpolicy/checkpolicy+0x4877b4)
        #1 0x4e6fa7 in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2051:28
        #2 0x4e6fa7 in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2487:6
        #3 0x4cef0b in yyparse ./checkpolicy/policy_parse.y:494:30
        #4 0x4e0575 in read_source_policy ./checkpolicy/parse_util.c:63:6
        #5 0x4ff121 in main ./checkpolicy/checkpolicy.c:616:7
        #6 0x7fe31628b7ec in __libc_start_main csu/../csu/libc-start.c:332:16

    Indirect leak of 24 byte(s) in 1 object(s) allocated from:
        #0 0x49bb5d in __interceptor_malloc (./checkpolicy/checkpolicy+0x49bb5d)
        #1 0x50f2fa in ebitmap_set_bit ./libsepol/src/ebitmap.c:346:27
        #2 0x4eb632 in set_types ./checkpolicy/policy_define.c
        #3 0x4e7055 in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2059:7
        #4 0x4e7055 in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2487:6
        #5 0x4cef0b in yyparse ./checkpolicy/policy_parse.y:494:30
        #6 0x4e0575 in read_source_policy ./checkpolicy/parse_util.c:63:6
        #7 0x4ff121 in main ./checkpolicy/checkpolicy.c:616:7
        #8 0x7fe31628b7ec in __libc_start_main csu/../csu/libc-start.c:332:16

Signed-off-by: Christian Göttsche <[email protected]>
cgzones added a commit to cgzones/selinux that referenced this issue Jul 21, 2022
fishilico added a commit to fishilico/selinux that referenced this issue Aug 28, 2022
cgzones added a commit to cgzones/selinux that referenced this issue Aug 30, 2022
cgzones added a commit to cgzones/selinux that referenced this issue Oct 12, 2022
cgzones added a commit to cgzones/selinux that referenced this issue Nov 9, 2022
cgzones added a commit to cgzones/selinux that referenced this issue Nov 23, 2022
jwcart2 pushed a commit to jwcart2/selinux that referenced this issue Dec 16, 2022
jwcart2 pushed a commit that referenced this issue Dec 16, 2022
Add return check for regex_data_create() to avoid NULL reference of regex_data

(gdb) bt
 #0  0x00007fbde5caec14 in pthread_mutex_init () from /usr/lib64/libc.so.6
 #1  0x00007fbde5e3a489 in regex_data_create () at regex.c:260
 #2  0x00007fbde5e3a4af in regex_prepare_data (regex=regex@entry=0x7fbde4613770, pattern_string=pattern_string@entry=0x563c6799a820 "^/home$", errordata=errordata@entry=0x7ffeb83fa950) at regex.c:76
 #3  0x00007fbde5e32fe6 in compile_regex (errbuf=0x0, spec=0x7fbde4613748) at label_file.h:407
 #4  lookup_all (key=0x563c679974e5 "/var/log/kadmind.log", type=<optimized out>, partial=partial@entry=false, match_count=match_count@entry=0x0, rec=<optimized out>, rec=<optimized out>)
     at label_file.c:949
 #5  0x00007fbde5e33350 in lookup (rec=<optimized out>, key=<optimized out>, type=<optimized out>) at label_file.c:1092
 #6  0x00007fbde5e31878 in selabel_lookup_common (rec=0x563c67998cc0, translating=1, key=<optimized out>, type=<optimized out>) at label.c:167

Signed-off-by: Jie Lu <[email protected]>
Acked-by: James Carter <[email protected]>
cgzones added a commit to cgzones/selinux that referenced this issue Jan 5, 2023
cgzones added a commit to cgzones/selinux that referenced this issue Jan 5, 2023
Free the allocated avrule in define_te_avtab_xperms_helper() on
failures.

Also free the target classes ebitmap on allocation failure.

    Direct leak of 136 byte(s) in 1 object(s) allocated from:
        #0 0x49bb5d in __interceptor_malloc (./checkpolicy/checkpolicy+0x49bb5d)
        #1 0x4e6eea in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2041:24
        #2 0x4e6eea in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2487:6
        #3 0x4cef0b in yyparse ./checkpolicy/policy_parse.y:494:30
        #4 0x4e0575 in read_source_policy ./checkpolicy/parse_util.c:63:6
        #5 0x4ff121 in main ./checkpolicy/checkpolicy.c:616:7
        #6 0x7fe31628b7ec in __libc_start_main csu/../csu/libc-start.c:332:16

    Indirect leak of 32 byte(s) in 1 object(s) allocated from:
        #0 0x4877b4 in strdup (./checkpolicy/checkpolicy+0x4877b4)
        #1 0x4e6fa7 in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2051:28
        #2 0x4e6fa7 in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2487:6
        #3 0x4cef0b in yyparse ./checkpolicy/policy_parse.y:494:30
        #4 0x4e0575 in read_source_policy ./checkpolicy/parse_util.c:63:6
        #5 0x4ff121 in main ./checkpolicy/checkpolicy.c:616:7
        #6 0x7fe31628b7ec in __libc_start_main csu/../csu/libc-start.c:332:16

    Indirect leak of 24 byte(s) in 1 object(s) allocated from:
        #0 0x49bb5d in __interceptor_malloc (./checkpolicy/checkpolicy+0x49bb5d)
        #1 0x50f2fa in ebitmap_set_bit ./libsepol/src/ebitmap.c:346:27
        #2 0x4eb632 in set_types ./checkpolicy/policy_define.c
        #3 0x4e7055 in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2059:7
        #4 0x4e7055 in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2487:6
        #5 0x4cef0b in yyparse ./checkpolicy/policy_parse.y:494:30
        #6 0x4e0575 in read_source_policy ./checkpolicy/parse_util.c:63:6
        #7 0x4ff121 in main ./checkpolicy/checkpolicy.c:616:7
        #8 0x7fe31628b7ec in __libc_start_main csu/../csu/libc-start.c:332:16

Signed-off-by: Christian Göttsche <[email protected]>
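
The error-path cleanup that commit message describes, as an added C example that is not checkpolicy's code: `struct rule`, `build_rule_leaky`, `build_rule_fixed`, the allocation counter and the `policy.conf` input are all hypothetical. The owner is abandoned on failure, so it leaks directly and the string and bitmap node it points to leak indirectly, which is the one-direct, two-indirect shape of the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for a rule, its file name and its type bitmap. */
struct bit_node { unsigned bit; struct bit_node *next; };
struct rule {
    char *source_file;       /* owned copy of a string */
    struct bit_node *types;  /* owned list of set bits */
};

static long live_allocs;     /* allocations not yet freed (demo bookkeeping) */

static void *xmalloc(size_t n) {
    void *p = malloc(n);
    if (p) live_allocs++;
    return p;
}
static void xfree(void *p) {
    if (p) { live_allocs--; free(p); }
}
static char *xstrdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = xmalloc(n);
    if (p) memcpy(p, s, n);
    return p;
}
static int set_bit(struct bit_node **head, unsigned bit) {
    struct bit_node *n = xmalloc(sizeof(*n));
    if (!n) return -1;
    n->bit = bit; n->next = *head; *head = n;
    return 0;
}
/* Releases the rule and everything it owns; safe on a half-built rule. */
static void rule_destroy(struct rule *r) {
    if (!r) return;
    while (r->types) {
        struct bit_node *n = r->types;
        r->types = n->next;
        xfree(n);
    }
    xfree(r->source_file);
    xfree(r);
}

typedef int (*build_fn)(const char *, unsigned, int, struct rule **);

/* Before: every failure return abandons what was allocated so far. */
static int build_rule_leaky(const char *file, unsigned type, int perms_ok,
                            struct rule **out) {
    struct rule *r = xmalloc(sizeof(*r));
    if (!r) return -1;
    r->types = NULL;
    r->source_file = xstrdup(file);
    if (!r->source_file) return -1;
    if (set_bit(&r->types, type) < 0) return -1;
    if (!perms_ok) return -1;   /* rule, string and node are all lost here */
    *out = r;
    return 0;
}

/* After: a single exit label releases the partially built rule. */
static int build_rule_fixed(const char *file, unsigned type, int perms_ok,
                            struct rule **out) {
    struct rule *r = xmalloc(sizeof(*r));
    if (!r) return -1;
    r->source_file = NULL;
    r->types = NULL;
    r->source_file = xstrdup(file);
    if (!r->source_file) goto bad;
    if (set_bit(&r->types, type) < 0) goto bad;
    if (!perms_ok) goto bad;
    *out = r;
    return 0;
bad:
    rule_destroy(r);
    return -1;
}

/* Allocations still live after one call; perms_ok = 0 forces the failure. */
long leaked_after(build_fn build, int perms_ok) {
    struct rule *r = NULL;
    long before = live_allocs;
    if (build("policy.conf", 7, perms_ok, &r) == 0)
        rule_destroy(r);
    return live_allocs - before;
}

int main(void) {
    printf("leaky, failing input: %ld\n", leaked_after(build_rule_leaky, 0));
    printf("fixed, failing input: %ld\n", leaked_after(build_rule_fixed, 0));
    return 0;
}
```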
cgzones added a commit to cgzones/selinux that referenced this issue Jan 18, 2023
cgzones added a commit to cgzones/selinux that referenced this issue Mar 31, 2023
cgzones added a commit to cgzones/selinux that referenced this issue May 12, 2023
cgzones added a commit to cgzones/selinux that referenced this issue Jul 6, 2023
cgzones added a commit to cgzones/selinux that referenced this issue Nov 1, 2023
cgzones added a commit to cgzones/selinux that referenced this issue Nov 8, 2023
cgzones added a commit to cgzones/selinux that referenced this issue Nov 8, 2023
cgzones added a commit to cgzones/selinux that referenced this issue Nov 16, 2023
jwcart2 pushed a commit to jwcart2/selinux that referenced this issue Mar 20, 2024
In case the init function for a selabel backend fails, free the possible
already allocated data:

    Direct leak of 16 byte(s) in 1 object(s) allocated from:
        #0 0x5e7e2bf001e3 in malloc (/tmp/destdir/usr/sbin/selabel_digest+0xc71e3)
        #1 0x7233764baa65 in selabel_media_init /home/christian/Coding/workspaces/selinux/libselinux/src/label_media.c:226:30
        #2 0x7233764ac1fe in selabel_open /home/christian/Coding/workspaces/selinux/libselinux/src/label.c:227:6
        #3 0x5e7e2bf3ebfc in main /home/christian/Coding/workspaces/selinux/libselinux/utils/selabel_digest.c:125:8
        #4 0x7233761856c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

    SUMMARY: AddressSanitizer: 16 byte(s) leaked in 1 allocation(s).

Signed-off-by: Christian Göttsche <[email protected]>
Acked-by: James Carter <[email protected]>
jwcart2 pushed a commit that referenced this issue Mar 20, 2024
cgzones added a commit to cgzones/selinux that referenced this issue Oct 18, 2024
cgzones added a commit to cgzones/selinux that referenced this issue Nov 5, 2024
cgzones added a commit to cgzones/selinux that referenced this issue Nov 19, 2024
cgzones added a commit to cgzones/selinux that referenced this issue Nov 28, 2024
Free the allocated avrule in define_te_avtab_xperms_helper() on
failures.

Also free the target classes ebitmap on allocation failure.

    Direct leak of 136 byte(s) in 1 object(s) allocated from:
        #0 0x49bb5d in __interceptor_malloc (./checkpolicy/checkpolicy+0x49bb5d)
        #1 0x4e6eea in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2041:24
        #2 0x4e6eea in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2487:6
        #3 0x4cef0b in yyparse ./checkpolicy/policy_parse.y:494:30
        #4 0x4e0575 in read_source_policy ./checkpolicy/parse_util.c:63:6
        #5 0x4ff121 in main ./checkpolicy/checkpolicy.c:616:7
        #6 0x7fe31628b7ec in __libc_start_main csu/../csu/libc-start.c:332:16

    Indirect leak of 32 byte(s) in 1 object(s) allocated from:
        #0 0x4877b4 in strdup (./checkpolicy/checkpolicy+0x4877b4)
        #1 0x4e6fa7 in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2051:28
        #2 0x4e6fa7 in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2487:6
        #3 0x4cef0b in yyparse ./checkpolicy/policy_parse.y:494:30
        #4 0x4e0575 in read_source_policy ./checkpolicy/parse_util.c:63:6
        #5 0x4ff121 in main ./checkpolicy/checkpolicy.c:616:7
        #6 0x7fe31628b7ec in __libc_start_main csu/../csu/libc-start.c:332:16

    Indirect leak of 24 byte(s) in 1 object(s) allocated from:
        #0 0x49bb5d in __interceptor_malloc (./checkpolicy/checkpolicy+0x49bb5d)
        #1 0x50f2fa in ebitmap_set_bit ./libsepol/src/ebitmap.c:346:27
        #2 0x4eb632 in set_types ./checkpolicy/policy_define.c
        #3 0x4e7055 in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2059:7
        #4 0x4e7055 in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2487:6
        #5 0x4cef0b in yyparse ./checkpolicy/policy_parse.y:494:30
        #6 0x4e0575 in read_source_policy ./checkpolicy/parse_util.c:63:6
        #7 0x4ff121 in main ./checkpolicy/checkpolicy.c:616:7
        #8 0x7fe31628b7ec in __libc_start_main csu/../csu/libc-start.c:332:16

Signed-off-by: Christian Göttsche <[email protected]>
cgzones added a commit to cgzones/selinux that referenced this issue Dec 5, 2024
Free the allocated avrule in define_te_avtab_xperms_helper() on
failures.

Also free the target classes ebitmap on allocation failure.

    Direct leak of 136 byte(s) in 1 object(s) allocated from:
        #0 0x49bb5d in __interceptor_malloc (./checkpolicy/checkpolicy+0x49bb5d)
        #1 0x4e6eea in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2041:24
        #2 0x4e6eea in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2487:6
        #3 0x4cef0b in yyparse ./checkpolicy/policy_parse.y:494:30
        #4 0x4e0575 in read_source_policy ./checkpolicy/parse_util.c:63:6
        #5 0x4ff121 in main ./checkpolicy/checkpolicy.c:616:7
        #6 0x7fe31628b7ec in __libc_start_main csu/../csu/libc-start.c:332:16

    Indirect leak of 32 byte(s) in 1 object(s) allocated from:
        #0 0x4877b4 in strdup (./checkpolicy/checkpolicy+0x4877b4)
        #1 0x4e6fa7 in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2051:28
        #2 0x4e6fa7 in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2487:6
        #3 0x4cef0b in yyparse ./checkpolicy/policy_parse.y:494:30
        #4 0x4e0575 in read_source_policy ./checkpolicy/parse_util.c:63:6
        #5 0x4ff121 in main ./checkpolicy/checkpolicy.c:616:7
        #6 0x7fe31628b7ec in __libc_start_main csu/../csu/libc-start.c:332:16

    Indirect leak of 24 byte(s) in 1 object(s) allocated from:
        #0 0x49bb5d in __interceptor_malloc (./checkpolicy/checkpolicy+0x49bb5d)
        #1 0x50f2fa in ebitmap_set_bit ./libsepol/src/ebitmap.c:346:27
        #2 0x4eb632 in set_types ./checkpolicy/policy_define.c
        #3 0x4e7055 in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2059:7
        #4 0x4e7055 in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2487:6
        #5 0x4cef0b in yyparse ./checkpolicy/policy_parse.y:494:30
        #6 0x4e0575 in read_source_policy ./checkpolicy/parse_util.c:63:6
        #7 0x4ff121 in main ./checkpolicy/checkpolicy.c:616:7
        #8 0x7fe31628b7ec in __libc_start_main csu/../csu/libc-start.c:332:16

Signed-off-by: Christian Göttsche <[email protected]>
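
An added example, not code from checkpolicy or from the commits above: a constructed C model of the error-path leak those commit messages describe, where a partially built rule (the "direct" block) and the blocks it owns (the "indirect" ones) are abandoned when a later allocation fails. All names here (`xalloc`, `rule`, `node`, `rule_build`, `leaked_after`) are hypothetical, and the counting allocator with fault injection is an assumption made so the leak can be measured.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model, not checkpolicy code: counting allocator with fault injection. */
static int live, calls, fail_at;     /* fail_at: 1-based call that fails; 0 = never */
static void *xalloc(size_t n) {
    if (++calls == fail_at) return NULL;
    void *p = calloc(1, n);
    if (p) live++;
    return p;
}
static void xfree(void *p) { if (p) { live--; free(p); } }
struct node { struct node *next; unsigned bit; };        /* stand-in for an ebitmap node */
struct rule { char *source_file; struct node *types; }; /* stand-in for the avrule */
static struct rule *orphan;  /* keeps an abandoned rule reachable so the demo can reclaim it */

static void rule_destroy(struct rule *r) {
    if (!r) return;
    xfree(r->source_file);
    while (r->types) { struct node *n = r->types; r->types = n->next; xfree(n); }
    xfree(r);
}

/* fixed=0 returns on error without cleanup (the pattern behind the leak report);
 * fixed=1 releases the partially built rule before returning. */
static struct rule *rule_build(const char *file, unsigned ntypes, int fixed) {
    struct rule *r = xalloc(sizeof(*r));             /* the "direct" allocation */
    if (!r) return NULL;
    size_t len = strlen(file) + 1;
    r->source_file = xalloc(len);                    /* owned by r: "indirect" */
    if (!r->source_file) goto bad;
    memcpy(r->source_file, file, len);
    for (unsigned i = 0; i < ntypes; i++) {
        struct node *n = xalloc(sizeof(*n));         /* owned by r: "indirect" */
        if (!n) goto bad;
        n->bit = i; n->next = r->types; r->types = n;
    }
    return r;
bad:
    if (fixed) rule_destroy(r); else orphan = r;
    return NULL;
}

/* Blocks still allocated after a build whose fail_call-th allocation fails. */
int leaked_after(int fail_call, int fixed) {
    live = calls = 0; fail_at = fail_call; orphan = NULL;
    rule_destroy(rule_build("policy.conf", 2, fixed));
    int leaked = live;
    rule_destroy(orphan);            /* reclaim so the demo itself stays clean */
    return leaked;
}
```

Sweeping `fail_call` over every allocation in the build path, and requiring `leaked_after` to return 0 each time, covers the early-return paths that normal policy inputs do not reach.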