* wrong magic number (using old sources)
@ 2007-08-10 10:10 selinux770
2007-08-10 11:45 ` Stephen Smalley
0 siblings, 1 reply; 19+ messages in thread
From: selinux770 @ 2007-08-10 10:10 UTC (permalink / raw)
To: selinux
Hi everyone,
I try to integrate SELinux into my Nokia 770 Internet Tablet. For this I'm using some old sources which fit best to the architecture (no compile errors or missing components). My current state is that everything seems to work fine. "sestatus" tells me selinux is enabled.
But my problem is to compile a policy without error messages. It tells me, that loading fails because of a wrong magic number and I don't know where this error comes from. http://www.nsa.gov/selinux/list-archive/0206/2155.cfm tells me that it "Looks like your kernel doesn't have the same policy version as the database." I recompiled the kernel after making and make install the libraries... so I don't understand my error. A full log of the error is provided at the end of my mail.
What can be responsible for a wrong magic number? The python wrapper classes? The libraries? The policy source files I try to compile?
Thanks in advance for any help.
I'm using the following versions from the debian servers (original source packages, debian changes not included):
Apr 10 2006 checkpolicy_1.30.orig.tar.gz
Mar 23 2006 libselinux_1.30.orig.tar.gz
Apr 10 2006 libsemanage_1.6.orig.tar.gz
Mar 22 2006 libsepol_1.12.orig.tar.gz
Apr 10 2006 policycoreutils_1.30.orig.tar.gz
Don't fit these versions?
The error log:
/usr/share/selinux/policy/beta1.0# make load
Makefile:154: warning: overriding commands for target
`/etc/selinux/./policy/policy.20'
Makefile:149: warning: ignoring old commands for target
`/etc/selinux/./policy/policy.20'
( cd domains/program/ ; for n in *.te ; do echo "define(\`$n')"; done
) > tmp/program_used_flags.te.tmp
( cd domains/misc/ ; for n in *.te ; do echo "define(\`$n')"; done )
>> tmp/program_used_flags.te.tmp
mv tmp/program_used_flags.te.tmp tmp/program_used_flags.te
Building policy.conf ...
m4 -Imacros -s flask/security_classes [... shortened by me ...]
> policy.conf.tmp
Compiling policy ...
/usr/bin/checkpolicy -o /etc/selinux/./policy/policy.20 policy.conf
/usr/bin/checkpolicy: loading policy configuration from policy.conf
/usr/bin/checkpolicy: policy configuration loaded
/usr/bin/checkpolicy: writing binary representation (version 20) to
/etc/selinux/./policy/policy.20
Loading Policy ...
/usr/sbin/load_policy /etc/selinux/./policy/policy.20
/usr/sbin/load_policy: Warning! Policy file argument
(/etc/selinux/./policy/policy.20) is no longer supported, installed
policy is always loaded. Continuing...
libsepol.policydb_read: policydb magic number 0x8c007cff does not
match expected magic number 0xf97cff8c or 0xf97cff8d
libsepol.policydb_from_image: policy image is invalid
libsepol.policydb_read: policydb magic number 0x8c8c7cff does not
match expected magic number 0xf97cff8c or 0xf97cff8d
libsepol.policydb_from_image: policy image is invalid
touch tmp/load
Building file contexts files...
Validating file contexts files ...
/usr/sbin/setfiles -q -c /etc/selinux/./policy/policy.20
file_contexts/file_contexts
libsepol.policydb_read: policydb magic number 0x8c007cff does not
match expected magic number 0xf97cff8c or 0xf97cff8d
libsepol.sepol_set_policydb_from_file: can't read binary policy: Success
Error reading policy /etc/selinux/./policy/policy.20: Success
make: *** [tmp/valid_fc] Error 1
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: wrong magic number (using old sources)
2007-08-10 10:10 wrong magic number (using old sources) selinux770
@ 2007-08-10 11:45 ` Stephen Smalley
2007-08-10 11:55 ` Stephen Smalley
2007-08-10 12:12 ` selinux770
0 siblings, 2 replies; 19+ messages in thread
From: Stephen Smalley @ 2007-08-10 11:45 UTC (permalink / raw)
To: selinux770; +Cc: selinux
On Fri, 2007-08-10 at 12:10 +0200, selinux770@tortenboxer.de wrote:
> Hi everyone,
>
> i try to integrate SELinux into my Nokia 770 Internet Tablet. For this
> I'm using some old sources which fit best to the architecture (no
> compile errors or missing components). My current state is, that
> everything seems to work fine. "sestatus" tells me selinux is enabled.
You should be able to use the latest selinux userland even if using an
older kernel; newer userlands can still generate older kernel policy
formats.
> But my problem is to compile a policy without error messages. It tells
> me, that loading fails because of a wrong magic number and I don't
> know where this error comes from.
> http://www.nsa.gov/selinux/list-archive/0206/2155.cfm tells me that it
> "Looks like your kernel doesn't have the same policy version as the
> database." I recompiled the kernel after making and make install the
> libraries... so I don't understand my error. A full log of the error
> is provided at the end of my mail.
Looks like the policy image is corrupted not just inconsistent with
kernel.
> What can be responsible for a wrong magic number? The python wrapper classes? The libraries? The policy source files i try to compile?
>
> Thanks in advance for any help.
>
> I'm using the following versions from the debian servers (original source packages, debian changes not included):
> Apr 10 2006 checkpolicy_1.30.orig.tar.gz
> Mar 23 2006 libselinux_1.30.orig.tar.gz
> Apr 10 2006 libsemanage_1.6.orig.tar.gz
> Mar 22 2006 libsepol_1.12.orig.tar.gz
> Apr 10 2006 policycoreutils_1.30.orig.tar.gz
>
> Don't fit these versions?
Those versions are consistent with one another.
Kernel version? Policy version?
>
> The error log:
> /usr/share/selinux/policy/beta1.0# make load
> Makefile:154: warning: overriding commands for target
> `/etc/selinux/./policy/policy.20'
> Makefile:149: warning: ignoring old commands for target
> `/etc/selinux/./policy/policy.20'
> ( cd domains/program/ ; for n in *.te ; do echo "define(\`$n')"; done
> ) > tmp/program_used_flags.te.tmp
> ( cd domains/misc/ ; for n in *.te ; do echo "define(\`$n')"; done )
> >> tmp/program_used_flags.te.tmp
> mv tmp/program_used_flags.te.tmp tmp/program_used_flags.te
> Building policy.conf ...
> m4 -Imacros -s flask/security_classes [... shortened by me ...]
> > policy.conf.tmp
> Compiling policy ...
> /usr/bin/checkpolicy -o /etc/selinux/./policy/policy.20 policy.conf
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> /usr/bin/checkpolicy: policy configuration loaded
> /usr/bin/checkpolicy: writing binary representation (version 20) to
> /etc/selinux/./policy/policy.20
> Loading Policy ...
> /usr/sbin/load_policy /etc/selinux/./policy/policy.20
> /usr/sbin/load_policy: Warning! Policy file argument
> (/etc/selinux/./policy/policy.20) is no longer supported, installed
> policy is always loaded. Continuing...
> libsepol.policydb_read: policydb magic number 0x8c007cff does not
> match expected magic number 0xf97cff8c or 0xf97cff8d
> libsepol.policydb_from_image: policy image is invalid
> libsepol.policydb_read: policydb magic number 0x8c8c7cff does not
> match expected magic number 0xf97cff8c or 0xf97cff8d
> libsepol.policydb_from_image: policy image is invalid
> touch tmp/load
> Building file contexts files...
> Validating file contexts files ...
> /usr/sbin/setfiles -q -c /etc/selinux/./policy/policy.20
> file_contexts/file_contexts
> libsepol.policydb_read: policydb magic number 0x8c007cff does not
> match expected magic number 0xf97cff8c or 0xf97cff8d
> libsepol.sepol_set_policydb_from_file: can't read binary policy: Success
> Error reading policy /etc/selinux/./policy/policy.20: Success
> make: *** [tmp/valid_fc] Error 1
>
--
Stephen Smalley
National Security Agency
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: wrong magic number (using old sources)
2007-08-10 11:45 ` Stephen Smalley
@ 2007-08-10 11:55 ` Stephen Smalley
2007-08-10 12:12 ` selinux770
1 sibling, 0 replies; 19+ messages in thread
From: Stephen Smalley @ 2007-08-10 11:55 UTC (permalink / raw)
To: selinux770; +Cc: selinux
On Fri, 2007-08-10 at 07:45 -0400, Stephen Smalley wrote:
> On Fri, 2007-08-10 at 12:10 +0200, selinux770@tortenboxer.de wrote:
> > Hi everyone,
> >
> > i try to integrate SELinux into my Nokia 770 Internet Tablet. For this
> > I'm using some old sources which fit best to the architecture (no
> > compile errors or missing components). My current state is, that
> > everything seems to work fine. "sestatus" tells me selinux is enabled.
>
> You should be able to use the latest selinux userland even if using an
> older kernel; newer userlands can still generate older kernel policy
> formats.
>
> > But my problem is to compile a policy without error messages. It tells
> > me, that loading fails because of a wrong magic number and I don't
> > know where this error comes from.
> > http://www.nsa.gov/selinux/list-archive/0206/2155.cfm tells me that it
> > "Looks like your kernel doesn't have the same policy version as the
> > database." I recompiled the kernel after making and make install the
> > libraries... so I don't understand my error. A full log of the error
> > is provided at the end of my mail.
>
> Looks like the policy image is corrupted not just inconsistent with
> kernel.
>
> > What can be responsible for a wrong magic number? The python wrapper classes? The libraries? The policy source files i try to compile?
> >
> > Thanks in advance for any help.
> >
> > I'm using the following versions from the debian servers (original source packages, debian changes not included):
> > Apr 10 2006 checkpolicy_1.30.orig.tar.gz
> > Mar 23 2006 libselinux_1.30.orig.tar.gz
> > Apr 10 2006 libsemanage_1.6.orig.tar.gz
> > Mar 22 2006 libsepol_1.12.orig.tar.gz
> > Apr 10 2006 policycoreutils_1.30.orig.tar.gz
> >
> > Don't fit these versions?
>
> Those versions are consistent with one another.
Actually, the dates are curious - the originals were all released Mar 15
2006. Makes me wonder if those aren't pristine tarballs. md5sum of the
originals was:
c67ae4e66b48f9d309467185eaf0b4b1 checkpolicy-1.30.tgz
0b7d269c9b7d847059e4b11a710ab404 libselinux-1.30.tgz
fb06d32b305322c8810dfe1924705e74 libsemanage-1.6.tgz
937885f1fcbfe597a0f02aa9af044710 libsepol-1.12.tgz
02a05b3d24483e492bace1a219425567 policycoreutils-1.30.tgz
Anyway, I'd try using the latest instead.
> Kernel version? Policy version?
>
> >
> > The error log:
> > /usr/share/selinux/policy/beta1.0# make load
> > Makefile:154: warning: overriding commands for target
> > `/etc/selinux/./policy/policy.20'
> > Makefile:149: warning: ignoring old commands for target
> > `/etc/selinux/./policy/policy.20'
> > ( cd domains/program/ ; for n in *.te ; do echo "define(\`$n')"; done
> > ) > tmp/program_used_flags.te.tmp
> > ( cd domains/misc/ ; for n in *.te ; do echo "define(\`$n')"; done )
> > >> tmp/program_used_flags.te.tmp
> > mv tmp/program_used_flags.te.tmp tmp/program_used_flags.te
> > Building policy.conf ...
> > m4 -Imacros -s flask/security_classes [... shortened by me ...]
> > > policy.conf.tmp
> > Compiling policy ...
> > /usr/bin/checkpolicy -o /etc/selinux/./policy/policy.20 policy.conf
> > /usr/bin/checkpolicy: loading policy configuration from policy.conf
> > /usr/bin/checkpolicy: policy configuration loaded
> > /usr/bin/checkpolicy: writing binary representation (version 20) to
> > /etc/selinux/./policy/policy.20
> > Loading Policy ...
> > /usr/sbin/load_policy /etc/selinux/./policy/policy.20
> > /usr/sbin/load_policy: Warning! Policy file argument
> > (/etc/selinux/./policy/policy.20) is no longer supported, installed
> > policy is always loaded. Continuing...
> > libsepol.policydb_read: policydb magic number 0x8c007cff does not
> > match expected magic number 0xf97cff8c or 0xf97cff8d
> > libsepol.policydb_from_image: policy image is invalid
> > libsepol.policydb_read: policydb magic number 0x8c8c7cff does not
> > match expected magic number 0xf97cff8c or 0xf97cff8d
> > libsepol.policydb_from_image: policy image is invalid
> > touch tmp/load
> > Building file contexts files...
> > Validating file contexts files ...
> > /usr/sbin/setfiles -q -c /etc/selinux/./policy/policy.20
> > file_contexts/file_contexts
> > libsepol.policydb_read: policydb magic number 0x8c007cff does not
> > match expected magic number 0xf97cff8c or 0xf97cff8d
> > libsepol.sepol_set_policydb_from_file: can't read binary policy: Success
> > Error reading policy /etc/selinux/./policy/policy.20: Success
> > make: *** [tmp/valid_fc] Error 1
> >
--
Stephen Smalley
National Security Agency
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: wrong magic number (using old sources)
2007-08-10 11:45 ` Stephen Smalley
2007-08-10 11:55 ` Stephen Smalley
@ 2007-08-10 12:12 ` selinux770
2007-08-10 12:21 ` Stephen Smalley
1 sibling, 1 reply; 19+ messages in thread
From: selinux770 @ 2007-08-10 12:12 UTC (permalink / raw)
To: selinux; +Cc: Stephen Smalley
> You should be able to use the latest selinux userland even if using an
> older kernel; newer userlands can still generate older kernel policy
> formats.
The current stable userlands don't compile in my environment.
First, libselinux-1.34.7 throws a compiler error which seems to be caused by a gcc bug:
cc -shared -o libselinux.so.1 avc.lo avc_internal.lo avc_sidtab.lo booleans.lo canonicalize_context.lo checkAccess.lo check_context.lo compute_av.lo compute_cr eate.lo compute_member.lo compute_relabel.lo compute_user.lo context.lo disable. lo enabled.lo fgetfilecon.lo freecon.lo freeconary.lo fsetfilecon.lo get_context _list.lo get_default_type.lo getenforce.lo getfilecon.lo getpeercon.lo init.lo i s_customizable_type.lo lgetfilecon.lo load_policy.lo lsetfilecon.lo matchmediaco n.lo matchpathcon.lo policyvers.lo procattr.lo query_user_context.lo rpm.lo seli nux_check_securetty_context.lo selinux_config.lo setenforce.lo setfilecon.lo set rans_client.lo seusers.lo -ldl -lsepol -L/usr/lib -Wl,-soname,libselinux.so.1,-z ,defs,-z,relro
matchpathcon.lo: In function `set_matchpathcon_flags':matchpathcon.c:(.text+0x27 0): undefined reference to `__tls_get_addr'
matchpathcon.lo: In function `process_line':matchpathcon.c:(.text+0x1cf0): undef ined reference to `__tls_get_addr'
matchpathcon.lo: In function `matchpathcon_init_prefix':matchpathcon.c:(.text+0x 1fdc): undefined reference to `__tls_get_addr'
matchpathcon.lo: In function `matchpathcon':matchpathcon.c:(.text+0x2eb0): undef ined reference to `__tls_get_addr'
matchpathcon.lo: In function `selinux_file_context_verify':matchpathcon.c:(.text +0x3400): undefined reference to `__tls_get_addr'
matchpathcon.lo:matchpathcon.c:(.text+0x3468): more undefined references to `__t ls_get_addr' follow
collect2: ld returned 1 exit status
make[1]: *** [libselinux.so.1] Error 1
It could be solved by removing -z,defs from the src/Makefile. I don't know the consequences but it works.
Second, the policycoreutils-1.34-6 won't compile because of a missing header file, which is not existent in my environment:
cc -g -Werror -Wall -W -I/usr/include -D_FILE_OFFSET_BITS=64 -c -o restorecond.o restorecond.c
restorecond.c:44:25: sys/inotify.h: No such file or directory
restorecond.c: In function `watch_list_free':
restorecond.c:144: warning: implicit declaration of function `inotify_rm_watch'
restorecond.c: In function `read_config':
restorecond.c:283: warning: implicit declaration of function `inotify_add_watch'
restorecond.c:283: error: `IN_MOVED_FROM' undeclared (first use in this function)
restorecond.c:283: error: (Each undeclared identifier is reported only once
restorecond.c:283: error: for each function it appears in.)
restorecond.c:283: error: `IN_MODIFY' undeclared (first use in this function)
restorecond.c: In function `watch':
restorecond.c:291: error: invalid application of `sizeof' to incomplete type `inotify_event'
restorecond.c:293: error: invalid application of `sizeof' to incomplete type `inotify_event'
restorecond.c:309: error: dereferencing pointer to incomplete type
restorecond.c:309: error: dereferencing pointer to incomplete type
restorecond.c:310: error: dereferencing pointer to incomplete type
restorecond.c:310: error: dereferencing pointer to incomplete type
restorecond.c:311: error: dereferencing pointer to incomplete type
restorecond.c:314: error: dereferencing pointer to incomplete type
restorecond.c:316: error: dereferencing pointer to incomplete type
restorecond.c:317: error: dereferencing pointer to incomplete type
restorecond.c:317: error: dereferencing pointer to incomplete type
restorecond.c:329: error: invalid application of `sizeof' to incomplete type `inotify_event'
restorecond.c:329: error: dereferencing pointer to incomplete type
restorecond.c: In function `watch_list_add':
restorecond.c:412: error: `IN_CREATE' undeclared (first use in this function)
restorecond.c:412: error: `IN_MOVED_TO' undeclared (first use in this function)
restorecond.c: In function `main':
restorecond.c:456: warning: implicit declaration of function `inotify_init'
restorecond.c:484: warning: implicit declaration of function `matchpathcon_fini'
make[1]: *** [restorecond.o] Error 1
That's why I'm using the old sources. They work.
> Those versions are consistent with one another.
> Kernel version? Policy version?
kernel version is 2.6.16-omap1
How do I find out the policy version?
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: wrong magic number (using old sources)
2007-08-10 12:12 ` selinux770
@ 2007-08-10 12:21 ` Stephen Smalley
2007-08-10 13:07 ` "Björn Vogel"
0 siblings, 1 reply; 19+ messages in thread
From: Stephen Smalley @ 2007-08-10 12:21 UTC (permalink / raw)
To: selinux770; +Cc: selinux
On Fri, 2007-08-10 at 14:12 +0200, selinux770@tortenboxer.de wrote:
> > You should be able to use the latest selinux userland even if using an
> > older kernel; newer userlands can still generate older kernel policy
> > formats.
>
> The current stable userlands don't compile in my environment.
> First, libselinux-1.34.7 throws a compiler error which seems to be caused by a gcc bug:
> cc -shared -o libselinux.so.1 avc.lo avc_internal.lo avc_sidtab.lo booleans.lo canonicalize_context.lo checkAccess.lo check_context.lo compute_av.lo compute_cr eate.lo compute_member.lo compute_relabel.lo compute_user.lo context.lo disable. lo enabled.lo fgetfilecon.lo freecon.lo freeconary.lo fsetfilecon.lo get_context _list.lo get_default_type.lo getenforce.lo getfilecon.lo getpeercon.lo init.lo i s_customizable_type.lo lgetfilecon.lo load_policy.lo lsetfilecon.lo matchmediaco n.lo matchpathcon.lo policyvers.lo procattr.lo query_user_context.lo rpm.lo seli nux_check_securetty_context.lo selinux_config.lo setenforce.lo setfilecon.lo set rans_client.lo seusers.lo -ldl -lsepol -L/usr/lib -Wl,-soname,libselinux.so.1,-z ,defs,-z,relro
> matchpathcon.lo: In function `set_matchpathcon_flags':matchpathcon.c:(.text+0x27 0): undefined reference to `__tls_get_addr'
> matchpathcon.lo: In function `process_line':matchpathcon.c:(.text+0x1cf0): undef ined reference to `__tls_get_addr'
> matchpathcon.lo: In function `matchpathcon_init_prefix':matchpathcon.c:(.text+0x 1fdc): undefined reference to `__tls_get_addr'
> matchpathcon.lo: In function `matchpathcon':matchpathcon.c:(.text+0x2eb0): undef ined reference to `__tls_get_addr'
> matchpathcon.lo: In function `selinux_file_context_verify':matchpathcon.c:(.text +0x3400): undefined reference to `__tls_get_addr'
> matchpathcon.lo:matchpathcon.c:(.text+0x3468): more undefined references to `__t ls_get_addr' follow
> collect2: ld returned 1 exit status
> make[1]: *** [libselinux.so.1] Error 1
>
> It could be solved by removing -z,defs from the src/Makefile. I don't know the consequences but it works.
No, it depends on thread local storage support in your glibc. Manoj was
using a workaround patch for it at one time for Debian,
http://marc.info/?l=selinux&m=115807948020898&w=2
> Second, the policycoreutils-1.34-6 won't compile because of a missing header file, which is not existent in my environment:
> cc -g -Werror -Wall -W -I/usr/include -D_FILE_OFFSET_BITS=64 -c -o restorecond.o restorecond.c
> restorecond.c:44:25: sys/inotify.h: No such file or directory
restorecond depends on inotify. But you don't need restorecond to have
a working system, so you can always remove it from the Makefile SUBDIRS
definition.
> That's why I'm using the old sources. They work.
Well, except that they evidently don't.
> > Those versions are consistent with one another.
> > Kernel version? Policy version?
> kernel version is 2.6.16-omap1
> How do I find out the policy version?
Same way you found out what package version you were using of
checkpolicy and friends, I assume.
--
Stephen Smalley
National Security Agency
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: wrong magic number (using old sources)
2007-08-10 12:21 ` Stephen Smalley
@ 2007-08-10 13:07 ` "Björn Vogel"
2007-08-10 13:19 ` Stephen Smalley
0 siblings, 1 reply; 19+ messages in thread
From: "Björn Vogel" @ 2007-08-10 13:07 UTC (permalink / raw)
To: selinux; +Cc: Stephen Smalley
> > It could be solved by removing -z,defs from the src/Makefile. I don't
> know the consequences but it works.
>
> No, it depends on thread local storage support in your glibc. Manoj was
> using a workaround patch for it at one time for Debian,
> http://marc.info/?l=selinux&m=115807948020898&w=2
> restorecond depends on inotify. But you don't need restorecond to have
> a working system, so you can always remove it from the Makefile SUBDIRS
> definition.
I'll try that. Thanks.
> > That's why I'm using the old sources. They work.
>
> Well, except that they evidently don't.
Ok, you're right. Actually I meant: They compile with less problems ;o)
> > > Those versions are consistent with one another.
> > > Kernel version? Policy version?
> > kernel version is 2.6.16-omap1
> > How do I find out the policy version?
>
> Same way you found out what package version you were using of
> checkpolicy and friends, I assume.
Then I think it's
selinux-policy-default_1.26-7 or
selinux-policy-default_1.26
I'm not really sure about that, because the policy was not written by me. It's only for testing. If the version of the policy is relevant, this might be the most probable error. Which version has the policy to be (at least) to work with the (old) packages I mentioned?
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: wrong magic number (using old sources)
2007-08-10 13:07 ` "Björn Vogel"
@ 2007-08-10 13:19 ` Stephen Smalley
2007-08-10 14:12 ` selinux770
0 siblings, 1 reply; 19+ messages in thread
From: Stephen Smalley @ 2007-08-10 13:19 UTC (permalink / raw)
To: "Björn Vogel"; +Cc: selinux
On Fri, 2007-08-10 at 15:07 +0200, "Björn Vogel" wrote:
> > > It could be solved by removing -z,defs from the src/Makefile. I don't
> > know the consequences but it works.
> >
> > No, it depends on thread local storage support in your glibc. Manoj was
> > using a workaround patch for it at one time for Debian,
> > http://marc.info/?l=selinux&m=115807948020898&w=2
>
> > restorecond depends on inotify. But you don't need restorecond to have
> > a working system, so you can always remove it from the Makefile SUBDIRS
> > definition.
>
> I'll try that. Thanks.
>
> > > That's why I'm using the old sources. They work.
> >
> > Well, except that they evidently don't.
>
> Ok, you're right. Actually I meant: They compile with less problems ;o)
>
> > > > Those versions are consistent with one another.
> > > > Kernel version? Policy version?
> > > kernel version is 2.6.16-omap1
> > > How do I find out the policy version?
> >
> > Same way you found out what package version you were using of
> > checkpolicy and friends, I assume.
>
> Then i think it's
> selinux-policy-default_1.26-7 or
> selinux-policy-default_1.26
>
> I'm not really sure about that, because the policy was not written by me. It's only for testing. If the version of the policy is relevant, this might be the most probable error. Which version has the policy to be (at least) to work with the (old) packages I mentioned?
That should be fine; you'd only run into problems if using newer
reference policy versions with that older checkpolicy.
I'd suggest sending me a copy of your policy.conf and policy.20
off-list, and ideally giving me the precise URLs where I can find
the .tar.gz files that you used as your baseline. Then I can try to
re-create the bug.
--
Stephen Smalley
National Security Agency
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: wrong magic number (using old sources)
2007-08-10 13:19 ` Stephen Smalley
@ 2007-08-10 14:12 ` selinux770
2007-08-11 18:07 ` selinux770
0 siblings, 1 reply; 19+ messages in thread
From: selinux770 @ 2007-08-10 14:12 UTC (permalink / raw)
To: selinux; +Cc: Stephen Smalley
> > Then i think it's
> > selinux-policy-default_1.26-7 or
> > selinux-policy-default_1.26
> >
> > I'm not really sure about that, because the policy was not written by
> me. It's only for testing. If the version of the policy is relevant, this
> might be the most probable error. Which version has the policy to be (at least)
> to work with the (old) packages I mentioned?
>
> That should be fine; you'd only run into problems if using newer
> reference policy versions with that older checkpolicy.
>
> I'd suggest sending me a copy of your policy.conf and policy.20
> off-list, and ideally giving me the precise URLs where I can find
> the .tar.gz files that you used as your baseline. Then I can try to
> re-create the bug.
Ok, I just tried to compile the up-to-date stable package from the nsa page. Compiling seems to work with the help you provided. Thanks again for that.
I will now try to bring the system up with the new packages. This might take some days. I'll notify you about results.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: wrong magic number (using old sources)
2007-08-10 14:12 ` selinux770
@ 2007-08-11 18:07 ` selinux770
2007-08-13 12:55 ` Stephen Smalley
0 siblings, 1 reply; 19+ messages in thread
From: selinux770 @ 2007-08-11 18:07 UTC (permalink / raw)
To: selinux
Hello again,
unfortunately, the problem persists. I've compiled the current stable package and put the files on the target system... the error is still "wrong magic number"...
I also recompiled the kernel... btw... is this necessary each time I change the SELinux libraries versions? I did that too many times the last week ;-)
I've got to confess it was just a quick shot, maybe I forgot something, but I don't think so. I'll retry it on Monday once again, but I'm not very confident.
Is there some non-SELinux related library that may be responsible for this error? How is the magic number generated? How is it checked? Is some calculation or transformation performed on this number by other libraries? Since I cross-compile all the packages it may be the case that some libraries differ on the compiling system and the using system. It would be helpful to have a list to check these packages/libraries against inconsistencies that may be responsible for that....
-------- Original Message --------
Date: Fri, 10 Aug 2007 16:12:36 +0200
From: selinux770@tortenboxer.de
To: selinux@tycho.nsa.gov
CC: Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: wrong magic number (using old sources)
> > > Then i think it's
> > > selinux-policy-default_1.26-7 or
> > > selinux-policy-default_1.26
> > >
> > > I'm not really sure about that, because the policy was not written by
> > me. It's only for testing. If the version of the policy is relevant,
> this
> > might be the most probable error. Which version has the policy to be (at
> least)
> > to work with the (old) packages I mentioned?
> >
> > That should be fine; you'd only run into problems if using newer
> > reference policy versions with that older checkpolicy.
> >
> > I'd suggest sending me a copy of your policy.conf and policy.20
> > off-list, and ideally giving me the precise URLs where I can find
> > the .tar.gz files that you used as your baseline. Then I can try to
> > re-create the bug.
>
> Ok, I just tried to compile the up-to-date stable package from the nsa
> page. Compiling seems to work with the help you provided. Thanks again for
> that.
>
> I will now try to bring the system up now with the new packages. This
> might take some days. I'll notify you about results.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: wrong magic number (using old sources)
2007-08-11 18:07 ` selinux770
@ 2007-08-13 12:55 ` Stephen Smalley
2007-08-15 15:44 ` selinux770
0 siblings, 1 reply; 19+ messages in thread
From: Stephen Smalley @ 2007-08-13 12:55 UTC (permalink / raw)
To: selinux770; +Cc: selinux
On Sat, 2007-08-11 at 20:07 +0200, selinux770@tortenboxer.de wrote:
> Hello again,
>
> unfortunately, the problem persists. I've compiled the current stable
> package and put the files on the target system... the error is still
> "wrong magic number"...
> I also recompiled the kernel... btw... is this necessary each time i
> change the SELinux libraries versions? I did that too many times the
> last week ;-)
No, you don't have to do that.
> I've got to confess it was just a quick shot, maybe I forgot
> something, but I don't think so. I'll retry it on Monday once again,
> but I'm not very confident.
>
> Is there some non-SELinux related library that may be responsible for
> this error? How is the magic number generated? How is it checked? Is
> some calculation or transformation performed on this number by other
> libraries? Since I cross-compile all the packages it may be the case
> that some libraries differ on the compiling system and the using
> system. It would be helpful to have a list to check these
> packages/libraries against inconsistencies that may be responsible for
> that....
libsepol/src/write.c:policydb_write() writes the policy image from
memory to disk. If you look at it, you'll see that it puts the magic
number (just a fixed value, defined as POLICYDB_MAGIC) and the length of
a string identifier into a buffer (converting both to little endian
order), then puts them to the file via put_entry().
libsepol/src/policydb.c:policydb_read() reads the policy image from disk
into memory. If you look at it, you'll see that it fetches the first
two words via next_entry(), converts them from little endian to cpu
order, and then checks the magic number to see whether it is a kernel
policy or a policy module, displaying the error message you are seeing
if it doesn't match either.
Are you cross-compiling from a system with different endianness?
As I've suggested before, you could send your policy.conf and policy.20
files to me separately and I could see whether I can reproduce here.
--
Stephen Smalley
National Security Agency
* Re: wrong magic number (using old sources)
2007-08-13 12:55 ` Stephen Smalley
@ 2007-08-15 15:44 ` selinux770
2007-08-15 18:33 ` Stephen Smalley
0 siblings, 1 reply; 19+ messages in thread
From: selinux770 @ 2007-08-15 15:44 UTC (permalink / raw)
To: selinux; +Cc: Stephen Smalley
> Are you cross-compiling from a system with different endianness?
Don't think so. I think both systems are little endian.
I played a little bit with the sources and I found a strange error:
Actually, the generated magic number is correct. I checked that with a hex editor and also within the next_entry() method in private.h
The buffer the next_entry method returns is:
buffer[0]: 8c
buffer[1]: ff
buffer[2]: 7c
buffer[3]: f9
buffer[4]: 8
buffer[5]: 0
buffer[6]: 0
buffer[7]: 0
The method returns a void pointer that is interpreted as a uint32_t (4 bytes) pointer (*buf). Printing the first two buffer entries now, I get:
*** before conversion: buf[0] : 7cff8c
*** after conversion: buf[0] : 8c007cff
*** before conversion: buf[1] : f9000008
*** after conversion: buf[1] : 8f90000
Here "before conversion" shows the hex interpretation of buf[i] before le32_to_cpu(buf[i]) is called, and "after conversion" shows the value afterwards. Something goes completely wrong. It seems like a 00 is added at the beginning of buf[0]. The magic number would be correct if we dropped this 00 and took the first byte of buf[1] instead. The strange thing is that when I declare a
char *tmpbuf;
and set it to
tmpbuf=(char *)buf;
the content is correct again:
*** buf as char: tmpbuf[0] : 8c
*** buf as char: tmpbuf[1] : ff
*** buf as char: tmpbuf[2] : 7c
*** buf as char: tmpbuf[3] : f9
*** buf as char: tmpbuf[4] : 8
*** buf as char: tmpbuf[5] : 0
*** buf as char: tmpbuf[6] : 0
*** buf as char: tmpbuf[7] : 0
I don't get the problem... why is
buf[0] = (00) 7c ff 8c and
(char *) buf[3...0] = f9 7c ff 8c
?
This is obviously not an error within the selinux sources, but maybe you could help me anyway?!
Thanks in advance.
* Re: wrong magic number (using old sources)
2007-08-15 15:44 ` selinux770
@ 2007-08-15 18:33 ` Stephen Smalley
2007-08-16 8:05 ` selinux770
0 siblings, 1 reply; 19+ messages in thread
From: Stephen Smalley @ 2007-08-15 18:33 UTC (permalink / raw)
To: selinux770; +Cc: selinux
On Wed, 2007-08-15 at 17:44 +0200, selinux770@tortenboxer.de wrote:
> > Are you cross-compiling from a system with different endianness?
> Don't think so. I think both systems are little endian.
>
> I played a little bit with the sources and I found a strange error:
> Actually, the generated magic number is correct. I checked that with a hex editor and also within the next_entry() method in private.h
> The buffer the next_entry method returns is:
> buffer[0]: 8c
> buffer[1]: ff
> buffer[2]: 7c
> buffer[3]: f9
> buffer[4]: 8
> buffer[5]: 0
> buffer[6]: 0
> buffer[7]: 0
>
> The method returns a void pointer that is interpreted as a uint32_t (4 bytes) pointer (*buf). Printing the first two buffer entries now, I get:
> *** before conversion: buf[0] : 7cff8c
> *** after conversion: buf[0] : 8c007cff
> *** before conversion: buf[1] : f9000008
> *** after conversion: buf[1] : 8f90000
>
> Here "before conversion" shows the hex interpretation of buf[i] before le32_to_cpu(buf[i]) is called, and "after conversion" shows the value afterwards. Something goes completely wrong. It seems like a 00 is added at the beginning of buf[0]. The magic number would be correct if we dropped this 00 and took the first byte of buf[1] instead. The strange thing is that when I declare a
> char *tmpbuf;
> and set it to
> tmpbuf=(char *)buf;
> the content is correct again:
> *** buf as char: tmpbuf[0] : 8c
> *** buf as char: tmpbuf[1] : ff
> *** buf as char: tmpbuf[2] : 7c
> *** buf as char: tmpbuf[3] : f9
> *** buf as char: tmpbuf[4] : 8
> *** buf as char: tmpbuf[5] : 0
> *** buf as char: tmpbuf[6] : 0
> *** buf as char: tmpbuf[7] : 0
>
> I don't get the problem... why is
> buf[0] = (00) 7c ff 8c and
> (char *) buf[3...0] = f9 7c ff 8c
> ?
>
> This is obviously not an error within the selinux sources, but maybe you could help me anyway?!
>
> Thanks in advance.
I suspect that what we are doing isn't safe/portable.
The corresponding kernel code was converted a while back to avoid
unaligned access problems, so possibly a similar transformation should
happen here.
See:
http://marc.info/?l=selinux&m=110252376515271&w=2
As a simple test of whether this is related, you might try the following
patch for libsepol (and then rebuild checkpolicy against the updated
libsepol) and see if it gets you past the magic number check. If so,
then the next step would be to apply the same change to the entire
policydb_read code.
Index: libsepol/src/policydb.c
===================================================================
--- libsepol/src/policydb.c (revision 2517)
+++ libsepol/src/policydb.c (working copy)
@@ -2938,36 +2938,37 @@
{
unsigned int i, j, r_policyvers;
- uint32_t *buf, config;
+ uint32_t *buf, buf2[8], config;
size_t len, nprim, nel;
char *policydb_str, *target_str = NULL;
struct policydb_compat_info *info;
unsigned int policy_type, bufindex;
ebitmap_node_t *tnode;
+ int rc;
config = 0;
/* Read the magic number and string length. */
- buf = next_entry(fp, sizeof(uint32_t) * 2);
- if (!buf)
+ rc = next_entry2(buf2, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
return POLICYDB_ERROR;
for (i = 0; i < 2; i++)
- buf[i] = le32_to_cpu(buf[i]);
+ buf2[i] = le32_to_cpu(buf2[i]);
- if (buf[0] == POLICYDB_MAGIC) {
+ if (buf2[0] == POLICYDB_MAGIC) {
policy_type = POLICY_KERN;
target_str = POLICYDB_STRING;
- } else if (buf[0] == POLICYDB_MOD_MAGIC) {
+ } else if (buf2[0] == POLICYDB_MOD_MAGIC) {
policy_type = POLICY_MOD;
target_str = POLICYDB_MOD_STRING;
} else {
ERR(fp->handle, "policydb magic number %#08x does not "
"match expected magic number %#08x or %#08x",
- buf[0], POLICYDB_MAGIC, POLICYDB_MOD_MAGIC);
+ buf2[0], POLICYDB_MAGIC, POLICYDB_MOD_MAGIC);
return POLICYDB_ERROR;
}
- len = buf[1];
+ len = buf2[1];
if (len != strlen(target_str)) {
ERR(fp->handle, "policydb string length %zu does not match "
"expected length %zu", len, strlen(target_str));
Index: libsepol/src/private.h
===================================================================
--- libsepol/src/private.h (revision 2517)
+++ libsepol/src/private.h (working copy)
@@ -64,6 +64,29 @@
return buffer;
}
+static inline int next_entry2(void *buf, struct policy_file *fp, size_t bytes)
+{
+ size_t nread;
+
+ switch (fp->type) {
+ case PF_USE_STDIO:
+ nread = fread(buf, bytes, 1, fp->fp);
+ if (nread != 1)
+ return -1;
+ break;
+ case PF_USE_MEMORY:
+ if (bytes > fp->len)
+ return -1;
+ memcpy(buf, fp->data, bytes);
+ fp->data += bytes;
+ fp->len -= bytes;
+ break;
+ default:
+ return -1;
+ }
+ return 0;
+}
+
static inline size_t put_entry(const void *ptr, size_t size, size_t n,
struct policy_file *fp)
{
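Review bot: next_entry2() has no destination-size argument, so in both the fread() and the memcpy() path only the source side is checked (`bytes > fp->len`) and nothing stops `bytes` from exceeding what `buf` can hold. Either add a capacity parameter and return -1 when `bytes` exceeds it, or put a comment above the function stating that every caller must bound `bytes` against its own buffer first, which matters as soon as a caller passes a length that was read from the policy file.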
--
Stephen Smalley
National Security Agency
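Added example (not code from this thread or from libsepol): a C sketch of the header read discussed above, first modelling a word load through a misaligned uint32_t pointer and then doing a copy-out read into an aligned buffer. Assumptions: the device rotates unaligned word loads the way pre-ARMv6 ARM cores do, the library buffer sat one byte past a word boundary with a zero byte in front of it, and the names sample, mem_file, read_entry, rotated_load and check_policy_header are made up for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POLICYDB_MAGIC  0xf97cff8cU  /* value that passes the check in the thread */
#define POLICYDB_STRING "SE Linux"   /* libsepol kernel-policy identifier, 8 bytes */

/* Constructed sample: the header bytes from the thread's dump, stored one
 * byte past a word boundary. The leading 0x00 is an assumption. */
static const unsigned char sample[] = {
    0x00,                                  /* byte in front of the buffer */
    0x8c, 0xff, 0x7c, 0xf9,                /* magic, little endian */
    0x08, 0x00, 0x00, 0x00,                /* identifier length */
    'S', 'E', ' ', 'L', 'i', 'n', 'u', 'x'
};

/* Byte-wise little-endian decode: valid at any address, on any host. */
static uint32_t load_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Model (not real hardware access) of a 32-bit load from address addr on a
 * core that fetches the enclosing aligned word and rotates it right by
 * 8 * (addr % 4) bits. mem[0] is treated as word aligned. */
static uint32_t rotated_load(const unsigned char *mem, size_t addr)
{
    uint32_t w = load_le32(mem + (addr & ~(size_t)3));
    unsigned rot = (unsigned)(addr & 3) * 8;
    return rot ? (w >> rot) | (w << (32 - rot)) : w;
}

/* Hypothetical stand-in for the PF_USE_MEMORY case of struct policy_file. */
struct mem_file {
    const unsigned char *data;
    size_t len;
};

/* Copy-out read in the style of next_entry2(), with an added capacity
 * argument so a length taken from the file cannot overrun dst. */
static int read_entry(void *dst, size_t cap, struct mem_file *fp, size_t bytes)
{
    if (bytes > cap || bytes > fp->len)
        return -1;
    memcpy(dst, fp->data, bytes);
    fp->data += bytes;
    fp->len -= bytes;
    return 0;
}

/* le32_to_cpu() for an aligned word, independent of host byte order. */
static uint32_t le32_decode(uint32_t word)
{
    unsigned char b[4];
    memcpy(b, &word, sizeof b);
    return load_le32(b);
}

enum { HDR_OK = 0, HDR_TRUNCATED = -1, HDR_BAD_MAGIC = -2, HDR_BAD_STRING = -3 };

/* Validate magic, identifier length and identifier of a policy image. */
static int check_policy_header(const unsigned char *image, size_t len)
{
    struct mem_file fp = { image, len };
    uint32_t words[2];                    /* aligned destination */
    char ident[sizeof(POLICYDB_STRING)];  /* 8 characters + NUL */
    uint32_t slen;

    if (read_entry(words, sizeof words, &fp, sizeof words) < 0)
        return HDR_TRUNCATED;
    if (le32_decode(words[0]) != POLICYDB_MAGIC)
        return HDR_BAD_MAGIC;
    slen = le32_decode(words[1]);
    if (slen != strlen(POLICYDB_STRING))
        return HDR_BAD_STRING;
    if (read_entry(ident, sizeof ident - 1, &fp, slen) < 0)
        return HDR_TRUNCATED;
    ident[slen] = '\0';
    return strcmp(ident, POLICYDB_STRING) == 0 ? HDR_OK : HDR_BAD_STRING;
}

int main(void)
{
    printf("cast-style read: %08x %08x\n",
           (unsigned)rotated_load(sample, 1), (unsigned)rotated_load(sample, 5));
    printf("copy-out read:   magic %08x, header check %d\n",
           (unsigned)load_le32(sample + 1),
           check_policy_header(sample + 1, sizeof sample - 1));
    return 0;
}
```

Under these assumptions the modelled cast-style read gives 007cff8c and f9000008, the "before conversion" values in the report, while the copy-out read recovers f97cff8c and the header check passes.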
* Re: wrong magic number (using old sources)
2007-08-15 18:33 ` Stephen Smalley
@ 2007-08-16 8:05 ` selinux770
2007-08-16 12:59 ` Stephen Smalley
0 siblings, 1 reply; 19+ messages in thread
From: selinux770 @ 2007-08-16 8:05 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
> I suspect that what we are doing isn't safe/portable.
>
> The corresponding kernel code was converted a while back to avoid
> unaligned access problems, so possibly a similar transformation should
> happen here.
>
> See:
> http://marc.info/?l=selinux&m=110252376515271&w=2
>
> As a simple test of whether this is related, you might try the following
> patch for libsepol (and then rebuild checkpolicy against the updated
> libsepol) and see if it gets you past the magic number check. If so,
> then the next step would be to apply the same change to the entire
> policydb_read code.
That's it. After applying the changes in the source code I get past the magic number check. Now my policy version number is wrong, but I would suggest that this error is related to the problem you described. I also included a printf for buf2[] to check the values after conversion:
# make
( cd domains/program/ ; for n in *.te ; do echo "define(\`$n')"; done ) > tmp/program_used_flags.te.tmp
( cd domains/misc/ ; for n in *.te ; do echo "define(\`$n')"; done ) >> tmp/program_used_flags.te.tmp
mv tmp/program_used_flags.te.tmp tmp/program_used_flags.te
Building policy.conf ...
[...] > policy.conf.tmp
Building file contexts files...
/usr/bin/checkpolicy -o policy.20 policy.conf
/usr/bin/checkpolicy: loading policy configuration from policy.conf
/usr/bin/checkpolicy: policy configuration loaded
/usr/bin/checkpolicy: writing binary representation (version 21) to policy.20
Validating file contexts files ...
/usr/sbin/setfiles -q -c policy.20 file_contexts/file_contexts
buf2[0]: f97cff8c
buf2[1]: 8
buf2[2]: bea60574
buf2[3]: bea60560
buf2[4]: 4004a304
buf2[5]: 400469a4
buf2[6]: 0
buf2[7]: 400a26f0
libsepol.policydb_read: policydb version 352321536 does not match my version range 15-21
libsepol.sepol_set_policydb_from_file: can't read binary policy: Success
Error reading policy policy.20: Success
make: *** [policy.20] Error 1
I think it is only necessary to declare uint32_t buf2[] of size 2 and not 8, isn't it?
* Re: wrong magic number (using old sources)
2007-08-16 8:05 ` selinux770
@ 2007-08-16 12:59 ` Stephen Smalley
2007-08-16 15:14 ` selinux770
2007-08-21 17:05 ` [patch] libsepol: eliminate unaligned accesses (Was: Re: wrong magic number (using old sources)) Stephen Smalley
0 siblings, 2 replies; 19+ messages in thread
From: Stephen Smalley @ 2007-08-16 12:59 UTC (permalink / raw)
To: selinux770; +Cc: selinux
On Thu, 2007-08-16 at 10:05 +0200, selinux770@tortenboxer.de wrote:
> > I suspect that what we are doing isn't safe/portable.
> >
> > The corresponding kernel code was converted a while back to avoid
> > unaligned access problems, so possibly a similar transformation should
> > happen here.
> >
> > See:
> > http://marc.info/?l=selinux&m=110252376515271&w=2
> >
> > As a simple test of whether this is related, you might try the following
> > patch for libsepol (and then rebuild checkpolicy against the updated
> > libsepol) and see if it gets you past the magic number check. If so,
> > then the next step would be to apply the same change to the entire
> > policydb_read code.
>
> That's it. After applying the changes in the source code I get past the magic number check. Now my policy version number is wrong, but I would suggest that this error is related to the problem you described. I also included a printf for buf2[] to check the values after conversion:
> # make
> ( cd domains/program/ ; for n in *.te ; do echo "define(\`$n')"; done ) > tmp/program_used_flags.te.tmp
> ( cd domains/misc/ ; for n in *.te ; do echo "define(\`$n')"; done ) >> tmp/program_used_flags.te.tmp
> mv tmp/program_used_flags.te.tmp tmp/program_used_flags.te
> Building policy.conf ...
> [...] > policy.conf.tmp
> Building file contexts files...
> /usr/bin/checkpolicy -o policy.20 policy.conf
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> /usr/bin/checkpolicy: policy configuration loaded
> /usr/bin/checkpolicy: writing binary representation (version 21) to policy.20
> Validating file contexts files ...
> /usr/sbin/setfiles -q -c policy.20 file_contexts/file_contexts
> buf2[0]: f97cff8c
> buf2[1]: 8
> buf2[2]: bea60574
> buf2[3]: bea60560
> buf2[4]: 4004a304
> buf2[5]: 400469a4
> buf2[6]: 0
> buf2[7]: 400a26f0
> libsepol.policydb_read: policydb version 352321536 does not match my version range 15-21
> libsepol.sepol_set_policydb_from_file: can't read binary policy: Success
> Error reading policy policy.20: Success
> make: *** [policy.20] Error 1
>
> I think it is only necessary to declare uint32_t buf2[] of size 2 and not 8, isn't it?
Ok, so libsepol needs to be fixed in the same way the kernel was to
eliminate unaligned accesses. Might take a little bit to work through
all the code. The size of the buffer has to be large enough for the
largest next_entry() request.
As a possible short term work around, you might try this patch instead.
It just converts the static buffer used within libsepol from unsigned
char to uint32_t so that the buffer will be aligned (at least for u32).
That avoids changing all the callers.
Index: libsepol/src/private.h
===================================================================
--- libsepol/src/private.h (revision 2517)
+++ libsepol/src/private.h (working copy)
@@ -5,6 +5,7 @@
#include <byteswap.h>
#include <endian.h>
#include <sepol/policydb/policydb.h>
+#include <stdint.h>
#if __BYTE_ORDER == __LITTLE_ENDIAN
#define cpu_to_le16(x) (x)
@@ -39,7 +40,7 @@
/* Reading from a policy "file". */
static inline void *next_entry(struct policy_file *fp, size_t bytes)
{
- static unsigned char buffer[BUFSIZ];
+ static uint32_t buffer[20];
size_t nread;
if (bytes > sizeof buffer)
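Review bot: `static uint32_t buffer[20]` shrinks the buffer from BUFSIZ bytes to 80, so the `bytes > sizeof buffer` check directly below now rejects any single request larger than 80 bytes. If the aim is only alignment, keep the old capacity with something like `static uint32_t buffer[BUFSIZ / sizeof(uint32_t)]`, or add a comment next to the 20 naming the largest request next_entry() has to serve.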
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: wrong magic number (using old sources)
2007-08-16 12:59 ` Stephen Smalley
@ 2007-08-16 15:14 ` selinux770
2007-08-21 17:05 ` [patch] libsepol: eliminate unaligned accesses (Was: Re: wrong magic number (using old sources)) Stephen Smalley
1 sibling, 0 replies; 19+ messages in thread
From: selinux770 @ 2007-08-16 15:14 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
> Ok, so libsepol needs to be fixed in the same way the kernel was to
> eliminate unaligned accesses. Might take a little bit to work through
> all the code. The size of the buffer has to be large enough for the
> largest next_entry() request.
>
> As a possible short term work around, you might try this patch instead.
> It just converts the static buffer used within libsepol from unsigned
> char to uint32_t so that the buffer will be aligned (at least for u32).
> That avoids changing all the callers.
This small patch worked fine for me. The policy is created and loaded (correctly I think :-)).
Thanks a lot for your support.
> Index: libsepol/src/private.h
> ===================================================================
> --- libsepol/src/private.h (revision 2517)
> +++ libsepol/src/private.h (working copy)
> @@ -5,6 +5,7 @@
> #include <byteswap.h>
> #include <endian.h>
> #include <sepol/policydb/policydb.h>
> +#include <stdint.h>
>
> #if __BYTE_ORDER == __LITTLE_ENDIAN
> #define cpu_to_le16(x) (x)
> @@ -39,7 +40,7 @@
> /* Reading from a policy "file". */
> static inline void *next_entry(struct policy_file *fp, size_t bytes)
> {
> - static unsigned char buffer[BUFSIZ];
> + static uint32_t buffer[20];
> size_t nread;
>
> if (bytes > sizeof buffer)
>
> --
> Stephen Smalley
> National Security Agency
* [patch] libsepol: eliminate unaligned accesses (Was: Re: wrong magic number (using old sources))
2007-08-16 12:59 ` Stephen Smalley
2007-08-16 15:14 ` selinux770
@ 2007-08-21 17:05 ` Stephen Smalley
2007-08-21 19:21 ` Eric Paris
2007-08-23 15:08 ` Stephen Smalley
1 sibling, 2 replies; 19+ messages in thread
From: Stephen Smalley @ 2007-08-21 17:05 UTC (permalink / raw)
To: selinux770; +Cc: selinux, Joshua Brindle, Karl MacMillan
Full patch follows, replaces the prior short term one.
Rewrite libsepol next_entry function and all callers to copy entry data
from the binary policy into properly aligned buffers, eliminating
unaligned accesses, just as I did for the kernel back in 2004,
http://marc.info/?l=selinux&m=110252376515271&w=2
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
libsepol/src/avtab.c | 32 +--
libsepol/src/conditional.c | 44 ++--
libsepol/src/ebitmap.c | 23 +-
libsepol/src/module.c | 111 +++++-----
libsepol/src/policydb.c | 472 +++++++++++++++++++++++----------------------
libsepol/src/private.h | 20 -
6 files changed, 365 insertions(+), 337 deletions(-)
Index: trunk/libsepol/src/conditional.c
===================================================================
--- trunk/libsepol/src/conditional.c (revision 2520)
+++ trunk/libsepol/src/conditional.c (working copy)
@@ -569,15 +569,16 @@
{
char *key = 0;
cond_bool_datum_t *booldatum;
- uint32_t *buf, len;
+ uint32_t buf[3], len;
+ int rc;
booldatum = malloc(sizeof(cond_bool_datum_t));
if (!booldatum)
return -1;
memset(booldatum, 0, sizeof(cond_bool_datum_t));
- buf = next_entry(fp, sizeof(uint32_t) * 3);
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
+ if (rc < 0)
goto err;
booldatum->s.value = le32_to_cpu(buf[0]);
@@ -588,13 +589,12 @@
len = le32_to_cpu(buf[2]);
- buf = next_entry(fp, len);
- if (!buf)
- goto err;
key = malloc(len + 1);
if (!key)
goto err;
- memcpy(key, buf, len);
+ rc = next_entry(key, fp, len);
+ if (rc < 0)
+ goto err;
key[len] = 0;
if (hashtab_insert(h, key, booldatum))
goto err;
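Review bot: with the intermediate `buf = next_entry(fp, len)` step removed, `len` goes straight from the file into `malloc(len + 1)` and `next_entry(key, fp, len)` with no upper bound, and because `len` is a uint32_t in this function `len + 1` can wrap to 0. Add a sanity limit on `len` before the malloc and fail the read when it is exceeded; the same malloc-then-next_entry pattern recurs in the policydb.c readers later in this patch.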
@@ -703,14 +703,14 @@
{
unsigned int i;
int rc;
- uint32_t *buf, len;
+ uint32_t buf[1], len;
struct cond_insertf_data data;
*ret_list = NULL;
len = 0;
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
return -1;
len = le32_to_cpu(buf[0]);
@@ -752,27 +752,27 @@
static int cond_read_node(policydb_t * p, cond_node_t * node, void *fp)
{
- uint32_t *buf;
- int len, i;
+ uint32_t buf[2];
+ int len, i, rc;
cond_expr_t *expr = NULL, *last = NULL;
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
goto err;
node->cur_state = le32_to_cpu(buf[0]);
len = 0;
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
goto err;
/* expr */
len = le32_to_cpu(buf[0]);
for (i = 0; i < len; i++) {
- buf = next_entry(fp, sizeof(uint32_t) * 2);
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
goto err;
expr = malloc(sizeof(cond_expr_t));
@@ -820,11 +820,11 @@
int cond_read_list(policydb_t * p, cond_list_t ** list, void *fp)
{
cond_node_t *node, *last = NULL;
- uint32_t *buf;
- int i, len;
+ uint32_t buf[1];
+ int i, len, rc;
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
return -1;
len = le32_to_cpu(buf[0]);
Index: trunk/libsepol/src/policydb.c
===================================================================
--- trunk/libsepol/src/policydb.c (revision 2520)
+++ trunk/libsepol/src/policydb.c (working copy)
@@ -1316,11 +1316,13 @@
static int role_set_read(role_set_t * r, struct policy_file *fp)
{
- uint32_t *buf;
+ uint32_t buf[1];
+ int rc;
+
if (ebitmap_read(&r->roles, fp))
return -1;
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
return -1;
r->flags = le32_to_cpu(buf[0]);
@@ -1329,15 +1331,16 @@
static int type_set_read(type_set_t * t, struct policy_file *fp)
{
- uint32_t *buf;
+ uint32_t buf[1];
+ int rc;
if (ebitmap_read(&t->types, fp))
return -1;
if (ebitmap_read(&t->negset, fp))
return -1;
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
return -1;
t->flags = le32_to_cpu(buf[0]);
@@ -1350,16 +1353,21 @@
*/
static int mls_read_range_helper(mls_range_t * r, struct policy_file *fp)
{
- uint32_t *buf;
- int items, rc = -EINVAL;
+ uint32_t buf[2], items;
+ int rc;
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
goto out;
items = le32_to_cpu(buf[0]);
- buf = next_entry(fp, sizeof(uint32_t) * items);
- if (!buf) {
+ if (items > ARRAY_SIZE(buf)) {
+ ERR(fp->handle, "range overflow");
+ rc = -EINVAL;
+ goto out;
+ }
+ rc = next_entry(buf, fp, sizeof(uint32_t) * items);
+ if (rc < 0) {
ERR(fp->handle, "truncated range");
goto out;
}
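Review bot: the first `if (rc < 0) goto out;` after reading the item count fails silently, while the overflow and truncated-range paths below it both call ERR(); add a message there as well. Also, `rc` lost its `-EINVAL` initialiser, so on the two read-failure paths it now holds next_entry()'s return value while the overflow path sets -EINVAL explicitly; make the three paths return a consistent code.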
@@ -1403,14 +1411,15 @@
static int mls_read_semantic_level_helper(mls_semantic_level_t * l,
struct policy_file *fp)
{
- uint32_t *buf, ncat;
+ uint32_t buf[2], ncat;
unsigned int i;
mls_semantic_cat_t *cat;
+ int rc;
mls_semantic_level_init(l);
- buf = next_entry(fp, sizeof(uint32_t) * 2);
- if (!buf) {
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0) {
ERR(fp->handle, "truncated level");
goto bad;
}
@@ -1428,8 +1437,8 @@
cat->next = l->cat;
l->cat = cat;
- buf = next_entry(fp, sizeof(uint32_t) * 2);
- if (!buf) {
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0) {
ERR(fp->handle, "error reading level categories");
goto bad;
}
@@ -1513,10 +1522,11 @@
static int context_read_and_validate(context_struct_t * c,
policydb_t * p, struct policy_file *fp)
{
- uint32_t *buf;
+ uint32_t buf[3];
+ int rc;
- buf = next_entry(fp, sizeof(uint32_t) * 3);
- if (!buf) {
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
+ if (rc < 0) {
ERR(fp->handle, "context truncated");
return -1;
}
@@ -1554,27 +1564,27 @@
{
char *key = 0;
perm_datum_t *perdatum;
- uint32_t *buf;
+ uint32_t buf[2];
size_t len;
+ int rc;
perdatum = calloc(1, sizeof(perm_datum_t));
if (!perdatum)
return -1;
- buf = next_entry(fp, sizeof(uint32_t) * 2);
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
goto bad;
len = le32_to_cpu(buf[0]);
perdatum->s.value = le32_to_cpu(buf[1]);
- buf = next_entry(fp, len);
- if (!buf)
- goto bad;
key = malloc(len + 1);
if (!key)
goto bad;
- memcpy(key, buf, len);
+ rc = next_entry(key, fp, len);
+ if (rc < 0)
+ goto bad;
key[len] = 0;
if (hashtab_insert(h, key, perdatum))
@@ -1591,16 +1601,17 @@
{
char *key = 0;
common_datum_t *comdatum;
- uint32_t *buf;
+ uint32_t buf[4];
size_t len, nel;
unsigned int i;
+ int rc;
comdatum = calloc(1, sizeof(common_datum_t));
if (!comdatum)
return -1;
- buf = next_entry(fp, sizeof(uint32_t) * 4);
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 4);
+ if (rc < 0)
goto bad;
len = le32_to_cpu(buf[0]);
@@ -1611,13 +1622,12 @@
comdatum->permissions.nprim = le32_to_cpu(buf[2]);
nel = le32_to_cpu(buf[3]);
- buf = next_entry(fp, len);
- if (!buf)
- goto bad;
key = malloc(len + 1);
if (!key)
goto bad;
- memcpy(key, buf, len);
+ rc = next_entry(key, fp, len);
+ if (rc < 0)
+ goto bad;
key[len] = 0;
for (i = 0; i < nel; i++) {
@@ -1641,10 +1651,10 @@
{
constraint_node_t *c, *lc;
constraint_expr_t *e, *le;
- uint32_t *buf;
+ uint32_t buf[3];
size_t nexpr;
unsigned int i, j;
- int depth;
+ int rc, depth;
lc = NULL;
for (i = 0; i < ncons; i++) {
@@ -1657,8 +1667,8 @@
else
*nodep = c;
- buf = next_entry(fp, (sizeof(uint32_t) * 2));
- if (!buf)
+ rc = next_entry(buf, fp, (sizeof(uint32_t) * 2));
+ if (rc < 0)
return -1;
c->permissions = le32_to_cpu(buf[0]);
nexpr = le32_to_cpu(buf[1]);
@@ -1678,8 +1688,8 @@
c->expr = e;
}
- buf = next_entry(fp, (sizeof(uint32_t) * 3));
- if (!buf)
+ rc = next_entry(buf, fp, (sizeof(uint32_t) * 3));
+ if (rc < 0)
return -1;
e->expr_type = le32_to_cpu(buf[0]);
e->attr = le32_to_cpu(buf[1]);
@@ -1730,16 +1740,17 @@
{
char *key = 0;
class_datum_t *cladatum;
- uint32_t *buf;
+ uint32_t buf[6];
size_t len, len2, ncons, nel;
unsigned int i;
+ int rc;
cladatum = (class_datum_t *) calloc(1, sizeof(class_datum_t));
if (!cladatum)
return -1;
- buf = next_entry(fp, sizeof(uint32_t) * 6);
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 6);
+ if (rc < 0)
goto bad;
len = le32_to_cpu(buf[0]);
@@ -1753,23 +1764,21 @@
ncons = le32_to_cpu(buf[5]);
- buf = next_entry(fp, len);
- if (!buf)
- goto bad;
key = malloc(len + 1);
if (!key)
goto bad;
- memcpy(key, buf, len);
+ rc = next_entry(key, fp, len);
+ if (rc < 0)
+ goto bad;
key[len] = 0;
if (len2) {
cladatum->comkey = malloc(len2 + 1);
if (!cladatum->comkey)
goto bad;
- buf = next_entry(fp, len2);
- if (!buf)
+ rc = next_entry(cladatum->comkey, fp, len2);
+ if (rc < 0)
goto bad;
- memcpy(cladatum->comkey, buf, len2);
cladatum->comkey[len2] = 0;
cladatum->comdatum = hashtab_search(p->p_commons.table,
@@ -1792,8 +1801,8 @@
|| (p->policy_type == POLICY_BASE
&& p->policyvers >= MOD_POLICYDB_VERSION_VALIDATETRANS)) {
/* grab the validatetrans rules */
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
goto bad;
ncons = le32_to_cpu(buf[0]);
if (read_cons_helper(p, &cladatum->validatetrans, ncons, 1, fp))
@@ -1816,27 +1825,27 @@
{
char *key = 0;
role_datum_t *role;
- uint32_t *buf;
+ uint32_t buf[2];
size_t len;
+ int rc;
role = calloc(1, sizeof(role_datum_t));
if (!role)
return -1;
- buf = next_entry(fp, sizeof(uint32_t) * 2);
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
goto bad;
len = le32_to_cpu(buf[0]);
role->s.value = le32_to_cpu(buf[1]);
- buf = next_entry(fp, len);
- if (!buf)
- goto bad;
key = malloc(len + 1);
if (!key)
goto bad;
- memcpy(key, buf, len);
+ rc = next_entry(key, fp, len);
+ if (rc < 0)
+ goto bad;
key[len] = 0;
if (ebitmap_read(&role->dominates, fp))
@@ -1877,19 +1886,20 @@
{
char *key = 0;
type_datum_t *typdatum;
- uint32_t *buf;
+ uint32_t buf[4];
size_t len;
+ int rc;
typdatum = calloc(1, sizeof(type_datum_t));
if (!typdatum)
return -1;
if (p->policy_type == POLICY_KERN) {
- buf = next_entry(fp, sizeof(uint32_t) * 3);
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
} else {
- buf = next_entry(fp, sizeof(uint32_t) * 4);
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 4);
}
- if (!buf)
+ if (rc < 0)
goto bad;
len = le32_to_cpu(buf[0]);
@@ -1901,13 +1911,12 @@
goto bad;
}
- buf = next_entry(fp, len);
- if (!buf)
- goto bad;
key = malloc(len + 1);
if (!key)
goto bad;
- memcpy(key, buf, len);
+ rc = next_entry(key, fp, len);
+ if (rc < 0)
+ goto bad;
key[len] = 0;
if (hashtab_insert(h, key, typdatum))
@@ -1923,11 +1932,12 @@
int role_trans_read(role_trans_t ** t, struct policy_file *fp)
{
unsigned int i;
- uint32_t *buf, nel;
+ uint32_t buf[3], nel;
role_trans_t *tr, *ltr;
+ int rc;
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
return -1;
nel = le32_to_cpu(buf[0]);
ltr = NULL;
@@ -1941,8 +1951,8 @@
} else {
*t = tr;
}
- buf = next_entry(fp, sizeof(uint32_t) * 3);
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
+ if (rc < 0)
return -1;
tr->role = le32_to_cpu(buf[0]);
tr->type = le32_to_cpu(buf[1]);
@@ -1955,11 +1965,12 @@
int role_allow_read(role_allow_t ** r, struct policy_file *fp)
{
unsigned int i;
- uint32_t *buf, nel;
+ uint32_t buf[2], nel;
role_allow_t *ra, *lra;
+ int rc;
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
return -1;
nel = le32_to_cpu(buf[0]);
lra = NULL;
@@ -1973,8 +1984,8 @@
} else {
*r = ra;
}
- buf = next_entry(fp, sizeof(uint32_t) * 2);
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
return -1;
ra->role = le32_to_cpu(buf[0]);
ra->new_role = le32_to_cpu(buf[1]);
@@ -1989,10 +2000,12 @@
unsigned int i, j;
size_t nel, len;
ocontext_t *l, *c;
- uint32_t *buf;
+ uint32_t buf[8];
+ int rc;
+
for (i = 0; i < info->ocon_num; i++) {
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
return -1;
nel = le32_to_cpu(buf[0]);
l = NULL;
@@ -2009,8 +2022,8 @@
l = c;
switch (i) {
case OCON_ISID:
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
return -1;
c->sid[0] = le32_to_cpu(buf[0]);
if (context_read_and_validate
@@ -2019,18 +2032,16 @@
break;
case OCON_FS:
case OCON_NETIF:
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
return -1;
len = le32_to_cpu(buf[0]);
- buf = next_entry(fp, len);
- if (!buf)
- return -1;
c->u.name = malloc(len + 1);
- if (!c->u.name) {
+ if (!c->u.name)
return -1;
- }
- memcpy(c->u.name, buf, len);
+ rc = next_entry(c->u.name, fp, len);
+ if (rc < 0)
+ return -1;
c->u.name[len] = 0;
if (context_read_and_validate
(&c->context[0], p, fp))
@@ -2040,8 +2051,8 @@
return -1;
break;
case OCON_PORT:
- buf = next_entry(fp, sizeof(uint32_t) * 3);
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
+ if (rc < 0)
return -1;
c->u.port.protocol = le32_to_cpu(buf[0]);
c->u.port.low_port = le32_to_cpu(buf[1]);
@@ -2051,8 +2062,8 @@
return -1;
break;
case OCON_NODE:
- buf = next_entry(fp, sizeof(uint32_t) * 2);
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
return -1;
c->u.node.addr = le32_to_cpu(buf[0]);
c->u.node.mask = le32_to_cpu(buf[1]);
@@ -2061,19 +2072,17 @@
return -1;
break;
case OCON_FSUSE:
- buf = next_entry(fp, sizeof(uint32_t) * 2);
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
return -1;
c->v.behavior = le32_to_cpu(buf[0]);
len = le32_to_cpu(buf[1]);
- buf = next_entry(fp, len);
- if (!buf)
- return -1;
c->u.name = malloc(len + 1);
- if (!c->u.name) {
+ if (!c->u.name)
return -1;
- }
- memcpy(c->u.name, buf, len);
+ rc = next_entry(c->u.name, fp, len);
+ if (rc < 0)
+ return -1;
c->u.name[len] = 0;
if (context_read_and_validate
(&c->context[0], p, fp))
@@ -2082,10 +2091,9 @@
case OCON_NODE6:{
int k;
- buf =
- next_entry(fp,
- sizeof(uint32_t) * 8);
- if (!buf)
+ rc = next_entry(buf, fp,
+ sizeof(uint32_t) * 8);
+ if (rc < 0)
return -1;
for (k = 0; k < 4; k++)
c->u.node6.addr[k] =
@@ -2109,36 +2117,37 @@
static int genfs_read(policydb_t * p, struct policy_file *fp)
{
- uint32_t *buf;
+ uint32_t buf[1];
size_t nel, nel2, len, len2;
genfs_t *genfs_p, *newgenfs, *genfs;
unsigned int i, j;
ocontext_t *l, *c, *newc = NULL;
+ int rc;
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
goto bad;
nel = le32_to_cpu(buf[0]);
genfs_p = NULL;
for (i = 0; i < nel; i++) {
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
goto bad;
len = le32_to_cpu(buf[0]);
newgenfs = calloc(1, sizeof(genfs_t));
if (!newgenfs)
goto bad;
- buf = next_entry(fp, len);
- if (!buf) {
+ newgenfs->fstype = malloc(len + 1);
+ if (!newgenfs->fstype) {
free(newgenfs);
goto bad;
}
- newgenfs->fstype = malloc(len + 1);
- if (!newgenfs->fstype) {
+ rc = next_entry(newgenfs->fstype, fp, len);
+ if (rc < 0) {
+ free(newgenfs->fstype);
free(newgenfs);
goto bad;
}
- memcpy(newgenfs->fstype, buf, len);
newgenfs->fstype[len] = 0;
for (genfs_p = NULL, genfs = p->genfs; genfs;
genfs_p = genfs, genfs = genfs->next) {
@@ -2157,8 +2166,8 @@
genfs_p->next = newgenfs;
else
p->genfs = newgenfs;
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
goto bad;
nel2 = le32_to_cpu(buf[0]);
for (j = 0; j < nel2; j++) {
@@ -2166,21 +2175,20 @@
if (!newc) {
goto bad;
}
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
goto bad;
len = le32_to_cpu(buf[0]);
- buf = next_entry(fp, len);
- if (!buf)
- goto bad;
newc->u.name = malloc(len + 1);
if (!newc->u.name) {
goto bad;
}
- memcpy(newc->u.name, buf, len);
+ rc = next_entry(newc->u.name, fp, len);
+ if (rc < 0)
+ goto bad;
newc->u.name[len] = 0;
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
goto bad;
newc->v.sclass = le32_to_cpu(buf[0]);
if (context_read_and_validate(&newc->context[0], p, fp))
@@ -2226,12 +2234,13 @@
*/
static int mls_read_level(mls_level_t * lp, struct policy_file *fp)
{
- uint32_t *buf;
+ uint32_t buf[1];
+ int rc;
mls_level_init(lp);
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf) {
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0) {
ERR(fp->handle, "truncated level");
goto bad;
}
@@ -2251,27 +2260,27 @@
{
char *key = 0;
user_datum_t *usrdatum;
- uint32_t *buf;
+ uint32_t buf[2];
size_t len;
+ int rc;
usrdatum = calloc(1, sizeof(user_datum_t));
if (!usrdatum)
return -1;
- buf = next_entry(fp, sizeof(uint32_t) * 2);
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
goto bad;
len = le32_to_cpu(buf[0]);
usrdatum->s.value = le32_to_cpu(buf[1]);
- buf = next_entry(fp, len);
- if (!buf)
- goto bad;
key = malloc(len + 1);
if (!key)
goto bad;
- memcpy(key, buf, len);
+ rc = next_entry(key, fp, len);
+ if (rc < 0)
+ goto bad;
key[len] = 0;
if (p->policy_type == POLICY_KERN) {
@@ -2332,27 +2341,27 @@
{
char *key = 0;
level_datum_t *levdatum;
- uint32_t *buf, len;
+ uint32_t buf[2], len;
+ int rc;
levdatum = malloc(sizeof(level_datum_t));
if (!levdatum)
return -1;
level_datum_init(levdatum);
- buf = next_entry(fp, (sizeof(uint32_t) * 2));
- if (!buf)
+ rc = next_entry(buf, fp, (sizeof(uint32_t) * 2));
+ if (rc < 0)
goto bad;
len = le32_to_cpu(buf[0]);
levdatum->isalias = le32_to_cpu(buf[1]);
- buf = next_entry(fp, len);
- if (!buf)
- goto bad;
key = malloc(len + 1);
if (!key)
goto bad;
- memcpy(key, buf, len);
+ rc = next_entry(key, fp, len);
+ if (rc < 0)
+ goto bad;
key[len] = 0;
levdatum->level = malloc(sizeof(mls_level_t));
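Review bot: `len` is declared `uint32_t` in this reader (`uint32_t buf[2], len;`), so in `key = malloc(len + 1);` a length of 0xFFFFFFFF taken from the file wraps to 0 in 32-bit arithmetic, and the following `next_entry(key, fp, len)` is then asked to fill that allocation with the full length; in the stdio case fread copies whatever remains of the file into it before reporting failure. Before this change the read came first, and the BUFSIZ limit inside next_entry() rejected such a length ahead of the malloc. Suggest rejecting an oversized `len` right after `le32_to_cpu(buf[0])`; the cat_datum reader in the next hunk has the same declaration and the same pattern.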
@@ -2375,28 +2384,28 @@
{
char *key = 0;
cat_datum_t *catdatum;
- uint32_t *buf, len;
+ uint32_t buf[3], len;
+ int rc;
catdatum = malloc(sizeof(cat_datum_t));
if (!catdatum)
return -1;
cat_datum_init(catdatum);
- buf = next_entry(fp, (sizeof(uint32_t) * 3));
- if (!buf)
+ rc = next_entry(buf, fp, (sizeof(uint32_t) * 3));
+ if (rc < 0)
goto bad;
len = le32_to_cpu(buf[0]);
catdatum->s.value = le32_to_cpu(buf[1]);
catdatum->isalias = le32_to_cpu(buf[2]);
- buf = next_entry(fp, len);
- if (!buf)
- goto bad;
key = malloc(len + 1);
if (!key)
goto bad;
- memcpy(key, buf, len);
+ rc = next_entry(key, fp, len);
+ if (rc < 0)
+ goto bad;
key[len] = 0;
if (hashtab_insert(h, key, catdatum))
@@ -2420,9 +2429,10 @@
__attribute__ ((unused)), struct policy_file *fp)
{
unsigned int i;
- uint32_t *buf, len;
+ uint32_t buf[2], len;
class_perm_node_t *cur, *tail = NULL;
avrule_t *avrule;
+ int rc;
avrule = (avrule_t *) malloc(sizeof(avrule_t));
if (!avrule)
@@ -2430,8 +2440,8 @@
avrule_init(avrule);
- buf = next_entry(fp, sizeof(uint32_t) * 2);
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
goto bad;
(avrule)->specified = le32_to_cpu(buf[0]);
@@ -2443,8 +2453,8 @@
if (type_set_read(&avrule->ttypes, fp))
goto bad;
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
goto bad;
len = le32_to_cpu(buf[0]);
@@ -2454,8 +2464,8 @@
goto bad;
class_perm_node_init(cur);
- buf = next_entry(fp, sizeof(uint32_t) * 2);
- if (!buf) {
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0) {
free(cur);
goto bad;
}
@@ -2482,15 +2492,16 @@
static int range_read(policydb_t * p, struct policy_file *fp)
{
- uint32_t *buf, nel;
+ uint32_t buf[2], nel;
range_trans_t *rt, *lrt;
range_trans_rule_t *rtr, *lrtr = NULL;
unsigned int i;
int new_rangetr = (p->policy_type == POLICY_KERN &&
p->policyvers >= POLICYDB_VERSION_RANGETRANS);
+ int rc;
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
return -1;
nel = le32_to_cpu(buf[0]);
lrt = NULL;
@@ -2502,14 +2513,14 @@
lrt->next = rt;
else
p->range_tr = rt;
- buf = next_entry(fp, (sizeof(uint32_t) * 2));
- if (!buf)
+ rc = next_entry(buf, fp, (sizeof(uint32_t) * 2));
+ if (rc < 0)
return -1;
rt->source_type = le32_to_cpu(buf[0]);
rt->target_type = le32_to_cpu(buf[1]);
if (new_rangetr) {
- buf = next_entry(fp, (sizeof(uint32_t)));
- if (!buf)
+ rc = next_entry(buf, fp, (sizeof(uint32_t)));
+ if (rc < 0)
return -1;
rt->target_class = le32_to_cpu(buf[0]);
} else
@@ -2578,12 +2589,13 @@
{
unsigned int i;
avrule_t *cur, *tail;
- uint32_t *buf, len;
+ uint32_t buf[1], len;
+ int rc;
*avrules = tail = NULL;
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf) {
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0) {
return -1;
}
len = le32_to_cpu(buf[0]);
@@ -2607,12 +2619,13 @@
static int role_trans_rule_read(role_trans_rule_t ** r, struct policy_file *fp)
{
- uint32_t *buf, nel;
+ uint32_t buf[1], nel;
unsigned int i;
role_trans_rule_t *tr, *ltr;
+ int rc;
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
return -1;
nel = le32_to_cpu(buf[0]);
ltr = NULL;
@@ -2635,8 +2648,8 @@
if (type_set_read(&tr->types, fp))
return -1;
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
return -1;
tr->new_role = le32_to_cpu(buf[0]);
ltr = tr;
@@ -2648,11 +2661,12 @@
static int role_allow_rule_read(role_allow_rule_t ** r, struct policy_file *fp)
{
unsigned int i;
- uint32_t *buf, nel;
+ uint32_t buf[1], nel;
role_allow_rule_t *ra, *lra;
+ int rc;
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
return -1;
nel = le32_to_cpu(buf[0]);
lra = NULL;
@@ -2683,12 +2697,13 @@
static int range_trans_rule_read(range_trans_rule_t ** r,
struct policy_file *fp)
{
- uint32_t *buf, nel;
+ uint32_t buf[2], nel;
unsigned int i;
range_trans_rule_t *rt, *lrt = NULL;
+ int rc;
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
return -1;
nel = le32_to_cpu(buf[0]);
for (i = 0; i < nel; i++) {
@@ -2725,15 +2740,17 @@
unsigned int num_scope_syms, struct policy_file *fp)
{
unsigned int i;
- uint32_t *buf;
+ uint32_t buf[1];
+ int rc;
+
for (i = 0; i < num_scope_syms; i++) {
if (ebitmap_read(scope_index->scope + i, fp) == -1) {
return -1;
}
}
- if ((buf = next_entry(fp, sizeof(uint32_t))) == NULL) {
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
return -1;
- }
scope_index->class_perms_len = le32_to_cpu(buf[0]);
if (scope_index->class_perms_len == 0) {
scope_index->class_perms_map = NULL;
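Review bot: the unchanged `if (ebitmap_read(scope_index->scope + i, fp) == -1)` at the top of this loop only recognises -1, while ebitmap_read() reports a malformed map as -EINVAL (see the `bad:` label in the ebitmap.c part of this patch), so, assuming its `out:` label returns `rc`, a rejected bitmap would be treated as success here. Since the function is being touched anyway, suggest testing `< 0` the same way the new `rc < 0` checks do.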
@@ -2755,11 +2772,13 @@
static int avrule_decl_read(policydb_t * p, avrule_decl_t * decl,
unsigned int num_scope_syms, struct policy_file *fp)
{
- uint32_t *buf, nprim, nel;
+ uint32_t buf[2], nprim, nel;
unsigned int i, j;
- if ((buf = next_entry(fp, sizeof(uint32_t) * 2)) == NULL) {
+ int rc;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
return -1;
- }
decl->decl_id = le32_to_cpu(buf[0]);
decl->enabled = le32_to_cpu(buf[1]);
if (cond_read_list(p, &decl->cond_list, fp) == -1 ||
@@ -2778,9 +2797,9 @@
}
for (i = 0; i < num_scope_syms; i++) {
- if ((buf = next_entry(fp, sizeof(uint32_t) * 2)) == NULL) {
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
return -1;
- }
nprim = le32_to_cpu(buf[0]);
nel = le32_to_cpu(buf[1]);
for (j = 0; j < nel; j++) {
@@ -2799,11 +2818,12 @@
struct policy_file *fp)
{
avrule_block_t *last_block = NULL, *curblock;
- uint32_t *buf, num_blocks, nel;
+ uint32_t buf[2], num_blocks, nel;
+ int rc;
- if ((buf = next_entry(fp, sizeof(uint32_t))) == NULL) {
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
return -1;
- }
num_blocks = le32_to_cpu(buf[0]);
nel = num_blocks;
while (num_blocks > 0) {
@@ -2812,8 +2832,8 @@
if ((curblock = calloc(1, sizeof(*curblock))) == NULL) {
return -1;
}
-
- if ((buf = next_entry(fp, sizeof(uint32_t))) == NULL) {
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0) {
free(curblock);
return -1;
}
@@ -2869,23 +2889,23 @@
static int scope_read(policydb_t * p, int symnum, struct policy_file *fp)
{
scope_datum_t *scope = NULL;
- uint32_t *buf;
+ uint32_t buf[2];
char *key = NULL;
size_t key_len;
unsigned int i;
hashtab_t h = p->scope[symnum].table;
+ int rc;
- if ((buf = next_entry(fp, sizeof(uint32_t))) == NULL) {
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
goto cleanup;
- }
key_len = le32_to_cpu(buf[0]);
- if ((buf = next_entry(fp, key_len)) == NULL) {
+ key = malloc(key_len + 1);
+ if (!key)
goto cleanup;
- }
- if ((key = malloc(key_len + 1)) == NULL) {
+ rc = next_entry(key, fp, key_len);
+ if (rc < 0)
goto cleanup;
- }
- memcpy(key, buf, key_len);
key[key_len] = '\0';
/* ensure that there already exists a symbol with this key */
@@ -2896,9 +2916,9 @@
if ((scope = calloc(1, sizeof(*scope))) == NULL) {
goto cleanup;
}
- if ((buf = next_entry(fp, sizeof(uint32_t) * 2)) == NULL) {
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
goto cleanup;
- }
scope->scope = le32_to_cpu(buf[0]);
scope->decl_ids_len = le32_to_cpu(buf[1]);
assert(scope->decl_ids_len > 0);
@@ -2906,12 +2926,11 @@
malloc(scope->decl_ids_len * sizeof(uint32_t))) == NULL) {
goto cleanup;
}
- if ((buf =
- next_entry(fp, sizeof(uint32_t) * scope->decl_ids_len)) == NULL) {
+ rc = next_entry(scope->decl_ids, fp, sizeof(uint32_t) * scope->decl_ids_len);
+ if (rc < 0)
goto cleanup;
- }
for (i = 0; i < scope->decl_ids_len; i++) {
- scope->decl_ids[i] = le32_to_cpu(buf[i]);
+ scope->decl_ids[i] = le32_to_cpu(scope->decl_ids[i]);
}
if (strcmp(key, "object_r") == 0 && h == p->p_roles_scope.table) {
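Review bot: `sizeof(uint32_t) * scope->decl_ids_len` is computed from a count read out of the file, and nothing bounds it now that next_entry() no longer caps `bytes`. Where size_t is 32 bits the product can wrap, in which case the malloc in the context above and this read agree on a small size while the `for (i = 0; i < scope->decl_ids_len; i++)` loop still walks the full count and rewrites `scope->decl_ids[i]` past the end of the allocation. Suggest checking `decl_ids_len` against a maximum (or against SIZE_MAX / sizeof(uint32_t)) before the malloc.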
@@ -2938,18 +2957,19 @@
{
unsigned int i, j, r_policyvers;
- uint32_t *buf, config;
+ uint32_t buf[5], config;
size_t len, nprim, nel;
char *policydb_str, *target_str = NULL;
struct policydb_compat_info *info;
unsigned int policy_type, bufindex;
ebitmap_node_t *tnode;
+ int rc;
config = 0;
/* Read the magic number and string length. */
- buf = next_entry(fp, sizeof(uint32_t) * 2);
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
return POLICYDB_ERROR;
for (i = 0; i < 2; i++)
buf[i] = le32_to_cpu(buf[i]);
@@ -2974,18 +2994,18 @@
return POLICYDB_ERROR;
}
- buf = next_entry(fp, len);
- if (!buf) {
- ERR(fp->handle, "truncated policydb string identifier");
- return POLICYDB_ERROR;
- }
policydb_str = malloc(len + 1);
if (!policydb_str) {
ERR(fp->handle, "unable to allocate memory for policydb "
"string of length %zu", len);
return POLICYDB_ERROR;
}
- memcpy(policydb_str, buf, len);
+ rc = next_entry(policydb_str, fp, len);
+ if (rc < 0) {
+ ERR(fp->handle, "truncated policydb string identifier");
+ free(policydb_str);
+ return POLICYDB_ERROR;
+ }
policydb_str[len] = 0;
if (strcmp(policydb_str, target_str)) {
ERR(fp->handle, "policydb string %s does not match "
@@ -3003,8 +3023,8 @@
else
nel = 5;
- buf = next_entry(fp, sizeof(uint32_t) * nel);
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t) * nel);
+ if (rc < 0)
return POLICYDB_ERROR;
for (i = 0; i < nel; i++)
buf[i] = le32_to_cpu(buf[i]);
@@ -3077,35 +3097,33 @@
if (p->policy_type == POLICY_MOD) {
/* Get the module name and version */
- if ((buf = next_entry(fp, sizeof(uint32_t))) == NULL) {
+ if ((rc = next_entry(buf, fp, sizeof(uint32_t))) < 0) {
goto bad;
}
len = le32_to_cpu(buf[0]);
- if ((buf = next_entry(fp, len)) == NULL) {
+ if ((p->name = malloc(len + 1)) == NULL) {
goto bad;
}
- if ((p->name = malloc(len + 1)) == NULL) {
+ if ((rc = next_entry(p->name, fp, len)) < 0) {
goto bad;
}
- memcpy(p->name, buf, len);
p->name[len] = '\0';
- if ((buf = next_entry(fp, sizeof(uint32_t))) == NULL) {
+ if ((rc = next_entry(buf, fp, sizeof(uint32_t))) < 0) {
goto bad;
}
len = le32_to_cpu(buf[0]);
- if ((buf = next_entry(fp, len)) == NULL) {
+ if ((p->version = malloc(len + 1)) == NULL) {
goto bad;
}
- if ((p->version = malloc(len + 1)) == NULL) {
+ if ((rc = next_entry(p->version, fp, len)) < 0) {
goto bad;
}
- memcpy(p->version, buf, len);
p->version[len] = '\0';
}
for (i = 0; i < info->sym_num; i++) {
- buf = next_entry(fp, sizeof(uint32_t) * 2);
- if (!buf)
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
goto bad;
nprim = le32_to_cpu(buf[0]);
nel = le32_to_cpu(buf[1]);
@@ -3135,7 +3153,7 @@
goto bad;
}
for (i = 0; i < info->sym_num; i++) {
- if ((buf = next_entry(fp, sizeof(uint32_t))) == NULL) {
+ if ((rc = next_entry(buf, fp, sizeof(uint32_t))) < 0) {
goto bad;
}
nel = le32_to_cpu(buf[0]);
Index: trunk/libsepol/src/private.h
===================================================================
--- trunk/libsepol/src/private.h (revision 2520)
+++ trunk/libsepol/src/private.h (working copy)
@@ -27,6 +27,8 @@
#undef min
#define min(a,b) (((a) < (b)) ? (a) : (b))
+#define ARRAY_SIZE(x) (sizeof(x)/sizeof((x)[0]))
+
/* Policy compatibility information. */
struct policydb_compat_info {
unsigned int type;
@@ -39,31 +41,27 @@
unsigned int type);
/* Reading from a policy "file". */
-static inline void *next_entry(struct policy_file *fp, size_t bytes)
+static inline int next_entry(void *buf, struct policy_file *fp, size_t bytes)
{
- static unsigned char buffer[BUFSIZ];
size_t nread;
- if (bytes > sizeof buffer)
- return NULL;
-
switch (fp->type) {
case PF_USE_STDIO:
- nread = fread(buffer, bytes, 1, fp->fp);
+ nread = fread(buf, bytes, 1, fp->fp);
if (nread != 1)
- return NULL;
+ return -1;
break;
case PF_USE_MEMORY:
if (bytes > fp->len)
- return NULL;
- memcpy(buffer, fp->data, bytes);
+ return -1;
+ memcpy(buf, fp->data, bytes);
fp->data += bytes;
fp->len -= bytes;
break;
default:
- return NULL;
+ return -1;
}
- return buffer;
+ return 0;
}
static inline size_t put_entry(const void *ptr, size_t size, size_t n,
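Review bot: next_entry() no longer has any bound on `bytes`: the `if (bytes > sizeof buffer) return NULL;` check is dropped and the destination is now supplied by the caller, so every call site has to guarantee that `buf` can hold `bytes`, and several callers in this patch pass a length read straight from the policy file. In the PF_USE_STDIO branch `fread(buf, bytes, 1, fp->fp)` can also store part of the item in `buf` before it reports failure, so a -1 return does not mean the destination was left untouched. Suggest a comment on the function stating this contract, plus a sanity limit on file-derived lengths at the call sites (or a capacity argument), so the implicit BUFSIZ cap that existed before is not lost silently.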
Index: trunk/libsepol/src/ebitmap.c
===================================================================
--- trunk/libsepol/src/ebitmap.c (revision 2520)
+++ trunk/libsepol/src/ebitmap.c (working copy)
@@ -265,16 +265,16 @@
int ebitmap_read(ebitmap_t * e, void *fp)
{
- int rc = -EINVAL;
+ int rc;
ebitmap_node_t *n, *l;
- uint32_t *buf, mapsize, count, i;
+ uint32_t buf[3], mapsize, count, i;
uint64_t map;
ebitmap_init(e);
- buf = next_entry(fp, sizeof(uint32_t) * 3);
- if (!buf)
- goto out;
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
+ if (rc < 0)
+ goto bad;
mapsize = le32_to_cpu(buf[0]);
e->highbit = le32_to_cpu(buf[1]);
@@ -284,7 +284,7 @@
printf
("security: ebitmap: map size %d does not match my size %zu (high bit was %d)\n",
mapsize, MAPSIZE, e->highbit);
- goto out;
+ goto bad;
}
if (!e->highbit) {
e->node = NULL;
@@ -298,8 +298,8 @@
}
l = NULL;
for (i = 0; i < count; i++) {
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf) {
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0) {
printf("security: ebitmap: truncated map\n");
goto bad;
}
@@ -325,12 +325,11 @@
n->startbit, (e->highbit - MAPSIZE));
goto bad_free;
}
- buf = next_entry(fp, sizeof(uint64_t));
- if (!buf) {
+ rc = next_entry(&map, fp, sizeof(uint64_t));
+ if (rc < 0) {
printf("security: ebitmap: truncated map\n");
goto bad_free;
}
- memcpy(&map, buf, sizeof(uint64_t));
n->map = le64_to_cpu(map);
if (!n->map) {
@@ -360,6 +359,8 @@
bad_free:
free(n);
bad:
+ if (!rc)
+ rc = -EINVAL;
ebitmap_destroy(e);
goto out;
}
Index: trunk/libsepol/src/module.c
===================================================================
--- trunk/libsepol/src/module.c (revision 2520)
+++ trunk/libsepol/src/module.c (working copy)
@@ -326,7 +326,7 @@
static int read_helper(char *buf, struct policy_file *file, uint32_t bytes)
{
uint32_t offset, nel, read_len;
- void *tmp;
+ int rc;
offset = 0;
nel = bytes;
@@ -336,10 +336,9 @@
read_len = nel;
else
read_len = _read_helper_bufsize;
- tmp = next_entry(file, read_len);
- if (!tmp)
+ rc = next_entry(&buf[offset], file, read_len);
+ if (rc < 0)
return -1;
- memcpy(&buf[offset], tmp, read_len);
offset += read_len;
nel -= read_len;
}
@@ -354,11 +353,13 @@
struct policy_file *file,
size_t ** offsets, uint32_t * sections)
{
- uint32_t *buf, nsec;
+ uint32_t buf[3], nsec;
unsigned i;
+ size_t *off;
+ int rc;
- buf = next_entry(file, sizeof(uint32_t) * 3);
- if (!buf) {
+ rc = next_entry(buf, file, sizeof(uint32_t) * 3);
+ if (rc < 0) {
ERR(file->handle, "module package header truncated");
return -1;
}
@@ -378,29 +379,31 @@
return -1;
}
- *offsets = (size_t *) malloc((nsec + 1) * sizeof(size_t));
- if (!*offsets) {
+ off = (size_t *) malloc((nsec + 1) * sizeof(size_t));
+ if (!off) {
ERR(file->handle, "out of memory");
return -1;
}
- buf = next_entry(file, sizeof(uint32_t) * nsec);
- if (!buf) {
+ rc = next_entry(off, file, sizeof(uint32_t) * nsec);
+ if (rc < 0) {
ERR(file->handle, "module package offset array truncated");
return -1;
}
for (i = 0; i < nsec; i++) {
- (*offsets)[i] = le32_to_cpu(buf[i]);
- if (i && (*offsets)[i] < (*offsets)[i - 1]) {
+ off[i] = le32_to_cpu(off[i]);
+ if (i && off[i] < off[i - 1]) {
ERR(file->handle, "offsets are not increasing (at %u, "
- "offset %zu -> %zu", i, (*offsets)[i - 1],
- (*offsets)[i]);
+ "offset %zu -> %zu", i, off[i - 1],
+ off[i]);
return -1;
}
}
- (*offsets)[nsec] = policy_file_length(file);
+
+ off[nsec] = policy_file_length(file);
+ *offsets = off;
return 0;
}
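Review bot: `off` is a `size_t *`, but `next_entry(off, file, sizeof(uint32_t) * nsec)` fills it with packed 32-bit values and the loop then converts them in place with `off[i] = le32_to_cpu(off[i])`. Where size_t is wider than 32 bits each `off[i]` spans two file entries and the upper part of the array is never written, so the offsets come out wrong; the old code avoided this by reading through a `uint32_t *buf` and widening on assignment. Suggest reading into a temporary `uint32_t` array and assigning element by element. Separately, the two `return -1` paths after the malloc now leak `off`, because the pointer is only stored in `*offsets` on success.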
@@ -415,9 +418,9 @@
struct sepol_policy_file *spf, int verbose)
{
struct policy_file *file = &spf->pf;
- uint32_t *buf, nsec;
+ uint32_t buf[5], nsec;
size_t *offsets, len;
- int retval = -1;
+ int rc;
unsigned i, seen = 0;
if (module_package_read_offsets(mod, file, &offsets, &nsec))
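Review bot: `size_t *offsets` is left uninitialized in this function, and after this patch module_package_read_offsets() only stores to `*offsets` on success. If the failure branch of the call on the last line of this hunk reaches `cleanup:`, `free(offsets)` would act on an indeterminate pointer. Suggest `size_t *offsets = NULL, len;`, matching the `size_t *offsets = NULL;` already used in sepol_module_package_info().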
@@ -442,8 +445,8 @@
}
/* read the magic number, so that we know which function to call */
- buf = next_entry(file, sizeof(uint32_t));
- if (!buf) {
+ rc = next_entry(buf, file, sizeof(uint32_t));
+ if (rc < 0) {
ERR(file->handle,
"module package section %u truncated, lacks magic number",
i);
@@ -565,8 +568,8 @@
if (policy_file_seek(file, offsets[i]))
goto cleanup;
- retval = policydb_read(&mod->policy->p, file, verbose);
- if (retval < 0) {
+ rc = policydb_read(&mod->policy->p, file, verbose);
+ if (rc < 0) {
ERR(file->handle,
"invalid module in module package (at section %u)",
i);
@@ -593,7 +596,7 @@
cleanup:
free(offsets);
- return retval;
+ return -1;
}
int sepol_module_package_info(struct sepol_policy_file *spf, int *type,
@@ -601,9 +604,11 @@
{
struct policy_file *file = &spf->pf;
sepol_module_package_t *mod = NULL;
- uint32_t *buf, len, nsec;
+ uint32_t buf[5], len, nsec;
size_t *offsets = NULL;
unsigned i, seen = 0;
+ char *id;
+ int rc;
if (sepol_module_package_create(&mod))
return -1;
@@ -630,8 +635,8 @@
}
/* read the magic number, so that we know which function to call */
- buf = next_entry(file, sizeof(uint32_t) * 2);
- if (!buf) {
+ rc = next_entry(buf, file, sizeof(uint32_t) * 2);
+ if (rc < 0) {
ERR(file->handle,
"module package section %u truncated, lacks magic number",
i);
@@ -695,16 +700,24 @@
}
/* skip id */
- buf = next_entry(file, len);
- if (!buf) {
+ id = malloc(len + 1);
+ if (!id) {
ERR(file->handle,
+ "out of memory (at section %u)",
+ i);
+ goto cleanup;
+ }
+ rc = next_entry(id, file, len);
+ free(id);
+ if (rc < 0) {
+ ERR(file->handle,
"cannot get module string (at section %u)",
i);
goto cleanup;
}
-
- buf = next_entry(file, sizeof(uint32_t) * 5);
- if (!buf) {
+
+ rc = next_entry(buf, file, sizeof(uint32_t) * 5);
+ if (rc < 0) {
ERR(file->handle,
"cannot get module header (at section %u)",
i);
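Review bot: the id string is only being skipped, yet `id = malloc(len + 1)` sizes a heap buffer from the id length, reads into it and frees it again; `len` is declared `uint32_t` in this function, so `len + 1` also wraps to 0 for 0xFFFFFFFF. Suggest skipping without a length-sized allocation, for example by reading through a small fixed scratch buffer in a loop the way read_helper() chunks its reads, and rejecting an implausible `len` first.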
@@ -726,49 +739,47 @@
}
/* read the name and version */
- buf = next_entry(file, sizeof(uint32_t));
- if (!buf) {
+ rc = next_entry(buf, file, sizeof(uint32_t));
+ if (rc < 0) {
ERR(file->handle,
"cannot get module name len (at section %u)",
i);
goto cleanup;
}
len = le32_to_cpu(buf[0]);
- buf = next_entry(file, len);
- if (!buf) {
- ERR(file->handle,
- "cannot get module name string (at section %u)",
- i);
- goto cleanup;
- }
*name = malloc(len + 1);
if (!*name) {
ERR(file->handle, "out of memory");
goto cleanup;
}
- memcpy(*name, buf, len);
- (*name)[len] = '\0';
- buf = next_entry(file, sizeof(uint32_t));
- if (!buf) {
+ rc = next_entry(*name, file, len);
+ if (rc < 0) {
ERR(file->handle,
- "cannot get module version len (at section %u)",
+ "cannot get module name string (at section %u)",
i);
goto cleanup;
}
- len = le32_to_cpu(buf[0]);
- buf = next_entry(file, len);
- if (!buf) {
+ (*name)[len] = '\0';
+ rc = next_entry(buf, file, sizeof(uint32_t));
+ if (rc < 0) {
ERR(file->handle,
- "cannot get module version string (at section %u)",
+ "cannot get module version len (at section %u)",
i);
goto cleanup;
}
+ len = le32_to_cpu(buf[0]);
*version = malloc(len + 1);
if (!*version) {
ERR(file->handle, "out of memory");
goto cleanup;
}
- memcpy(*version, buf, len);
+ rc = next_entry(*version, file, len);
+ if (rc < 0) {
+ ERR(file->handle,
+ "cannot get module version string (at section %u)",
+ i);
+ goto cleanup;
+ }
(*version)[len] = '\0';
seen |= SEEN_MOD;
break;
Index: trunk/libsepol/src/avtab.c
===================================================================
--- trunk/libsepol/src/avtab.c (revision 2520)
+++ trunk/libsepol/src/avtab.c (working copy)
@@ -337,8 +337,8 @@
int (*insertf) (avtab_t * a, avtab_key_t * k,
avtab_datum_t * d, void *p), void *p)
{
- uint16_t *buf16, enabled;
- uint32_t *buf32, items, items2, val;
+ uint16_t buf16[4], enabled;
+ uint32_t buf32[7], items, items2, val;
avtab_key_t key;
avtab_datum_t datum;
unsigned set;
@@ -349,20 +349,20 @@
memset(&datum, 0, sizeof(avtab_datum_t));
if (vers < POLICYDB_VERSION_AVTAB) {
- buf32 = next_entry(fp, sizeof(uint32_t));
- if (!buf32) {
+ rc = next_entry(buf32, fp, sizeof(uint32_t));
+ if (rc < 0) {
ERR(fp->handle, "truncated entry");
return -1;
}
items2 = le32_to_cpu(buf32[0]);
- if (items2 < 5 || items2 > 8) {
+ if (items2 < 5 || items2 > ARRAY_SIZE(buf32)) {
ERR(fp->handle, "invalid item count");
return -1;
}
- buf32 = next_entry(fp, sizeof(uint32_t) * items2);
- if (!buf32) {
+ rc = next_entry(buf32, fp, sizeof(uint32_t) * items2);
+ if (rc < 0) {
ERR(fp->handle, "truncated entry");
return -1;
}
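Review bot: replacing the literal 8 with `ARRAY_SIZE(buf32)` in `if (items2 < 5 || items2 > ARRAY_SIZE(buf32))` keeps the second read inside the buffer, but with `uint32_t buf32[7]` it also lowers the accepted maximum from 8 items to 7, which changes which old-format entries are accepted and is not mentioned in the patch description. Suggest a short comment at the declaration, or a line in the changelog, saying why 7 is the correct limit, so the array is not later resized without the validation consequence being noticed.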
@@ -400,7 +400,7 @@
return -1;
}
- for (i = 0; i < sizeof(spec_order) / sizeof(uint16_t); i++) {
+ for (i = 0; i < ARRAY_SIZE(spec_order); i++) {
if (val & spec_order[i]) {
key.specified = spec_order[i] | enabled;
datum.data = le32_to_cpu(buf32[items++]);
@@ -418,8 +418,8 @@
return 0;
}
- buf16 = next_entry(fp, sizeof(uint16_t) * 4);
- if (!buf16) {
+ rc = next_entry(buf16, fp, sizeof(uint16_t) * 4);
+ if (rc < 0) {
ERR(fp->handle, "truncated entry");
return -1;
}
@@ -430,7 +430,7 @@
key.specified = le16_to_cpu(buf16[items++]);
set = 0;
- for (i = 0; i < sizeof(spec_order) / sizeof(uint16_t); i++) {
+ for (i = 0; i < ARRAY_SIZE(spec_order); i++) {
if (key.specified & spec_order[i])
set++;
}
@@ -439,8 +439,8 @@
return -1;
}
- buf32 = next_entry(fp, sizeof(uint32_t));
- if (!buf32) {
+ rc = next_entry(buf32, fp, sizeof(uint32_t));
+ if (rc < 0) {
ERR(fp->handle, "truncated entry");
return -1;
}
@@ -458,11 +458,11 @@
{
unsigned int i;
int rc;
- uint32_t *buf;
+ uint32_t buf[1];
uint32_t nel;
- buf = next_entry(fp, sizeof(uint32_t));
- if (!buf) {
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0) {
ERR(fp->handle, "truncated table");
goto bad;
}
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [patch] libsepol: eliminate unaligned accesses (Was: Re: wrong magic number (using old sources))
2007-08-21 17:05 ` [patch] libsepol: eliminate unaligned accesses (Was: Re: wrong magic number (using old sources)) Stephen Smalley
@ 2007-08-21 19:21 ` Eric Paris
2007-08-21 19:33 ` Stephen Smalley
2007-08-23 15:08 ` Stephen Smalley
1 sibling, 1 reply; 19+ messages in thread
From: Eric Paris @ 2007-08-21 19:21 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux770, selinux, Joshua Brindle, Karl MacMillan
Not sure why I went over this patch, but looks pretty good. 5 or so
comments inline.
*****policydb.c
> @@ -2683,12 +2697,13 @@
> static int range_trans_rule_read(range_trans_rule_t ** r,
> struct policy_file *fp)
> {
> - uint32_t *buf, nel;
> + uint32_t buf[2], nel;
why buf[2] ? looks like buf[1] would suffice.
> unsigned int i;
> range_trans_rule_t *rt, *lrt = NULL;
> + int rc;
>
> - buf = next_entry(fp, sizeof(uint32_t));
> - if (!buf)
> + rc = next_entry(buf, fp, sizeof(uint32_t));
> + if (rc < 0)
> return -1;
> nel = le32_to_cpu(buf[0]);
> for (i = 0; i < nel; i++) {
> @@ -2799,11 +2818,12 @@
> struct policy_file *fp)
> {
> avrule_block_t *last_block = NULL, *curblock;
> - uint32_t *buf, num_blocks, nel;
> + uint32_t buf[2], num_blocks, nel;
Another why buf[2]
> + int rc;
>
> - if ((buf = next_entry(fp, sizeof(uint32_t))) == NULL) {
> + rc = next_entry(buf, fp, sizeof(uint32_t));
> + if (rc < 0)
> return -1;
> - }
> num_blocks = le32_to_cpu(buf[0]);
> nel = num_blocks;
> while (num_blocks > 0) {
******module.c
> @@ -415,9 +418,9 @@
> struct sepol_policy_file *spf, int verbose)
> {
> struct policy_file *file = &spf->pf;
> - uint32_t *buf, nsec;
> + uint32_t buf[5], nsec;
why buf[5] isn't 1 enough here?
> size_t *offsets, len;
> - int retval = -1;
> + int rc;
> unsigned i, seen = 0;
>
> if (module_package_read_offsets(mod, file, &offsets, &nsec))
> @@ -593,7 +596,7 @@
>
> cleanup:
> free(offsets);
> - return retval;
> + return -1;
why throw away rc? just generally useless here?
> }
> int sepol_module_package_info(struct sepol_policy_file *spf, int *type,
> Index: trunk/libsepol/src/avtab.c
> ===================================================================
> --- trunk/libsepol/src/avtab.c (revision 2520)
> +++ trunk/libsepol/src/avtab.c (working copy)
> @@ -337,8 +337,8 @@
> int (*insertf) (avtab_t * a, avtab_key_t * k,
> avtab_datum_t * d, void *p), void *p)
> {
> - uint16_t *buf16, enabled;
> - uint32_t *buf32, items, items2, val;
> + uint16_t buf16[4], enabled;
> + uint32_t buf32[7], items, items2, val;
looks like buf32 was allowed to be up to 8 but now only 7. Just know
something about how this will be used that you know 7 is enough? I
didn't dig into it.
> avtab_key_t key;
> avtab_datum_t datum;
> unsigned set;
> @@ -349,20 +349,20 @@
> memset(&datum, 0, sizeof(avtab_datum_t));
>
> if (vers < POLICYDB_VERSION_AVTAB) {
> - buf32 = next_entry(fp, sizeof(uint32_t));
> - if (!buf32) {
> + rc = next_entry(buf32, fp, sizeof(uint32_t));
> + if (rc < 0) {
> ERR(fp->handle, "truncated entry");
> return -1;
> }
> items2 = le32_to_cpu(buf32[0]);
>
> - if (items2 < 5 || items2 > 8) {
> + if (items2 < 5 || items2 > ARRAY_SIZE(buf32)) {
> ERR(fp->handle, "invalid item count");
> return -1;
> }
>
> - buf32 = next_entry(fp, sizeof(uint32_t) * items2);
> - if (!buf32) {
> + rc = next_entry(buf32, fp, sizeof(uint32_t) * items2);
> + if (rc < 0) {
> ERR(fp->handle, "truncated entry");
> return -1;
> }
* Re: [patch] libsepol: eliminate unaligned accesses (Was: Re: wrong magic number (using old sources))
2007-08-21 19:21 ` Eric Paris
@ 2007-08-21 19:33 ` Stephen Smalley
0 siblings, 0 replies; 19+ messages in thread
From: Stephen Smalley @ 2007-08-21 19:33 UTC (permalink / raw)
To: Eric Paris; +Cc: selinux770, selinux, Joshua Brindle, Karl MacMillan
On Tue, 2007-08-21 at 15:21 -0400, Eric Paris wrote:
> Not sure why I went over this patch, but looks pretty good. 5 or so
> comments inline.
>
>
> *****policydb.c
> > @@ -2683,12 +2697,13 @@
> > static int range_trans_rule_read(range_trans_rule_t ** r,
> > struct policy_file *fp)
> > {
> > - uint32_t *buf, nel;
> > + uint32_t buf[2], nel;
>
> why buf[2] ? looks like buf[1] would suffice.
True, fixed. Cut-and-paste.
> > unsigned int i;
> > range_trans_rule_t *rt, *lrt = NULL;
> > + int rc;
> >
> > - buf = next_entry(fp, sizeof(uint32_t));
> > - if (!buf)
> > + rc = next_entry(buf, fp, sizeof(uint32_t));
> > + if (rc < 0)
> > return -1;
> > nel = le32_to_cpu(buf[0]);
> > for (i = 0; i < nel; i++) {
>
>
>
> > @@ -2799,11 +2818,12 @@
> > struct policy_file *fp)
> > {
> > avrule_block_t *last_block = NULL, *curblock;
> > - uint32_t *buf, num_blocks, nel;
> > + uint32_t buf[2], num_blocks, nel;
>
> Another why buf[2]
Ditto.
>
> > + int rc;
> >
> > - if ((buf = next_entry(fp, sizeof(uint32_t))) == NULL) {
> > + rc = next_entry(buf, fp, sizeof(uint32_t));
> > + if (rc < 0)
> > return -1;
> > - }
> > num_blocks = le32_to_cpu(buf[0]);
> > nel = num_blocks;
> > while (num_blocks > 0) {
>
>
>
> ******module.c
> > @@ -415,9 +418,9 @@
> > struct sepol_policy_file *spf, int verbose)
> > {
> > struct policy_file *file = &spf->pf;
> > - uint32_t *buf, nsec;
> > + uint32_t buf[5], nsec;
>
> why buf[5] isn't 1 enough here?
Ditto.
>
> > size_t *offsets, len;
> > - int retval = -1;
> > + int rc;
> > unsigned i, seen = 0;
> >
> > if (module_package_read_offsets(mod, file, &offsets, &nsec))
>
>
> > @@ -593,7 +596,7 @@
> >
> > cleanup:
> > free(offsets);
> > - return retval;
> > + return -1;
> why throw away rc? just generally useless here?
rc gets overwritten as we read each section of the package, and we want
to ensure that we don't ultimately return success when we failed. And
it wasn't useful to preserve a distinct return value anyway.
> > }
> > int sepol_module_package_info(struct sepol_policy_file *spf, int *type,
>
>
>
> > Index: trunk/libsepol/src/avtab.c
> > ===================================================================
> > --- trunk/libsepol/src/avtab.c (revision 2520)
> > +++ trunk/libsepol/src/avtab.c (working copy)
> > @@ -337,8 +337,8 @@
> > int (*insertf) (avtab_t * a, avtab_key_t * k,
> > avtab_datum_t * d, void *p), void *p)
> > {
> > - uint16_t *buf16, enabled;
> > - uint32_t *buf32, items, items2, val;
> > + uint16_t buf16[4], enabled;
> > + uint32_t buf32[7], items, items2, val;
>
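Review bot: The sizes in `uint16_t buf16[4]` and `uint32_t buf32[7]` are bare numbers, and because next_entry now copies into these arrays they are the limit on how much any read in this function may request. A comment naming the on-disk entry layout that needs 4 and 7 elements, or named constants shared with the length arguments, would let a reader check each call against the array it fills.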
> looks like buf32 was allowed to be up to 8 but now only 7. Just know
> something about how this will be used that you know 7 is enough? I
> didn't dig into it.
The old code was wrong (and the new code is consistent with the kernel).
--
Stephen Smalley
National Security Agency
* Re: [patch] libsepol: eliminate unaligned accesses (Was: Re: wrong magic number (using old sources))
From: Stephen Smalley @ 2007-08-23 15:08 UTC (permalink / raw)
To: selinux770; +Cc: selinux, Joshua Brindle, Karl MacMillan
On Tue, 2007-08-21 at 13:05 -0400, Stephen Smalley wrote:
> Full patch follows, replaces the prior short term one.
>
> Rewrite libsepol next_entry function and all callers to copy entry data
> from the binary policy into properly aligned buffers, eliminating
> unaligned accesses, just as I did for the kernel back in 2004,
> http://marc.info/?l=selinux&m=110252376515271&w=2
>
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
I merged the updated version of this patch to trunk and stable (the
latter since it is a bug fix).
Note that this would ultimately have to get merged to policyrep as well,
although it no doubt conflicts with your patches removing the module
support from libsepol.
--
Stephen Smalley
National Security Agency
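The copy-based read that the patch description above refers to, as an added example that is not libsepol's code and not part of the original mail. Every `demo_` name, the struct layout and the sample image are assumptions made for illustration; only the call shape `next_entry(buf, fp, bytes)` with a negative return on failure is taken from the quoted hunks.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical in-memory policy image (not libsepol's struct policy_file). */
struct demo_file { const unsigned char *data; size_t len; };

/* Copy `bytes` into the caller's aligned buffer; -1 if the image is short. */
static int demo_next_entry(void *buf, struct demo_file *fp, size_t bytes)
{
    if (bytes > fp->len)
        return -1;
    memcpy(buf, fp->data, bytes);
    fp->data += bytes;
    fp->len -= bytes;
    return 0;
}

/* Decode a little-endian value held in an aligned uint32_t, on any host. */
static uint32_t demo_le32_to_cpu(uint32_t v)
{
    unsigned char b[4];
    memcpy(b, &v, sizeof(b));
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 |
           (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* Constructed sample: tag byte, u32 count = 2, values 5 and 7. The tag byte
 * leaves every u32 at an odd offset, which a pointer cast could misread or
 * fault on, depending on the CPU. */
static const unsigned char demo_img[] = {
    0xAA, 2, 0, 0, 0, 5, 0, 0, 0, 7, 0, 0, 0 };

/* Sum the record's values; -1 if the count overruns the data present. */
static long demo_sum_record(const unsigned char *img, size_t len)
{
    struct demo_file f = { img, len };
    unsigned char tag;
    uint32_t buf[1], nel, i;
    long sum = 0;
    if (demo_next_entry(&tag, &f, 1) < 0 || demo_next_entry(buf, &f, sizeof(buf)) < 0)
        return -1;
    nel = demo_le32_to_cpu(buf[0]);
    for (i = 0; i < nel; i++) {
        if (demo_next_entry(buf, &f, sizeof(buf)) < 0)
            return -1; /* count claims more entries than the image holds */
        sum += demo_le32_to_cpu(buf[0]);
    }
    return sum;
}
```

Passing `sizeof(buf)` as the length keeps each copy tied to the array it fills, and the per-iteration check is what stops a count larger than the remaining data.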