* [PATCH userspace] libsepol/cil: fix signed overflow caused by using (1 << 31) - 1
@ 2020-10-03 13:19 Nicolas Iooss
2020-10-14 18:01 ` Petr Lautrbach
0 siblings, 1 reply; 3+ messages in thread
From: Nicolas Iooss @ 2020-10-03 13:19 UTC (permalink / raw)
To: selinux
When compiling SELinux userspace tools with -ftrapv (this option
generates traps for signed overflow on addition, subtraction,
multiplication operations, instead of silently wrapping around),
semodule crashes when running the tests from
scripts/ci/fedora-test-runner.sh in a Fedora 32 virtual machine:
[root@localhost selinux-testsuite]# make test
make -C policy load
make[1]: Entering directory '/root/selinux-testsuite/policy'
# Test for "expand-check = 0" in /etc/selinux/semanage.conf
# General policy build
make[2]: Entering directory '/root/selinux-testsuite/policy/test_policy'
Compiling targeted test_policy module
Creating targeted test_policy.pp policy package
rm tmp/test_policy.mod.fc
make[2]: Leaving directory '/root/selinux-testsuite/policy/test_policy'
# General policy load
domain_fd_use --> off
/usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil test_overlay_defaultrange.cil test_add_levels.cil test_glblub.cil
make[1]: *** [Makefile:174: load] Aborted (core dumped)
Using "coredumpctl gdb" leads to the following strack trace:
(gdb) bt
#0 0x00007f608fe4fa25 in raise () from /lib64/libc.so.6
#1 0x00007f608fe38895 in abort () from /lib64/libc.so.6
#2 0x00007f6090028aca in __addvsi3.cold () from /lib64/libsepol.so.1
#3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
at ../cil/src/cil_binary.c:1551
#4 0x00007f60900970dd in __cil_permx_bitmap_to_sepol_xperms_list (xperms=0xb650a30, xperms_list=0x7ffce2653b18)
at ../cil/src/cil_binary.c:1596
#5 0x00007f6090097286 in __cil_avrulex_ioctl_to_policydb (k=0xb8ec200 "@\023\214\022\006", datum=0xb650a30,
args=0x239a640) at ../cil/src/cil_binary.c:1649
#6 0x00007f609003f1e5 in hashtab_map (h=0x41f8710, apply=0x7f60900971da <__cil_avrulex_ioctl_to_policydb>,
args=0x239a640) at hashtab.c:234
#7 0x00007f609009ea19 in cil_binary_create_allocated_pdb (db=0x2394f10, policydb=0x239a640)
at ../cil/src/cil_binary.c:4969
#8 0x00007f609009d19d in cil_binary_create (db=0x2394f10, policydb=0x7ffce2653d30) at ../cil/src/cil_binary.c:4329
#9 0x00007f609008ec23 in cil_build_policydb_create_pdb (db=0x2394f10, sepol_db=0x7ffce2653d30)
at ../cil/src/cil.c:631
#10 0x00007f608fff4bf3 in semanage_direct_commit () from /lib64/libsemanage.so.1
#11 0x00007f608fff9fae in semanage_commit () from /lib64/libsemanage.so.1
#12 0x0000000000403e2b in main (argc=7, argv=0x7ffce2655058) at semodule.c:753
(gdb) f 3
#3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
at ../cil/src/cil_binary.c:1551
1551 xperms->perms[i] |= XPERM_SETBITS(h) - XPERM_SETBITS(low);
A signed integer overflow therefore occurs in XPERM_SETBITS(h):
#define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)
This macro is expanded with h=31, so "(1 << 31) - 1" is computed:
* (1 << 31) = -0x80000000 is the lowest signed 32-bit integer value
* (1 << 31) - 1 overflows the capacity of a signed 32-bit integer and
results in 0x7fffffff (which is unsigned)
Using unsigned integers (with "1U") fixes the crash, as
(1U << 31) = 0x80000000U has no overflowing issues.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
checkpolicy/policy_define.c | 2 +-
libsepol/cil/src/cil_binary.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 395f62284e3c..bf6c3e68bef3 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -2147,7 +2147,7 @@ out:
/* index of the u32 containing the permission */
#define XPERM_IDX(x) (x >> 5)
/* set bits 0 through x-1 within the u32 */
-#define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)
+#define XPERM_SETBITS(x) ((1U << (x & 0x1f)) - 1)
/* low value for this u32 */
#define XPERM_LOW(x) (x << 5)
/* high value for this u32 */
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 36720eda4549..e417c5c28b8b 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -1526,7 +1526,7 @@ int cil_avrule_to_policydb(policydb_t *pdb, const struct cil_db *db, struct cil_
/* index of the u32 containing the permission */
#define XPERM_IDX(x) (x >> 5)
/* set bits 0 through x-1 within the u32 */
-#define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)
+#define XPERM_SETBITS(x) ((1U << (x & 0x1f)) - 1)
/* low value for this u32 */
#define XPERM_LOW(x) (x << 5)
/* high value for this u32 */
--
2.28.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH userspace] libsepol/cil: fix signed overflow caused by using (1 << 31) - 1
2020-10-03 13:19 [PATCH userspace] libsepol/cil: fix signed overflow caused by using (1 << 31) - 1 Nicolas Iooss
@ 2020-10-14 18:01 ` Petr Lautrbach
2020-10-15 17:27 ` Petr Lautrbach
0 siblings, 1 reply; 3+ messages in thread
From: Petr Lautrbach @ 2020-10-14 18:01 UTC (permalink / raw)
To: selinux; +Cc: Nicolas Iooss
On Sat, Oct 03, 2020 at 03:19:08PM +0200, Nicolas Iooss wrote:
> When compiling SELinux userspace tools with -ftrapv (this option
> generates traps for signed overflow on addition, subtraction,
> multiplication operations, instead of silently wrapping around),
> semodule crashes when running the tests from
> scripts/ci/fedora-test-runner.sh in a Fedora 32 virtual machine:
>
> [root@localhost selinux-testsuite]# make test
> make -C policy load
> make[1]: Entering directory '/root/selinux-testsuite/policy'
> # Test for "expand-check = 0" in /etc/selinux/semanage.conf
> # General policy build
> make[2]: Entering directory '/root/selinux-testsuite/policy/test_policy'
> Compiling targeted test_policy module
> Creating targeted test_policy.pp policy package
> rm tmp/test_policy.mod.fc
> make[2]: Leaving directory '/root/selinux-testsuite/policy/test_policy'
> # General policy load
> domain_fd_use --> off
> /usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil test_overlay_defaultrange.cil test_add_levels.cil test_glblub.cil
> make[1]: *** [Makefile:174: load] Aborted (core dumped)
>
> Using "coredumpctl gdb" leads to the following strack trace:
>
> (gdb) bt
> #0 0x00007f608fe4fa25 in raise () from /lib64/libc.so.6
> #1 0x00007f608fe38895 in abort () from /lib64/libc.so.6
> #2 0x00007f6090028aca in __addvsi3.cold () from /lib64/libsepol.so.1
> #3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
> at ../cil/src/cil_binary.c:1551
> #4 0x00007f60900970dd in __cil_permx_bitmap_to_sepol_xperms_list (xperms=0xb650a30, xperms_list=0x7ffce2653b18)
> at ../cil/src/cil_binary.c:1596
> #5 0x00007f6090097286 in __cil_avrulex_ioctl_to_policydb (k=0xb8ec200 "@\023\214\022\006", datum=0xb650a30,
> args=0x239a640) at ../cil/src/cil_binary.c:1649
> #6 0x00007f609003f1e5 in hashtab_map (h=0x41f8710, apply=0x7f60900971da <__cil_avrulex_ioctl_to_policydb>,
> args=0x239a640) at hashtab.c:234
> #7 0x00007f609009ea19 in cil_binary_create_allocated_pdb (db=0x2394f10, policydb=0x239a640)
> at ../cil/src/cil_binary.c:4969
> #8 0x00007f609009d19d in cil_binary_create (db=0x2394f10, policydb=0x7ffce2653d30) at ../cil/src/cil_binary.c:4329
> #9 0x00007f609008ec23 in cil_build_policydb_create_pdb (db=0x2394f10, sepol_db=0x7ffce2653d30)
> at ../cil/src/cil.c:631
> #10 0x00007f608fff4bf3 in semanage_direct_commit () from /lib64/libsemanage.so.1
> #11 0x00007f608fff9fae in semanage_commit () from /lib64/libsemanage.so.1
> #12 0x0000000000403e2b in main (argc=7, argv=0x7ffce2655058) at semodule.c:753
>
> (gdb) f 3
> #3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
> at ../cil/src/cil_binary.c:1551
> 1551 xperms->perms[i] |= XPERM_SETBITS(h) - XPERM_SETBITS(low);
>
> A signed integer overflow therefore occurs in XPERM_SETBITS(h):
>
> #define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)
>
> This macro is expanded with h=31, so "(1 << 31) - 1" is computed:
>
> * (1 << 31) = -0x80000000 is the lowest signed 32-bit integer value
> * (1 << 31) - 1 overflows the capacity of a signed 32-bit integer and
> results in 0x7fffffff (which is unsigned)
>
> Using unsigned integers (with "1U") fixes the crash, as
> (1U << 31) = 0x80000000U has no overflowing issues.
>
> Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
> ---
> checkpolicy/policy_define.c | 2 +-
> libsepol/cil/src/cil_binary.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> index 395f62284e3c..bf6c3e68bef3 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -2147,7 +2147,7 @@ out:
> /* index of the u32 containing the permission */
> #define XPERM_IDX(x) (x >> 5)
> /* set bits 0 through x-1 within the u32 */
> -#define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)
> +#define XPERM_SETBITS(x) ((1U << (x & 0x1f)) - 1)
> /* low value for this u32 */
> #define XPERM_LOW(x) (x << 5)
> /* high value for this u32 */
> diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
> index 36720eda4549..e417c5c28b8b 100644
> --- a/libsepol/cil/src/cil_binary.c
> +++ b/libsepol/cil/src/cil_binary.c
> @@ -1526,7 +1526,7 @@ int cil_avrule_to_policydb(policydb_t *pdb, const struct cil_db *db, struct cil_
> /* index of the u32 containing the permission */
> #define XPERM_IDX(x) (x >> 5)
> /* set bits 0 through x-1 within the u32 */
> -#define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)
> +#define XPERM_SETBITS(x) ((1U << (x & 0x1f)) - 1)
> /* low value for this u32 */
> #define XPERM_LOW(x) (x << 5)
> /* high value for this u32 */
> --
> 2.28.0
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH userspace] libsepol/cil: fix signed overflow caused by using (1 << 31) - 1
2020-10-14 18:01 ` Petr Lautrbach
@ 2020-10-15 17:27 ` Petr Lautrbach
0 siblings, 0 replies; 3+ messages in thread
From: Petr Lautrbach @ 2020-10-15 17:27 UTC (permalink / raw)
To: selinux; +Cc: Nicolas Iooss
[-- Attachment #1: Type: text/plain, Size: 5308 bytes --]
On Wed, Oct 14, 2020 at 08:01:06PM +0200, Petr Lautrbach wrote:
> On Sat, Oct 03, 2020 at 03:19:08PM +0200, Nicolas Iooss wrote:
> > When compiling SELinux userspace tools with -ftrapv (this option
> > generates traps for signed overflow on addition, subtraction,
> > multiplication operations, instead of silently wrapping around),
> > semodule crashes when running the tests from
> > scripts/ci/fedora-test-runner.sh in a Fedora 32 virtual machine:
> >
> > [root@localhost selinux-testsuite]# make test
> > make -C policy load
> > make[1]: Entering directory '/root/selinux-testsuite/policy'
> > # Test for "expand-check = 0" in /etc/selinux/semanage.conf
> > # General policy build
> > make[2]: Entering directory '/root/selinux-testsuite/policy/test_policy'
> > Compiling targeted test_policy module
> > Creating targeted test_policy.pp policy package
> > rm tmp/test_policy.mod.fc
> > make[2]: Leaving directory '/root/selinux-testsuite/policy/test_policy'
> > # General policy load
> > domain_fd_use --> off
> > /usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil test_overlay_defaultrange.cil test_add_levels.cil test_glblub.cil
> > make[1]: *** [Makefile:174: load] Aborted (core dumped)
> >
> > Using "coredumpctl gdb" leads to the following strack trace:
> >
> > (gdb) bt
> > #0 0x00007f608fe4fa25 in raise () from /lib64/libc.so.6
> > #1 0x00007f608fe38895 in abort () from /lib64/libc.so.6
> > #2 0x00007f6090028aca in __addvsi3.cold () from /lib64/libsepol.so.1
> > #3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
> > at ../cil/src/cil_binary.c:1551
> > #4 0x00007f60900970dd in __cil_permx_bitmap_to_sepol_xperms_list (xperms=0xb650a30, xperms_list=0x7ffce2653b18)
> > at ../cil/src/cil_binary.c:1596
> > #5 0x00007f6090097286 in __cil_avrulex_ioctl_to_policydb (k=0xb8ec200 "@\023\214\022\006", datum=0xb650a30,
> > args=0x239a640) at ../cil/src/cil_binary.c:1649
> > #6 0x00007f609003f1e5 in hashtab_map (h=0x41f8710, apply=0x7f60900971da <__cil_avrulex_ioctl_to_policydb>,
> > args=0x239a640) at hashtab.c:234
> > #7 0x00007f609009ea19 in cil_binary_create_allocated_pdb (db=0x2394f10, policydb=0x239a640)
> > at ../cil/src/cil_binary.c:4969
> > #8 0x00007f609009d19d in cil_binary_create (db=0x2394f10, policydb=0x7ffce2653d30) at ../cil/src/cil_binary.c:4329
> > #9 0x00007f609008ec23 in cil_build_policydb_create_pdb (db=0x2394f10, sepol_db=0x7ffce2653d30)
> > at ../cil/src/cil.c:631
> > #10 0x00007f608fff4bf3 in semanage_direct_commit () from /lib64/libsemanage.so.1
> > #11 0x00007f608fff9fae in semanage_commit () from /lib64/libsemanage.so.1
> > #12 0x0000000000403e2b in main (argc=7, argv=0x7ffce2655058) at semodule.c:753
> >
> > (gdb) f 3
> > #3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
> > at ../cil/src/cil_binary.c:1551
> > 1551 xperms->perms[i] |= XPERM_SETBITS(h) - XPERM_SETBITS(low);
> >
> > A signed integer overflow therefore occurs in XPERM_SETBITS(h):
> >
> > #define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)
> >
> > This macro is expanded with h=31, so "(1 << 31) - 1" is computed:
> >
> > * (1 << 31) = -0x80000000 is the lowest signed 32-bit integer value
> > * (1 << 31) - 1 overflows the capacity of a signed 32-bit integer and
> > results in 0x7fffffff (which is unsigned)
> >
> > Using unsigned integers (with "1U") fixes the crash, as
> > (1U << 31) = 0x80000000U has no overflowing issues.
> >
> > Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
>
> Acked-by: Petr Lautrbach <plautrba@redhat.com>
Merged, thanks!
> > ---
> > checkpolicy/policy_define.c | 2 +-
> > libsepol/cil/src/cil_binary.c | 2 +-
> > 2 files changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> > index 395f62284e3c..bf6c3e68bef3 100644
> > --- a/checkpolicy/policy_define.c
> > +++ b/checkpolicy/policy_define.c
> > @@ -2147,7 +2147,7 @@ out:
> > /* index of the u32 containing the permission */
> > #define XPERM_IDX(x) (x >> 5)
> > /* set bits 0 through x-1 within the u32 */
> > -#define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)
> > +#define XPERM_SETBITS(x) ((1U << (x & 0x1f)) - 1)
> > /* low value for this u32 */
> > #define XPERM_LOW(x) (x << 5)
> > /* high value for this u32 */
> > diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
> > index 36720eda4549..e417c5c28b8b 100644
> > --- a/libsepol/cil/src/cil_binary.c
> > +++ b/libsepol/cil/src/cil_binary.c
> > @@ -1526,7 +1526,7 @@ int cil_avrule_to_policydb(policydb_t *pdb, const struct cil_db *db, struct cil_
> > /* index of the u32 containing the permission */
> > #define XPERM_IDX(x) (x >> 5)
> > /* set bits 0 through x-1 within the u32 */
> > -#define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)
> > +#define XPERM_SETBITS(x) ((1U << (x & 0x1f)) - 1)
> > /* low value for this u32 */
> > #define XPERM_LOW(x) (x << 5)
> > /* high value for this u32 */
> > --
> > 2.28.0
> >
>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-10-15 17:27 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-10-03 13:19 [PATCH userspace] libsepol/cil: fix signed overflow caused by using (1 << 31) - 1 Nicolas Iooss
2020-10-14 18:01 ` Petr Lautrbach
2020-10-15 17:27 ` Petr Lautrbach
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.