From: "Thiébaud Weksteen" <tweek@google.com>
To: selinux@vger.kernel.org
Cc: "James Carter" <jwcart2@gmail.com>,
"Stephen Smalley" <stephen.smalley.work@gmail.com>,
"Jeffrey Vander Stoep" <jeffv@google.com>,
"Thiébaud Weksteen" <tweek@google.com>
Subject: [PATCH] libsepol: Fix off-by-one error in cats_ebitmap_len
Date: Mon, 30 Mar 2026 12:51:48 +1100 [thread overview]
Message-ID: <20260330015148.1482594-1-tweek@google.com> (raw)
In cats_ebitmap_len(), i-1 was incorrectly used instead of i for looking up
category names at the end of a range. This resulted in an under-allocation
of the buffer for the CIL representation of category ranges, which causes
cats_ebitmap_to_str() to fail its safety check and return (null).
This fix correctly uses i (the current bit index) to look up the name for
the category at the end of the range.
Proof of Concept (PoC) Policy:
class p sid kernel class p { f }
sensitivity s0; dominance { s0 }
category c0; category c1_very_long_category_name;
level s0:c0.c1_very_long_category_name;
mlsconstrain p { f } l1 == l2;
type t; allow t self:p { f };
role r; role r types { t };
user u roles r level s0 range s0 - s0:c0.c1_very_long_category_name;
sid kernel u:r:t:s0 - s0:c0.c1_very_long_category_name
Reproduction steps:
1. checkpolicy -M -o poc.bin poc.conf
2. checkpolicy -M -b -C -o poc.cil poc.bin
3. cat poc.cil | grep userrange
Before: (userrange u ((s0) (s0 (null))))
After: (userrange u ((s0) (s0 (c0 c1_very_long_category_name))))
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
---
libsepol/src/kernel_to_cil.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index 06cf4498..49040ae4 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -1018,9 +1018,9 @@ static size_t cats_ebitmap_len(struct ebitmap *cats, char **val_to_name)
len += strlen(val_to_name[start]);
if (range > 2) {
- len += strlen(val_to_name[i-1]) + strlen("(range ) ");
+ len += strlen(val_to_name[i]) + strlen("(range ) ");
} else if (range == 2) {
- len += strlen(val_to_name[i-1]) + 2;
+ len += strlen(val_to_name[i]) + 2;
} else if (range == 1) {
len += 1;
}
--
2.53.0.1018.g2bb0e51243-goog
next reply other threads:[~2026-03-30 1:51 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-30 1:51 Thiébaud Weksteen [this message]
2026-04-30 19:10 ` [PATCH] libsepol: Fix off-by-one error in cats_ebitmap_len James Carter
2026-05-04 10:25 ` Petr Lautrbach
2026-05-04 13:47 ` James Carter
2026-05-12 18:06 ` James Carter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260330015148.1482594-1-tweek@google.com \
--to=tweek@google.com \
--cc=jeffv@google.com \
--cc=jwcart2@gmail.com \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.