* [PATCH 2/2] libselinux/fuzz: handle inputs with trailing data
From: Christian Göttsche @ 2025-01-08 16:31 UTC
To: selinux; +Cc: Christian Göttsche
From: Christian Göttsche <cgzones@googlemail.com>
Handle the case where either separated trailing input is empty or non-existent by initializing the size to 0 and only calling the related code on a non-zero size.
Fixes: 8997f543 ("libselinux: add selabel_file(5) fuzzer")
Reported-by: oss-fuzz (issue 388319478)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
.../fuzz/selabel_file_compiled-fuzzer.c | 67 ++++++++++++-------
1 file changed, 41 insertions(+), 26 deletions(-)
diff --git a/libselinux/fuzz/selabel_file_compiled-fuzzer.c b/libselinux/fuzz/selabel_file_compiled-fuzzer.c
index 09fbddd1..51fffcda 100644
--- a/libselinux/fuzz/selabel_file_compiled-fuzzer.c
+++ b/libselinux/fuzz/selabel_file_compiled-fuzzer.c
@@ -95,7 +95,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
uint8_t control;
uint8_t *fcontext_data1 = NULL, *fcontext_data2 = NULL, *fcontext_data3 = NULL;
char *key = NULL;
- size_t fcontext_data1_len, fcontext_data2_len, fcontext_data3_len, key_len;
+ size_t fcontext_data1_len, fcontext_data2_len = 0, fcontext_data3_len = 0, key_len;
bool partial, find_all;
mode_t mode;
int rc;
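Review bot: only fcontext_data2_len and fcontext_data3_len receive the `= 0` initializer here, while fcontext_data1_len and key_len stay uninitialized, so the fix relies on the first separator lookup and the key parsing assigning those two on every path before they are read. If the same "no trailing data" condition can leave either of them unset, they need the same initializer and the same non-zero guard as the two sections below.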
@@ -141,11 +141,14 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
sep = memmem(data, size, separator, 4);
if (sep) {
fcontext_data2_len = sep - data;
- fcontext_data2 = malloc(fcontext_data2_len);
- if (!fcontext_data2)
- goto cleanup;
+ if (fcontext_data2_len) {
+ fcontext_data2 = malloc(fcontext_data2_len);
+ if (!fcontext_data2)
+ goto cleanup;
+
+ memcpy(fcontext_data2, data, fcontext_data2_len);
+ }
- memcpy(fcontext_data2, data, fcontext_data2_len);
data += fcontext_data2_len + 4;
size -= fcontext_data2_len + 4;
}
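Review bot: the new `if (fcontext_data2_len)` guard is the right shape: `malloc(0)` has an implementation-defined result (NULL on some allocators), so an empty section previously became either a spurious `goto cleanup` or a zero-length allocation passed on to convert_data. Note that fcontext_data2 now stays NULL for an empty section, so every later consumer must test the length, not the pointer; the load hunk below does exactly that, which keeps the two conventions consistent. Minor nit: `fcontext_data2_len = sep - data` stores a ptrdiff_t into a size_t; it is safe only because memmem returns a pointer inside [data, data + size), and a one-line comment saying so would save the next reader the reasoning.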
@@ -153,11 +156,14 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
sep = memmem(data, size, separator, 4);
if (sep) {
fcontext_data3_len = sep - data;
- fcontext_data3 = malloc(fcontext_data3_len);
- if (!fcontext_data3)
- goto cleanup;
+ if (fcontext_data3_len) {
+ fcontext_data3 = malloc(fcontext_data3_len);
+ if (!fcontext_data3)
+ goto cleanup;
+
+ memcpy(fcontext_data3, data, fcontext_data3_len);
+ }
- memcpy(fcontext_data3, data, fcontext_data3_len);
data += fcontext_data3_len + 4;
size -= fcontext_data3_len + 4;
}
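Review bot: this block is now a line-for-line copy of the fcontext_data2 section above (separator search, length computation, guarded malloc/memcpy, pointer and size advance). A small static helper, for example `split_section(&data, &size, &buf, &len)` returning the same failure condition that currently triggers `goto cleanup`, would let the three input sections share one implementation, so the next oss-fuzz edge case in this parsing only has to be fixed once.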
@@ -202,29 +208,38 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
}
fclose(fp);
+ fp = NULL;
- fp = convert_data(fcontext_data2, fcontext_data2_len);
- if (!fp)
- goto cleanup;
+ if (fcontext_data2_len) {
+ fp = convert_data(fcontext_data2, fcontext_data2_len);
+ if (!fp)
+ goto cleanup;
- errno = 0;
- rc = load_mmap(fp, fcontext_data2_len, &rec, MEMFD_FILE_NAME, 1);
- if (rc) {
- assert(errno != 0);
- goto cleanup;
+ errno = 0;
+ rc = load_mmap(fp, fcontext_data2_len, &rec, MEMFD_FILE_NAME, 1);
+ if (rc) {
+ assert(errno != 0);
+ goto cleanup;
+ }
+
+ fclose(fp);
+ fp = NULL;
}
- fclose(fp);
+ if (fcontext_data3_len) {
+ fp = convert_data(fcontext_data3, fcontext_data3_len);
+ if (!fp)
+ goto cleanup;
- fp = convert_data(fcontext_data3, fcontext_data3_len);
- if (!fp)
- goto cleanup;
+ errno = 0;
+ rc = load_mmap(fp, fcontext_data3_len, &rec, MEMFD_FILE_NAME, 2);
+ if (rc) {
+ assert(errno != 0);
+ goto cleanup;
+ }
- errno = 0;
- rc = load_mmap(fp, fcontext_data3_len, &rec, MEMFD_FILE_NAME, 2);
- if (rc) {
- assert(errno != 0);
- goto cleanup;
+ fclose(fp);
+ fp = NULL;
}
sort_specs(&sdata);
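Review bot: resetting `fp = NULL` after each `fclose(fp)` is the right defence against a double close on the error path, assuming the cleanup label closes fp only when it is non-NULL; please confirm that no unconditional `fclose(fp)` survives after `sort_specs(&sdata)` outside this hunk's context, since with these resets it would now be `fclose(NULL)`. The `goto cleanup` after a failed `load_mmap` deliberately leaves fp open for cleanup to close, which is consistent with that convention. Separately, when the data2 section is empty, data3 is still loaded with input number 2 via `load_mmap(fp, fcontext_data3_len, &rec, MEMFD_FILE_NAME, 2)` while input number 1 is never populated; if load_mmap or sort_specs assumes the input numbers are contiguous, an empty middle section should either shift data3 down to 1 or be treated as invalid input rather than skipped.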
--
2.47.1
* [PATCH 1/2] libsepol/cil: free nlmsg hashtable on error
From: Christian Göttsche @ 2025-01-08 16:31 UTC
To: selinux; +Cc: Christian Göttsche
From: Christian Göttsche <cgzones@googlemail.com>
Free the hashtable for nlmsg xperm rules similar to the ioctl hashtable.
Fixes: 1fd41f48 ("libsepol/cil: add support for xperms in conditional policies")
Reported-by: oss-fuzz (issue 388376332)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
libsepol/cil/src/cil_binary.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 070bf525..e84188a0 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -2616,6 +2616,8 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c
return SEPOL_OK;
exit:
+ hashtab_map(avrulex_nlmsg_table, __cil_avrulex_xperm_destroy, NULL);
+ hashtab_destroy(avrulex_nlmsg_table);
hashtab_map(avrulex_ioctl_table, __cil_avrulex_xperm_destroy, NULL);
hashtab_destroy(avrulex_ioctl_table);
if (tmp_cond) {
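Review bot: the added nlmsg teardown runs unconditionally at `exit:`, so if that label is reachable before `avrulex_nlmsg_table` has been created (for instance when creating it fails right after the ioctl table was created), `hashtab_map` and `hashtab_destroy` are handed a NULL table; please confirm both tolerate NULL, or guard the two new lines with `if (avrulex_nlmsg_table)`. Destroying the nlmsg table before the ioctl table is the correct reverse-order cleanup provided the ioctl table is created first, which matches the existing ioctl teardown it mirrors.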
--
2.47.1
* Re: [PATCH 1/2] libsepol/cil: free nlmsg hashtable on error
From: James Carter @ 2025-01-08 20:45 UTC
To: cgzones; +Cc: selinux
On Wed, Jan 8, 2025 at 11:32 AM Christian Göttsche
<cgoettsche@seltendoof.de> wrote:
>
> From: Christian Göttsche <cgzones@googlemail.com>
>
> Free the hashtable for nlmsg xperm rules similar to the ioctl hashtable.
>
> Fixes: 1fd41f48 ("libsepol/cil: add support for xperms in conditional policies")
> Reported-by: oss-fuzz (issue 388376332)
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
For these two patches:
Acked-by: James Carter <jwcart2@gmail.com>
> ---
> libsepol/cil/src/cil_binary.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
> index 070bf525..e84188a0 100644
> --- a/libsepol/cil/src/cil_binary.c
> +++ b/libsepol/cil/src/cil_binary.c
> @@ -2616,6 +2616,8 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c
> return SEPOL_OK;
>
> exit:
> + hashtab_map(avrulex_nlmsg_table, __cil_avrulex_xperm_destroy, NULL);
> + hashtab_destroy(avrulex_nlmsg_table);
> hashtab_map(avrulex_ioctl_table, __cil_avrulex_xperm_destroy, NULL);
> hashtab_destroy(avrulex_ioctl_table);
> if (tmp_cond) {
> --
> 2.47.1
>
>
* Re: [PATCH 1/2] libsepol/cil: free nlmsg hashtable on error
From: Petr Lautrbach @ 2025-01-16 16:07 UTC
To: James Carter, cgzones, selinux
James Carter <jwcart2@gmail.com> writes:
> On Wed, Jan 8, 2025 at 11:32 AM Christian Göttsche
> <cgoettsche@seltendoof.de> wrote:
>>
>> From: Christian Göttsche <cgzones@googlemail.com>
>>
>> Free the hashtable for nlmsg xperm rules similar to the ioctl hashtable.
>>
>> Fixes: 1fd41f48 ("libsepol/cil: add support for xperms in conditional policies")
>> Reported-by: oss-fuzz (issue 388376332)
>> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>
> For these two patches:
> Acked-by: James Carter <jwcart2@gmail.com>
Merged. Thanks!
>> ---
>> libsepol/cil/src/cil_binary.c | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
>> index 070bf525..e84188a0 100644
>> --- a/libsepol/cil/src/cil_binary.c
>> +++ b/libsepol/cil/src/cil_binary.c
>> @@ -2616,6 +2616,8 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c
>> return SEPOL_OK;
>>
>> exit:
>> + hashtab_map(avrulex_nlmsg_table, __cil_avrulex_xperm_destroy, NULL);
>> + hashtab_destroy(avrulex_nlmsg_table);
>> hashtab_map(avrulex_ioctl_table, __cil_avrulex_xperm_destroy, NULL);
>> hashtab_destroy(avrulex_ioctl_table);
>> if (tmp_cond) {
>> --
>> 2.47.1
>>
>>