From: Petr Lautrbach <plautrba@redhat.com>
To: SElinux list <selinux@vger.kernel.org>,
Nicolas Iooss <nicolas.iooss@m4x.org>,
James Carter <jwcart2@gmail.com>
Subject: Re: [PATCH 0/2] libsepol: Validate policydb values when reading binary
Date: Fri, 19 Feb 2021 16:48:53 +0100
Message-ID: <87a6s0oy6y.fsf@redhat.com>
In-Reply-To: <CAJfZ7=kqX0xrHWkCcWMjB7m7VOFiScdcSff+ZWBDHNxy_iGMuw@mail.gmail.com>
Nicolas Iooss <nicolas.iooss@m4x.org> writes:
> On Fri, Feb 5, 2021 at 3:08 PM James Carter <jwcart2@gmail.com> wrote:
>>
>> Nicolas Iooss reports that fuzzing /usr/libexec/hll/pp with the
>> American Fuzzy Lop revealed that inconsistent policy modules could be
>> created that caused NULL dereferences and other problems.
>>
>> This patch validates the policydb when reading in the binary policy. See
>> the description of the second patch for more details.
>>
>> The validation requires a negligible amount of time to complete.
>>
>> James Carter (2):
>>   libsepol: Create function ebitmap_highest_set_bit()
>>   libsepol: Validate policydb values when reading binary policy
>>
>>  libsepol/include/sepol/policydb/ebitmap.h |   1 +
>>  libsepol/src/ebitmap.c                    |  20 +
>>  libsepol/src/policydb.c                   |  35 +-
>>  libsepol/src/policydb_validate.c          | 764 ++++++++++++++++++++++
>>  libsepol/src/policydb_validate.h          |   7 +
>>  5 files changed, 815 insertions(+), 12 deletions(-)
>>  create mode 100644 libsepol/src/policydb_validate.c
>>  create mode 100644 libsepol/src/policydb_validate.h
>>
>> --
>> 2.26.2
>>
>
> Hello,
> Thanks for these patches! I tested them and the fuzzer I am using
> (which consists in running AFL on "pp") no longer crashed :) So I
> confirm they fixed the issues I was experiencing, and the code looks
> good.
>
> Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
>
> Nicolas
Merged using --whitespace=fix
Thanks!
^&^ git am --whitespace=fix 2-2-libsepol-Validate-policydb-values-when-reading-binary-policy.patch
Applying: libsepol: Validate policydb values when reading binary policy
.git/rebase-apply/patch:331: trailing whitespace.
return -1;
.git/rebase-apply/patch:590: trailing whitespace.
return 0;
.git/rebase-apply/patch:747: trailing whitespace.
return -1;
.git/rebase-apply/patch:763: trailing whitespace.
return -1;
.git/rebase-apply/patch:886: trailing whitespace.
return -1;
Thread overview: 5+ messages
2021-02-05 14:07 [PATCH 0/2] libsepol: Validate policydb values when reading binary James Carter
2021-02-05 14:07 ` [PATCH 1/2] libsepol: Create function ebitmap_highest_set_bit() James Carter
2021-02-05 14:08 ` [PATCH 2/2] libsepol: Validate policydb values when reading binary policy James Carter
2021-02-18 7:31 ` [PATCH 0/2] libsepol: Validate policydb values when reading binary Nicolas Iooss
2021-02-19 15:48 ` Petr Lautrbach [this message]