From: Petr Lautrbach <lautrbach@redhat.com>
To: "James Carter" <jwcart2@gmail.com>,
"Thiébaud Weksteen" <tweek@google.com>
Cc: selinux@vger.kernel.org,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Jeffrey Vander Stoep <jeffv@google.com>
Subject: Re: [PATCH] libsepol: Fix off-by-one error in cats_ebitmap_len
Date: Mon, 04 May 2026 12:25:54 +0200 [thread overview]
Message-ID: <87pl3b8o99.fsf@redhat.com> (raw)
In-Reply-To: <CAP+JOzS0p2d=43EiumHpe9ESQTjaYuk4tAhyD8Er44p7HUAjgg@mail.gmail.com>
James Carter <jwcart2@gmail.com> writes:
> On Sun, Mar 29, 2026 at 9:51 PM Thiébaud Weksteen <tweek@google.com> wrote:
>>
>> In cats_ebitmap_len(), i-1 was incorrectly used instead of i for looking up
>> category names at the end of a range. This resulted in an under-allocation
>> of the buffer for the CIL representation of category ranges, which causes
>> cats_ebitmap_to_str() to fail its safety check and return (null).
>>
>> This fix correctly uses i (the current bit index) to look up the name for
>> the category at the end of the range.
>>
>> Proof of Concept (PoC) Policy:
>> class p sid kernel class p { f }
>> sensitivity s0; dominance { s0 }
>> category c0; category c1_very_long_category_name;
>> level s0:c0.c1_very_long_category_name;
>> mlsconstrain p { f } l1 == l2;
>> type t; allow t self:p { f };
>> role r; role r types { t };
>> user u roles r level s0 range s0 - s0:c0.c1_very_long_category_name;
>> sid kernel u:r:t:s0 - s0:c0.c1_very_long_category_name
>>
>> Reproduction steps:
>> 1. checkpolicy -M -o poc.bin poc.conf
>> 2. checkpolicy -M -b -C -o poc.cil poc.bin
>> 3. cat poc.cil | grep userrange
>> Before: (userrange u ((s0) (s0 (null))))
>> After: (userrange u ((s0) (s0 (c0 c1_very_long_category_name))))
>>
>> Signed-off-by: Thiébaud Weksteen <tweek@google.com>
>
> Signed-off-by: James Carter <jwcart2@gmail.com>
Was this supposes to be Acked-by?
>> ---
>> libsepol/src/kernel_to_cil.c | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
>> index 06cf4498..49040ae4 100644
>> --- a/libsepol/src/kernel_to_cil.c
>> +++ b/libsepol/src/kernel_to_cil.c
>> @@ -1018,9 +1018,9 @@ static size_t cats_ebitmap_len(struct ebitmap *cats, char **val_to_name)
>>
>> len += strlen(val_to_name[start]);
>> if (range > 2) {
>> - len += strlen(val_to_name[i-1]) + strlen("(range ) ");
>> + len += strlen(val_to_name[i]) + strlen("(range ) ");
>> } else if (range == 2) {
>> - len += strlen(val_to_name[i-1]) + 2;
>> + len += strlen(val_to_name[i]) + 2;
>> } else if (range == 1) {
>> len += 1;
>> }
>> --
>> 2.53.0.1018.g2bb0e51243-goog
>>
next prev parent reply other threads:[~2026-05-04 10:26 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-30 1:51 [PATCH] libsepol: Fix off-by-one error in cats_ebitmap_len Thiébaud Weksteen
2026-04-30 19:10 ` James Carter
2026-05-04 10:25 ` Petr Lautrbach [this message]
2026-05-04 13:47 ` James Carter
2026-05-12 18:06 ` James Carter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87pl3b8o99.fsf@redhat.com \
--to=lautrbach@redhat.com \
--cc=jeffv@google.com \
--cc=jwcart2@gmail.com \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
--cc=tweek@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.