* [PATCH] libsepol: Fix off-by-one error in cats_ebitmap_len
@ 2026-03-30  1:51 Thiébaud Weksteen
  2026-04-30 19:10 ` James Carter
  0 siblings, 1 reply; 5+ messages in thread
From: Thiébaud Weksteen @ 2026-03-30  1:51 UTC (permalink / raw)
  To: selinux
  Cc: James Carter, Stephen Smalley, Jeffrey Vander Stoep,
	Thiébaud Weksteen

In cats_ebitmap_len(), i-1 was incorrectly used instead of i for looking up
category names at the end of a range. This resulted in an under-allocation
of the buffer for the CIL representation of category ranges, which causes
cats_ebitmap_to_str() to fail its safety check and return (null).

This fix correctly uses i (the current bit index) to look up the name for
the category at the end of the range.

Proof of Concept (PoC) Policy:
  class p sid kernel class p { f }
  sensitivity s0; dominance { s0 }
  category c0; category c1_very_long_category_name;
  level s0:c0.c1_very_long_category_name;
  mlsconstrain p { f } l1 == l2;
  type t; allow t self:p { f };
  role r; role r types { t };
  user u roles r level s0 range s0 - s0:c0.c1_very_long_category_name;
  sid kernel u:r:t:s0 - s0:c0.c1_very_long_category_name

Reproduction steps:
  1. checkpolicy -M -o poc.bin poc.conf
  2. checkpolicy -M -b -C -o poc.cil poc.bin
  3. cat poc.cil | grep userrange
     Before: (userrange u ((s0) (s0 (null))))
     After: (userrange u ((s0) (s0 (c0 c1_very_long_category_name))))

Signed-off-by: Thiébaud Weksteen <tweek@google.com>
---
 libsepol/src/kernel_to_cil.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index 06cf4498..49040ae4 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -1018,9 +1018,9 @@ static size_t cats_ebitmap_len(struct ebitmap *cats, char **val_to_name)
 
 		len += strlen(val_to_name[start]);
 		if (range > 2) {
-			len += strlen(val_to_name[i-1]) + strlen("(range  ) ");
+			len += strlen(val_to_name[i]) + strlen("(range  ) ");
 		} else if (range == 2) {
-			len += strlen(val_to_name[i-1]) + 2;
+			len += strlen(val_to_name[i]) + 2;
 		} else if (range == 1) {
 			len += 1;
 		}
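Review bot: the hunk switches both the range > 2 and range == 2 branches to val_to_name[i], but the loop header that sets `i`, `start` and `range` is outside the visible context, so the patch itself does not show that `i` is the inclusive last bit of the run at the point these branches execute; that is the premise of the fix (the commit message states it, and the PoC output bears it out for a run of two), and a one-line comment at the top of the loop body saying so would spare the next reader re-deriving it. Two smaller points: the under-count was caught by the safety check in cats_ebitmap_to_str() and surfaced as "(null)" rather than as a write past the buffer, so the PoC policy in the commit message is a ready-made regression test and belongs in the libsepol test tree rather than only in the log; and because the count only differs when strlen(val_to_name[i-1]) != strlen(val_to_name[i]), a run such as c2..c4 counts identically with or without the fix, so a test policy needs mixed-length category names (as the PoC has) to actually exercise this change.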
-- 
2.53.0.1018.g2bb0e51243-goog
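
An added example, not libsepol code and not the patch author's, that models the byte counting in the hunk above as a stand-alone C program, so the under-allocation and the resulting safety-check failure can be seen without building checkpolicy. Everything in it is constructed for the example: the category table, the bitmap values, and the helper names (next_run, cats_len, append, cats_render, cats_to_str). The rendered format (trailing spaces, "(range a b) ") is what the hunk's arithmetic implies, not libsepol's exact output, and the end_index_bug flag stands in for the pre-fix i-1 lookup.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed category table indexed by bit number, standing in for
 * val_to_name[]; one name is deliberately much longer than its neighbour. */
static const char *const cat_names[] = {
    "c0", "c1_very_long_category_name", "c2", "c3", "c4"
};
#define NCATS ((unsigned)(sizeof(cat_names) / sizeof(cat_names[0])))

/* Find the next run of consecutive set bits at or after *pos.
 * On success *start and *end are the run's inclusive bit indices. */
static int next_run(uint32_t bits, unsigned *pos, unsigned *start, unsigned *end)
{
    unsigned i = *pos;
    while (i < NCATS && !(bits & (1u << i)))
        i++;
    if (i >= NCATS)
        return 0;
    *start = i;
    while (i + 1 < NCATS && (bits & (1u << (i + 1))))
        i++;
    *end = i;
    *pos = i + 1;
    return 1;
}

/* Bytes the rendered list needs, with the hunk's arithmetic: singleton "a ",
 * pair "a b ", longer run "(range a b) ". end_index_bug reproduces the pre-fix
 * lookup of the name one bit before the run's last bit (the original i-1). */
static size_t cats_len(uint32_t bits, int end_index_bug)
{
    size_t len = 0;
    unsigned pos = 0, start, end;

    while (next_run(bits, &pos, &start, &end)) {
        unsigned range = end - start + 1;
        unsigned end_idx = (end_index_bug && end > 0) ? end - 1 : end;

        len += strlen(cat_names[start]);
        if (range > 2)
            len += strlen(cat_names[end_idx]) + strlen("(range  ) ");
        else if (range == 2)
            len += strlen(cat_names[end_idx]) + 2;
        else
            len += 1;
    }
    return len;
}

/* Bounded append: never writes past cap; returns the position the text would
 * have reached so the caller can compare it with what was allocated. */
static size_t append(char *buf, size_t cap, size_t pos, const char *fmt, ...)
{
    va_list ap;
    size_t room = pos < cap ? cap - pos : 0;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(room ? buf + pos : NULL, room, fmt, ap);
    va_end(ap);
    return pos + (n > 0 ? (size_t)n : 0);
}

/* Render the list into buf; returns the length actually required. */
static size_t cats_render(uint32_t bits, char *buf, size_t cap)
{
    size_t n = 0;
    unsigned pos = 0, start, end;

    while (next_run(bits, &pos, &start, &end)) {
        unsigned range = end - start + 1;
        if (range > 2)
            n = append(buf, cap, n, "(range %s %s) ", cat_names[start], cat_names[end]);
        else if (range == 2)
            n = append(buf, cap, n, "%s %s ", cat_names[start], cat_names[end]);
        else
            n = append(buf, cap, n, "%s ", cat_names[start]);
    }
    return n;
}

/* Allocate what the counter predicts, render, and apply the kind of safety
 * check the commit message describes: if more bytes were needed than were
 * counted, return NULL rather than write past the buffer. Caller frees. */
static char *cats_to_str(uint32_t bits, int end_index_bug)
{
    size_t len = cats_len(bits, end_index_bug);
    char *buf = malloc(len + 1);
    if (!buf)
        return NULL;
    if (cats_render(bits, buf, len + 1) > len) { /* under-allocation caught */
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void)
{
    uint32_t bits = 0x3u;   /* c0 and c1_very_long_category_name, as in the PoC */
    char *before = cats_to_str(bits, 1), *after = cats_to_str(bits, 0);

    printf("counted bytes before/after fix: %zu/%zu\n", cats_len(bits, 1), cats_len(bits, 0));
    printf("before: %s\nafter:  %s\n", before ? before : "(null)", after ? after : "(null)");
    free(before);
    free(after);
    return 0;
}
```

With the PoC's two categories the buggy counter predicts 6 bytes for a list that needs 30, so cats_to_str() returns NULL, which is the "(null)" in the Before line of the reproduction steps; with the fixed counter the two agree and the list is emitted. The same program shows why the bug stayed hidden: for a run like c2..c4, where the names at i-1 and i have the same length, both counters give 14 bytes, so only a run ending in a name longer than its predecessor exposes the off-by-one.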



* Re: [PATCH] libsepol: Fix off-by-one error in cats_ebitmap_len
  2026-03-30  1:51 [PATCH] libsepol: Fix off-by-one error in cats_ebitmap_len Thiébaud Weksteen
@ 2026-04-30 19:10 ` James Carter
  2026-05-04 10:25   ` Petr Lautrbach
  0 siblings, 1 reply; 5+ messages in thread
From: James Carter @ 2026-04-30 19:10 UTC (permalink / raw)
  To: Thiébaud Weksteen; +Cc: selinux, Stephen Smalley, Jeffrey Vander Stoep

On Sun, Mar 29, 2026 at 9:51 PM Thiébaud Weksteen <tweek@google.com> wrote:
>
> In cats_ebitmap_len(), i-1 was incorrectly used instead of i for looking up
> category names at the end of a range. This resulted in an under-allocation
> of the buffer for the CIL representation of category ranges, which causes
> cats_ebitmap_to_str() to fail its safety check and return (null).
>
> This fix correctly uses i (the current bit index) to look up the name for
> the category at the end of the range.
>
> Proof of Concept (PoC) Policy:
>   class p sid kernel class p { f }
>   sensitivity s0; dominance { s0 }
>   category c0; category c1_very_long_category_name;
>   level s0:c0.c1_very_long_category_name;
>   mlsconstrain p { f } l1 == l2;
>   type t; allow t self:p { f };
>   role r; role r types { t };
>   user u roles r level s0 range s0 - s0:c0.c1_very_long_category_name;
>   sid kernel u:r:t:s0 - s0:c0.c1_very_long_category_name
>
> Reproduction steps:
>   1. checkpolicy -M -o poc.bin poc.conf
>   2. checkpolicy -M -b -C -o poc.cil poc.bin
>   3. cat poc.cil | grep userrange
>      Before: (userrange u ((s0) (s0 (null))))
>      After: (userrange u ((s0) (s0 (c0 c1_very_long_category_name))))
>
> Signed-off-by: Thiébaud Weksteen <tweek@google.com>

Signed-off-by: James Carter <jwcart2@gmail.com>


* Re: [PATCH] libsepol: Fix off-by-one error in cats_ebitmap_len
  2026-04-30 19:10 ` James Carter
@ 2026-05-04 10:25   ` Petr Lautrbach
  2026-05-04 13:47     ` James Carter
  0 siblings, 1 reply; 5+ messages in thread
From: Petr Lautrbach @ 2026-05-04 10:25 UTC (permalink / raw)
  To: James Carter, Thiébaud Weksteen
  Cc: selinux, Stephen Smalley, Jeffrey Vander Stoep

James Carter <jwcart2@gmail.com> writes:

> On Sun, Mar 29, 2026 at 9:51 PM Thiébaud Weksteen <tweek@google.com> wrote:
>>
>> In cats_ebitmap_len(), i-1 was incorrectly used instead of i for looking up
>> category names at the end of a range. This resulted in an under-allocation
>> of the buffer for the CIL representation of category ranges, which causes
>> cats_ebitmap_to_str() to fail its safety check and return (null).
>>
>> This fix correctly uses i (the current bit index) to look up the name for
>> the category at the end of the range.
>>
>> Proof of Concept (PoC) Policy:
>>   class p sid kernel class p { f }
>>   sensitivity s0; dominance { s0 }
>>   category c0; category c1_very_long_category_name;
>>   level s0:c0.c1_very_long_category_name;
>>   mlsconstrain p { f } l1 == l2;
>>   type t; allow t self:p { f };
>>   role r; role r types { t };
>>   user u roles r level s0 range s0 - s0:c0.c1_very_long_category_name;
>>   sid kernel u:r:t:s0 - s0:c0.c1_very_long_category_name
>>
>> Reproduction steps:
>>   1. checkpolicy -M -o poc.bin poc.conf
>>   2. checkpolicy -M -b -C -o poc.cil poc.bin
>>   3. cat poc.cil | grep userrange
>>      Before: (userrange u ((s0) (s0 (null))))
>>      After: (userrange u ((s0) (s0 (c0 c1_very_long_category_name))))
>>
>> Signed-off-by: Thiébaud Weksteen <tweek@google.com>
>
> Signed-off-by: James Carter <jwcart2@gmail.com>

Was this supposed to be Acked-by?


* Re: [PATCH] libsepol: Fix off-by-one error in cats_ebitmap_len
  2026-05-04 10:25   ` Petr Lautrbach
@ 2026-05-04 13:47     ` James Carter
  2026-05-12 18:06       ` James Carter
  0 siblings, 1 reply; 5+ messages in thread
From: James Carter @ 2026-05-04 13:47 UTC (permalink / raw)
  To: Petr Lautrbach
  Cc: Thiébaud Weksteen, selinux, Stephen Smalley,
	Jeffrey Vander Stoep

On Mon, May 4, 2026 at 6:25 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
>
> James Carter <jwcart2@gmail.com> writes:
>
> > On Sun, Mar 29, 2026 at 9:51 PM Thiébaud Weksteen <tweek@google.com> wrote:
> >>
> >> In cats_ebitmap_len(), i-1 was incorrectly used instead of i for looking up
> >> category names at the end of a range. This resulted in an under-allocation
> >> of the buffer for the CIL representation of category ranges, which causes
> >> cats_ebitmap_to_str() to fail its safety check and return (null).
> >>
> >> This fix correctly uses i (the current bit index) to look up the name for
> >> the category at the end of the range.
> >>
> >> Proof of Concept (PoC) Policy:
> >>   class p sid kernel class p { f }
> >>   sensitivity s0; dominance { s0 }
> >>   category c0; category c1_very_long_category_name;
> >>   level s0:c0.c1_very_long_category_name;
> >>   mlsconstrain p { f } l1 == l2;
> >>   type t; allow t self:p { f };
> >>   role r; role r types { t };
> >>   user u roles r level s0 range s0 - s0:c0.c1_very_long_category_name;
> >>   sid kernel u:r:t:s0 - s0:c0.c1_very_long_category_name
> >>
> >> Reproduction steps:
> >>   1. checkpolicy -M -o poc.bin poc.conf
> >>   2. checkpolicy -M -b -C -o poc.cil poc.bin
> >>   3. cat poc.cil | grep userrange
> >>      Before: (userrange u ((s0) (s0 (null))))
> >>      After: (userrange u ((s0) (s0 (c0 c1_very_long_category_name))))
> >>
> >> Signed-off-by: Thiébaud Weksteen <tweek@google.com>
> >
> > Signed-off-by: James Carter <jwcart2@gmail.com>
>
> Was this supposed to be Acked-by?
>

Yes, sorry about that.

Acked-by: James Carter <jwcart2@gmail.com>


* Re: [PATCH] libsepol: Fix off-by-one error in cats_ebitmap_len
  2026-05-04 13:47     ` James Carter
@ 2026-05-12 18:06       ` James Carter
  0 siblings, 0 replies; 5+ messages in thread
From: James Carter @ 2026-05-12 18:06 UTC (permalink / raw)
  To: Petr Lautrbach
  Cc: Thiébaud Weksteen, selinux, Stephen Smalley,
	Jeffrey Vander Stoep

On Mon, May 4, 2026 at 9:47 AM James Carter <jwcart2@gmail.com> wrote:
>
> On Mon, May 4, 2026 at 6:25 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
> >
> > James Carter <jwcart2@gmail.com> writes:
> >
> > > On Sun, Mar 29, 2026 at 9:51 PM Thiébaud Weksteen <tweek@google.com> wrote:
> > >>
> > >> In cats_ebitmap_len(), i-1 was incorrectly used instead of i for looking up
> > >> category names at the end of a range. This resulted in an under-allocation
> > >> of the buffer for the CIL representation of category ranges, which causes
> > >> cats_ebitmap_to_str() to fail its safety check and return (null).
> > >>
> > >> This fix correctly uses i (the current bit index) to look up the name for
> > >> the category at the end of the range.
> > >>
> > >> Proof of Concept (PoC) Policy:
> > >>   class p sid kernel class p { f }
> > >>   sensitivity s0; dominance { s0 }
> > >>   category c0; category c1_very_long_category_name;
> > >>   level s0:c0.c1_very_long_category_name;
> > >>   mlsconstrain p { f } l1 == l2;
> > >>   type t; allow t self:p { f };
> > >>   role r; role r types { t };
> > >>   user u roles r level s0 range s0 - s0:c0.c1_very_long_category_name;
> > >>   sid kernel u:r:t:s0 - s0:c0.c1_very_long_category_name
> > >>
> > >> Reproduction steps:
> > >>   1. checkpolicy -M -o poc.bin poc.conf
> > >>   2. checkpolicy -M -b -C -o poc.cil poc.bin
> > >>   3. cat poc.cil | grep userrange
> > >>      Before: (userrange u ((s0) (s0 (null))))
> > >>      After: (userrange u ((s0) (s0 (c0 c1_very_long_category_name))))
> > >>
> > >> Signed-off-by: Thiébaud Weksteen <tweek@google.com>
> > >
> > > Signed-off-by: James Carter <jwcart2@gmail.com>
> >
> > Was this supposed to be Acked-by?
> >
>
> Yes, sorry about that.
>
> Acked-by: James Carter <jwcart2@gmail.com>
>

Merged.
Thanks,
Jim

