3 files changed, 0 insertions, 183 deletions
diff --git a/recipes-security/selinux/libsepol/CVE-2021-36084.patch b/recipes-security/selinux/libsepol/CVE-2021-36084.patch
deleted file mode 100644
index 1001563..0000000
--- a/recipes-security/selinux/libsepol/CVE-2021-36084.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From f34d3d30c8325e4847a6b696fe7a3936a8a361f3 Mon Sep 17 00:00:00 2001
-From: James Carter <jwcart2@gmail.com>
-Date: Thu, 8 Apr 2021 13:32:01 -0400
-Subject: [PATCH] libsepol/cil: Destroy classperms list when resetting
- classpermission
-Nicolas Iooss reports:
-  A few months ago, OSS-Fuzz found a crash in the CIL compiler, which
-  got reported as
-  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28648 (the title
-  is misleading, or is caused by another issue that conflicts with the
-  one I report in this message). Here is a minimized CIL policy which
-  reproduces the issue:
-  (class CLASS (PERM))
-  (classorder (CLASS))
-  (sid SID)
-  (sidorder (SID))
-  (user USER)
-  (role ROLE)
-  (type TYPE)
-  (category CAT)
-  (categoryorder (CAT))
-  (sensitivity SENS)
-  (sensitivityorder (SENS))
-  (sensitivitycategory SENS (CAT))
-  (allow TYPE self (CLASS (PERM)))
-  (roletype ROLE TYPE)
-  (userrole USER ROLE)
-  (userlevel USER (SENS))
-  (userrange USER ((SENS)(SENS (CAT))))
-  (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
-  (classpermission CLAPERM)
-  (optional OPT
-      (roletype nonexistingrole nonexistingtype)
-      (classpermissionset CLAPERM (CLASS (PERM)))
-  )
-  The CIL policy fuzzer (which mimics secilc built with clang Address
-  Sanitizer) reports:
-  ==36541==ERROR: AddressSanitizer: heap-use-after-free on address
-  0x603000004f98 at pc 0x56445134c842 bp 0x7ffe2a256590 sp
-  0x7ffe2a256588
-  READ of size 8 at 0x603000004f98 thread T0
-      #0 0x56445134c841 in __cil_verify_classperms
-  /selinux/libsepol/src/../cil/src/cil_verify.c:1620:8
-      #1 0x56445134a43e in __cil_verify_classpermission
-  /selinux/libsepol/src/../cil/src/cil_verify.c:1650:9
-      #2 0x56445134a43e in __cil_pre_verify_helper
-  /selinux/libsepol/src/../cil/src/cil_verify.c:1715:8
-      #3 0x5644513225ac in cil_tree_walk_core
-  /selinux/libsepol/src/../cil/src/cil_tree.c:272:9
-      #4 0x564451322ab1 in cil_tree_walk
-  /selinux/libsepol/src/../cil/src/cil_tree.c:316:7
-      #5 0x5644513226af in cil_tree_walk_core
-  /selinux/libsepol/src/../cil/src/cil_tree.c:284:9
-      #6 0x564451322ab1 in cil_tree_walk
-  /selinux/libsepol/src/../cil/src/cil_tree.c:316:7
-      #7 0x5644512b88fd in cil_pre_verify
-  /selinux/libsepol/src/../cil/src/cil_post.c:2510:7
-      #8 0x5644512b88fd in cil_post_process
-  /selinux/libsepol/src/../cil/src/cil_post.c:2524:7
-      #9 0x5644511856ff in cil_compile
-  /selinux/libsepol/src/../cil/src/cil.c:564:7
-The classperms list of a classpermission rule is created and filled
-in when classpermissionset rules are processed, so it doesn't own any
-part of the list and shouldn't retain any of it when it is reset.
-Destroy the classperms list (without destroying the data in it)  when
-resetting a classpermission rule.
-Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
-Signed-off-by: James Carter <jwcart2@gmail.com>
-Upstream-Status: Backport
-CVE: CVE-2021-36084
-Signed-off-by: Armin Kuster <akuster@mvista.com>
---
- libsepol/cil/src/cil_reset_ast.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-Index: libsepol-3.0/cil/src/cil_reset_ast.c
-===================================================================
--- libsepol-3.0.orig/cil/src/cil_reset_ast.c
-+++ libsepol-3.0/cil/src/cil_reset_ast.c
-@@ -52,7 +52,7 @@ static void cil_reset_classpermission(st
-                return;
-        }
- 
-       cil_reset_classperms_list(cp->classperms);
-+       cil_list_destroy(&cp->classperms, CIL_FALSE);
- }
- 
- static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)
diff --git a/recipes-security/selinux/libsepol/CVE-2021-36085.patch b/recipes-security/selinux/libsepol/CVE-2021-36085.patch
deleted file mode 100644
index 4bd05eb..0000000
--- a/recipes-security/selinux/libsepol/CVE-2021-36085.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba Mon Sep 17 00:00:00 2001
-From: James Carter <jwcart2@gmail.com>
-Date: Thu, 8 Apr 2021 13:32:04 -0400
-Subject: [PATCH] libsepol/cil: Destroy classperm list when resetting map perms
-Map perms share the same struct as regular perms, but only the
-map perms use the classperms field. This field is a pointer to a
-list of classperms that is created and added to when resolving
-classmapping rules, so the map permission doesn't own any of the
-data in the list and this list should be destroyed when the AST is
-reset.
-When resetting a perm, destroy the classperms list without destroying
-the data in the list.
-Signed-off-by: James Carter <jwcart2@gmail.com>
-Upstream-Status: Backport
-CVE: CVE-2021-36085
-Signed-off-by: Armin Kuster <akuster@mvista.com>
---
- libsepol/cil/src/cil_reset_ast.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-Index: libsepol-3.0/cil/src/cil_reset_ast.c
-===================================================================
--- libsepol-3.0.orig/cil/src/cil_reset_ast.c
-+++ libsepol-3.0/cil/src/cil_reset_ast.c
-@@ -34,7 +34,7 @@ static void cil_reset_class(struct cil_c
- 
- static void cil_reset_perm(struct cil_perm *perm)
- {
-       cil_reset_classperms_list(perm->classperms);
-+       cil_list_destroy(&perm->classperms, CIL_FALSE);
- }
- 
- static inline void cil_reset_classperms(struct cil_classperms *cp)
diff --git a/recipes-security/selinux/libsepol/CVE-2021-36086.patch b/recipes-security/selinux/libsepol/CVE-2021-36086.patch
deleted file mode 100644
index 7a2d616..0000000
--- a/recipes-security/selinux/libsepol/CVE-2021-36086.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 49f9aa2a460fc95f04c99b44f4dd0d22e2f0e5ee Mon Sep 17 00:00:00 2001
-From: James Carter <jwcart2@gmail.com>
-Date: Thu, 8 Apr 2021 13:32:06 -0400
-Subject: [PATCH] libsepol/cil: cil_reset_classperms_set() should not reset
- classpermission
-In struct cil_classperms_set, the set field is a pointer to a
-struct cil_classpermission which is looked up in the symbol table.
-Since the cil_classperms_set does not create the cil_classpermission,
-it should not reset it.
-Set the set field to NULL instead of resetting the classpermission
-that it points to.
-Signed-off-by: James Carter <jwcart2@gmail.com>
-Upstream-Status: Backport
-[https://github.com/SELinuxProject/selinux/commit/c49a8ea09501ad66e799ea41b8154b6770fec2c8]
-CVE: CVE-2021-36086
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- cil/src/cil_reset_ast.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-diff --git a/cil/src/cil_reset_ast.c b/cil/src/cil_reset_ast.c
-index 89f91e5..1d9ca70 100644
--- a/cil/src/cil_reset_ast.c
-+++ b/cil/src/cil_reset_ast.c
-@@ -59,7 +59,11 @@ static void cil_reset_classpermission(struct cil_classpermission *cp)
- 
- static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)
- {
-       cil_reset_classpermission(cp_set->set);
-+       if (cp_set == NULL) {
-+               return;
-+       }
-+
-+       cp_set->set = NULL;
- }
- 
- static inline void cil_reset_classperms_list(struct cil_list *cp_list)
-- 
-2.17.1

diff --git a/recipes-security/selinux/libsepol/CVE-2021-36084.patch b/recipes-security/selinux/libsepol/CVE-2021-36084.patch deleted file mode 100644 index 1001563..0000000 --- a/recipes-security/selinux/libsepol/CVE-2021-36084.patch +++ /dev/null
@@ -1,99 +0,0 @@
1	From f34d3d30c8325e4847a6b696fe7a3936a8a361f3 Mon Sep 17 00:00:00 2001
2	From: James Carter <jwcart2@gmail.com>
3	Date: Thu, 8 Apr 2021 13:32:01 -0400
4	Subject: [PATCH] libsepol/cil: Destroy classperms list when resetting
5	classpermission
6
7	Nicolas Iooss reports:
8	A few months ago, OSS-Fuzz found a crash in the CIL compiler, which
9	got reported as
10	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28648 (the title
11	is misleading, or is caused by another issue that conflicts with the
12	one I report in this message). Here is a minimized CIL policy which
13	reproduces the issue:
14
15	(class CLASS (PERM))
16	(classorder (CLASS))
17	(sid SID)
18	(sidorder (SID))
19	(user USER)
20	(role ROLE)
21	(type TYPE)
22	(category CAT)
23	(categoryorder (CAT))
24	(sensitivity SENS)
25	(sensitivityorder (SENS))
26	(sensitivitycategory SENS (CAT))
27	(allow TYPE self (CLASS (PERM)))
28	(roletype ROLE TYPE)
29	(userrole USER ROLE)
30	(userlevel USER (SENS))
31	(userrange USER ((SENS)(SENS (CAT))))
32	(sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
33
34	(classpermission CLAPERM)
35
36	(optional OPT
37	(roletype nonexistingrole nonexistingtype)
38	(classpermissionset CLAPERM (CLASS (PERM)))
39	)
40
41	The CIL policy fuzzer (which mimics secilc built with clang Address
42	Sanitizer) reports:
43
44	==36541==ERROR: AddressSanitizer: heap-use-after-free on address
45	0x603000004f98 at pc 0x56445134c842 bp 0x7ffe2a256590 sp
46	0x7ffe2a256588
47	READ of size 8 at 0x603000004f98 thread T0
48	#0 0x56445134c841 in __cil_verify_classperms
49	/selinux/libsepol/src/../cil/src/cil_verify.c:1620:8
50	#1 0x56445134a43e in __cil_verify_classpermission
51	/selinux/libsepol/src/../cil/src/cil_verify.c:1650:9
52	#2 0x56445134a43e in __cil_pre_verify_helper
53	/selinux/libsepol/src/../cil/src/cil_verify.c:1715:8
54	#3 0x5644513225ac in cil_tree_walk_core
55	/selinux/libsepol/src/../cil/src/cil_tree.c:272:9
56	#4 0x564451322ab1 in cil_tree_walk
57	/selinux/libsepol/src/../cil/src/cil_tree.c:316:7
58	#5 0x5644513226af in cil_tree_walk_core
59	/selinux/libsepol/src/../cil/src/cil_tree.c:284:9
60	#6 0x564451322ab1 in cil_tree_walk
61	/selinux/libsepol/src/../cil/src/cil_tree.c:316:7
62	#7 0x5644512b88fd in cil_pre_verify
63	/selinux/libsepol/src/../cil/src/cil_post.c:2510:7
64	#8 0x5644512b88fd in cil_post_process
65	/selinux/libsepol/src/../cil/src/cil_post.c:2524:7
66	#9 0x5644511856ff in cil_compile
67	/selinux/libsepol/src/../cil/src/cil.c:564:7
68
69	The classperms list of a classpermission rule is created and filled
70	in when classpermissionset rules are processed, so it doesn't own any
71	part of the list and shouldn't retain any of it when it is reset.
72
73	Destroy the classperms list (without destroying the data in it) when
74	resetting a classpermission rule.
75
76	Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
77	Signed-off-by: James Carter <jwcart2@gmail.com>
78
79	Upstream-Status: Backport
80	CVE: CVE-2021-36084
81	Signed-off-by: Armin Kuster <akuster@mvista.com>
82
83	---
84	libsepol/cil/src/cil_reset_ast.c \| 2 +-
85	1 file changed, 1 insertion(+), 1 deletion(-)
86
87	Index: libsepol-3.0/cil/src/cil_reset_ast.c
88	===================================================================
89	--- libsepol-3.0.orig/cil/src/cil_reset_ast.c
90	+++ libsepol-3.0/cil/src/cil_reset_ast.c
91	@@ -52,7 +52,7 @@ static void cil_reset_classpermission(st
92	return;
93	}
94
95	- cil_reset_classperms_list(cp->classperms);
96	+ cil_list_destroy(&cp->classperms, CIL_FALSE);
97	}
98
99	static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)


diff --git a/recipes-security/selinux/libsepol/CVE-2021-36085.patch b/recipes-security/selinux/libsepol/CVE-2021-36085.patch deleted file mode 100644 index 4bd05eb..0000000 --- a/recipes-security/selinux/libsepol/CVE-2021-36085.patch +++ /dev/null
@@ -1,38 +0,0 @@
1	From 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba Mon Sep 17 00:00:00 2001
2	From: James Carter <jwcart2@gmail.com>
3	Date: Thu, 8 Apr 2021 13:32:04 -0400
4	Subject: [PATCH] libsepol/cil: Destroy classperm list when resetting map perms
5
6	Map perms share the same struct as regular perms, but only the
7	map perms use the classperms field. This field is a pointer to a
8	list of classperms that is created and added to when resolving
9	classmapping rules, so the map permission doesn't own any of the
10	data in the list and this list should be destroyed when the AST is
11	reset.
12
13	When resetting a perm, destroy the classperms list without destroying
14	the data in the list.
15
16	Signed-off-by: James Carter <jwcart2@gmail.com>
17
18	Upstream-Status: Backport
19	CVE: CVE-2021-36085
20	Signed-off-by: Armin Kuster <akuster@mvista.com>
21
22	---
23	libsepol/cil/src/cil_reset_ast.c \| 2 +-
24	1 file changed, 1 insertion(+), 1 deletion(-)
25
26	Index: libsepol-3.0/cil/src/cil_reset_ast.c
27	===================================================================
28	--- libsepol-3.0.orig/cil/src/cil_reset_ast.c
29	+++ libsepol-3.0/cil/src/cil_reset_ast.c
30	@@ -34,7 +34,7 @@ static void cil_reset_class(struct cil_c
31
32	static void cil_reset_perm(struct cil_perm *perm)
33	{
34	- cil_reset_classperms_list(perm->classperms);
35	+ cil_list_destroy(&perm->classperms, CIL_FALSE);
36	}
37
38	static inline void cil_reset_classperms(struct cil_classperms *cp)


diff --git a/recipes-security/selinux/libsepol/CVE-2021-36086.patch b/recipes-security/selinux/libsepol/CVE-2021-36086.patch deleted file mode 100644 index 7a2d616..0000000 --- a/recipes-security/selinux/libsepol/CVE-2021-36086.patch +++ /dev/null
@@ -1,46 +0,0 @@
1	From 49f9aa2a460fc95f04c99b44f4dd0d22e2f0e5ee Mon Sep 17 00:00:00 2001
2	From: James Carter <jwcart2@gmail.com>
3	Date: Thu, 8 Apr 2021 13:32:06 -0400
4	Subject: [PATCH] libsepol/cil: cil_reset_classperms_set() should not reset
5	classpermission
6
7	In struct cil_classperms_set, the set field is a pointer to a
8	struct cil_classpermission which is looked up in the symbol table.
9	Since the cil_classperms_set does not create the cil_classpermission,
10	it should not reset it.
11
12	Set the set field to NULL instead of resetting the classpermission
13	that it points to.
14
15	Signed-off-by: James Carter <jwcart2@gmail.com>
16
17	Upstream-Status: Backport
18	[https://github.com/SELinuxProject/selinux/commit/c49a8ea09501ad66e799ea41b8154b6770fec2c8]
19
20	CVE: CVE-2021-36086
21
22	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
23	---
24	cil/src/cil_reset_ast.c \| 6 +++++-
25	1 file changed, 5 insertions(+), 1 deletion(-)
26
27	diff --git a/cil/src/cil_reset_ast.c b/cil/src/cil_reset_ast.c
28	index 89f91e5..1d9ca70 100644
29	--- a/cil/src/cil_reset_ast.c
30	+++ b/cil/src/cil_reset_ast.c
31	@@ -59,7 +59,11 @@ static void cil_reset_classpermission(struct cil_classpermission *cp)
32
33	static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)
34	{
35	- cil_reset_classpermission(cp_set->set);
36	+ if (cp_set == NULL) {
37	+ return;
38	+ }
39	+
40	+ cp_set->set = NULL;
41	}
42
43	static inline void cil_reset_classperms_list(struct cil_list *cp_list)
44	--
45	2.17.1
46