diff options
Diffstat (limited to 'recipes-security/selinux/libsepol')
3 files changed, 0 insertions, 183 deletions
diff --git a/recipes-security/selinux/libsepol/CVE-2021-36084.patch b/recipes-security/selinux/libsepol/CVE-2021-36084.patch deleted file mode 100644 index 1001563..0000000 --- a/recipes-security/selinux/libsepol/CVE-2021-36084.patch +++ /dev/null | |||
@@ -1,99 +0,0 @@ | |||
1 | From f34d3d30c8325e4847a6b696fe7a3936a8a361f3 Mon Sep 17 00:00:00 2001 | ||
2 | From: James Carter <jwcart2@gmail.com> | ||
3 | Date: Thu, 8 Apr 2021 13:32:01 -0400 | ||
4 | Subject: [PATCH] libsepol/cil: Destroy classperms list when resetting | ||
5 | classpermission | ||
6 | |||
7 | Nicolas Iooss reports: | ||
8 | A few months ago, OSS-Fuzz found a crash in the CIL compiler, which | ||
9 | got reported as | ||
10 | https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28648 (the title | ||
11 | is misleading, or is caused by another issue that conflicts with the | ||
12 | one I report in this message). Here is a minimized CIL policy which | ||
13 | reproduces the issue: | ||
14 | |||
15 | (class CLASS (PERM)) | ||
16 | (classorder (CLASS)) | ||
17 | (sid SID) | ||
18 | (sidorder (SID)) | ||
19 | (user USER) | ||
20 | (role ROLE) | ||
21 | (type TYPE) | ||
22 | (category CAT) | ||
23 | (categoryorder (CAT)) | ||
24 | (sensitivity SENS) | ||
25 | (sensitivityorder (SENS)) | ||
26 | (sensitivitycategory SENS (CAT)) | ||
27 | (allow TYPE self (CLASS (PERM))) | ||
28 | (roletype ROLE TYPE) | ||
29 | (userrole USER ROLE) | ||
30 | (userlevel USER (SENS)) | ||
31 | (userrange USER ((SENS)(SENS (CAT)))) | ||
32 | (sidcontext SID (USER ROLE TYPE ((SENS)(SENS)))) | ||
33 | |||
34 | (classpermission CLAPERM) | ||
35 | |||
36 | (optional OPT | ||
37 | (roletype nonexistingrole nonexistingtype) | ||
38 | (classpermissionset CLAPERM (CLASS (PERM))) | ||
39 | ) | ||
40 | |||
41 | The CIL policy fuzzer (which mimics secilc built with clang Address | ||
42 | Sanitizer) reports: | ||
43 | |||
44 | ==36541==ERROR: AddressSanitizer: heap-use-after-free on address | ||
45 | 0x603000004f98 at pc 0x56445134c842 bp 0x7ffe2a256590 sp | ||
46 | 0x7ffe2a256588 | ||
47 | READ of size 8 at 0x603000004f98 thread T0 | ||
48 | #0 0x56445134c841 in __cil_verify_classperms | ||
49 | /selinux/libsepol/src/../cil/src/cil_verify.c:1620:8 | ||
50 | #1 0x56445134a43e in __cil_verify_classpermission | ||
51 | /selinux/libsepol/src/../cil/src/cil_verify.c:1650:9 | ||
52 | #2 0x56445134a43e in __cil_pre_verify_helper | ||
53 | /selinux/libsepol/src/../cil/src/cil_verify.c:1715:8 | ||
54 | #3 0x5644513225ac in cil_tree_walk_core | ||
55 | /selinux/libsepol/src/../cil/src/cil_tree.c:272:9 | ||
56 | #4 0x564451322ab1 in cil_tree_walk | ||
57 | /selinux/libsepol/src/../cil/src/cil_tree.c:316:7 | ||
58 | #5 0x5644513226af in cil_tree_walk_core | ||
59 | /selinux/libsepol/src/../cil/src/cil_tree.c:284:9 | ||
60 | #6 0x564451322ab1 in cil_tree_walk | ||
61 | /selinux/libsepol/src/../cil/src/cil_tree.c:316:7 | ||
62 | #7 0x5644512b88fd in cil_pre_verify | ||
63 | /selinux/libsepol/src/../cil/src/cil_post.c:2510:7 | ||
64 | #8 0x5644512b88fd in cil_post_process | ||
65 | /selinux/libsepol/src/../cil/src/cil_post.c:2524:7 | ||
66 | #9 0x5644511856ff in cil_compile | ||
67 | /selinux/libsepol/src/../cil/src/cil.c:564:7 | ||
68 | |||
69 | The classperms list of a classpermission rule is created and filled | ||
70 | in when classpermissionset rules are processed, so it doesn't own any | ||
71 | part of the list and shouldn't retain any of it when it is reset. | ||
72 | |||
73 | Destroy the classperms list (without destroying the data in it) when | ||
74 | resetting a classpermission rule. | ||
75 | |||
76 | Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org> | ||
77 | Signed-off-by: James Carter <jwcart2@gmail.com> | ||
78 | |||
79 | Upstream-Status: Backport | ||
80 | CVE: CVE-2021-36084 | ||
81 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
82 | |||
83 | --- | ||
84 | libsepol/cil/src/cil_reset_ast.c | 2 +- | ||
85 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
86 | |||
87 | Index: libsepol-3.0/cil/src/cil_reset_ast.c | ||
88 | =================================================================== | ||
89 | --- libsepol-3.0.orig/cil/src/cil_reset_ast.c | ||
90 | +++ libsepol-3.0/cil/src/cil_reset_ast.c | ||
91 | @@ -52,7 +52,7 @@ static void cil_reset_classpermission(st | ||
92 | return; | ||
93 | } | ||
94 | |||
95 | - cil_reset_classperms_list(cp->classperms); | ||
96 | + cil_list_destroy(&cp->classperms, CIL_FALSE); | ||
97 | } | ||
98 | |||
99 | static void cil_reset_classperms_set(struct cil_classperms_set *cp_set) | ||
diff --git a/recipes-security/selinux/libsepol/CVE-2021-36085.patch b/recipes-security/selinux/libsepol/CVE-2021-36085.patch deleted file mode 100644 index 4bd05eb..0000000 --- a/recipes-security/selinux/libsepol/CVE-2021-36085.patch +++ /dev/null | |||
@@ -1,38 +0,0 @@ | |||
1 | From 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba Mon Sep 17 00:00:00 2001 | ||
2 | From: James Carter <jwcart2@gmail.com> | ||
3 | Date: Thu, 8 Apr 2021 13:32:04 -0400 | ||
4 | Subject: [PATCH] libsepol/cil: Destroy classperm list when resetting map perms | ||
5 | |||
6 | Map perms share the same struct as regular perms, but only the | ||
7 | map perms use the classperms field. This field is a pointer to a | ||
8 | list of classperms that is created and added to when resolving | ||
9 | classmapping rules, so the map permission doesn't own any of the | ||
10 | data in the list and this list should be destroyed when the AST is | ||
11 | reset. | ||
12 | |||
13 | When resetting a perm, destroy the classperms list without destroying | ||
14 | the data in the list. | ||
15 | |||
16 | Signed-off-by: James Carter <jwcart2@gmail.com> | ||
17 | |||
18 | Upstream-Status: Backport | ||
19 | CVE: CVE-2021-36085 | ||
20 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
21 | |||
22 | --- | ||
23 | libsepol/cil/src/cil_reset_ast.c | 2 +- | ||
24 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
25 | |||
26 | Index: libsepol-3.0/cil/src/cil_reset_ast.c | ||
27 | =================================================================== | ||
28 | --- libsepol-3.0.orig/cil/src/cil_reset_ast.c | ||
29 | +++ libsepol-3.0/cil/src/cil_reset_ast.c | ||
30 | @@ -34,7 +34,7 @@ static void cil_reset_class(struct cil_c | ||
31 | |||
32 | static void cil_reset_perm(struct cil_perm *perm) | ||
33 | { | ||
34 | - cil_reset_classperms_list(perm->classperms); | ||
35 | + cil_list_destroy(&perm->classperms, CIL_FALSE); | ||
36 | } | ||
37 | |||
38 | static inline void cil_reset_classperms(struct cil_classperms *cp) | ||
diff --git a/recipes-security/selinux/libsepol/CVE-2021-36086.patch b/recipes-security/selinux/libsepol/CVE-2021-36086.patch deleted file mode 100644 index 7a2d616..0000000 --- a/recipes-security/selinux/libsepol/CVE-2021-36086.patch +++ /dev/null | |||
@@ -1,46 +0,0 @@ | |||
1 | From 49f9aa2a460fc95f04c99b44f4dd0d22e2f0e5ee Mon Sep 17 00:00:00 2001 | ||
2 | From: James Carter <jwcart2@gmail.com> | ||
3 | Date: Thu, 8 Apr 2021 13:32:06 -0400 | ||
4 | Subject: [PATCH] libsepol/cil: cil_reset_classperms_set() should not reset | ||
5 | classpermission | ||
6 | |||
7 | In struct cil_classperms_set, the set field is a pointer to a | ||
8 | struct cil_classpermission which is looked up in the symbol table. | ||
9 | Since the cil_classperms_set does not create the cil_classpermission, | ||
10 | it should not reset it. | ||
11 | |||
12 | Set the set field to NULL instead of resetting the classpermission | ||
13 | that it points to. | ||
14 | |||
15 | Signed-off-by: James Carter <jwcart2@gmail.com> | ||
16 | |||
17 | Upstream-Status: Backport | ||
18 | [https://github.com/SELinuxProject/selinux/commit/c49a8ea09501ad66e799ea41b8154b6770fec2c8] | ||
19 | |||
20 | CVE: CVE-2021-36086 | ||
21 | |||
22 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
23 | --- | ||
24 | cil/src/cil_reset_ast.c | 6 +++++- | ||
25 | 1 file changed, 5 insertions(+), 1 deletion(-) | ||
26 | |||
27 | diff --git a/cil/src/cil_reset_ast.c b/cil/src/cil_reset_ast.c | ||
28 | index 89f91e5..1d9ca70 100644 | ||
29 | --- a/cil/src/cil_reset_ast.c | ||
30 | +++ b/cil/src/cil_reset_ast.c | ||
31 | @@ -59,7 +59,11 @@ static void cil_reset_classpermission(struct cil_classpermission *cp) | ||
32 | |||
33 | static void cil_reset_classperms_set(struct cil_classperms_set *cp_set) | ||
34 | { | ||
35 | - cil_reset_classpermission(cp_set->set); | ||
36 | + if (cp_set == NULL) { | ||
37 | + return; | ||
38 | + } | ||
39 | + | ||
40 | + cp_set->set = NULL; | ||
41 | } | ||
42 | |||
43 | static inline void cil_reset_classperms_list(struct cil_list *cp_list) | ||
44 | -- | ||
45 | 2.17.1 | ||
46 | |||