authorArmin Kuster <akuster@mvista.com>2021-09-16 16:57:34 -0700
committerJoe MacDonald <joe@deserted.net>2021-09-16 20:22:02 -0400
commit3525f5c3f4c532b65a517db4e55233e7478ab2f0 (patch)
tree7679614ad570c3eba5fdbe301745a0f369106e76
parent8ababf1e5b18747ce0cd1dc12f51519d373e1bcd (diff)
downloadmeta-selinux-3525f5c3f4c532b65a517db4e55233e7478ab2f0.tar.gz
libsepol: Security fix CVE-2021-36084
Source: https://github.com/SELinuxProject/selinux
MR: 111851
Type: Security Fix
Disposition: Backport from https://github.com/SELinuxProject/selinux/commit/f34d3d30c8325e4847a6b696fe7a3936a8a361f3
ChangeID: 7fae27568e26ccbb18be3d2a1ce7332d42706f18
Description:

Affects: libsepol < 3.2

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
-rw-r--r--recipes-security/selinux/libsepol/CVE-2021-36084.patch99
-rw-r--r--recipes-security/selinux/libsepol_3.2.bb2
2 files changed, 101 insertions, 0 deletions
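--- /dev/null
+++ b/recipes-security/selinux/libsepol/CVE-2021-36084.patch
@@ -0,0 +1,99 @@
+From f34d3d30c8325e4847a6b696fe7a3936a8a361f3 Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Thu, 8 Apr 2021 13:32:01 -0400
+Subject: [PATCH] libsepol/cil: Destroy classperms list when resetting
+ classpermission
+
+Nicolas Iooss reports:
+ A few months ago, OSS-Fuzz found a crash in the CIL compiler, which
+ got reported as
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28648 (the title
+ is misleading, or is caused by another issue that conflicts with the
+ one I report in this message). Here is a minimized CIL policy which
+ reproduces the issue:
+
+ (class CLASS (PERM))
+ (classorder (CLASS))
+ (sid SID)
+ (sidorder (SID))
+ (user USER)
+ (role ROLE)
+ (type TYPE)
+ (category CAT)
+ (categoryorder (CAT))
+ (sensitivity SENS)
+ (sensitivityorder (SENS))
+ (sensitivitycategory SENS (CAT))
+ (allow TYPE self (CLASS (PERM)))
+ (roletype ROLE TYPE)
+ (userrole USER ROLE)
+ (userlevel USER (SENS))
+ (userrange USER ((SENS)(SENS (CAT))))
+ (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
+
+ (classpermission CLAPERM)
+
+ (optional OPT
+ (roletype nonexistingrole nonexistingtype)
+ (classpermissionset CLAPERM (CLASS (PERM)))
+ )
+
+ The CIL policy fuzzer (which mimics secilc built with clang Address
+ Sanitizer) reports:
+
+ ==36541==ERROR: AddressSanitizer: heap-use-after-free on address
+ 0x603000004f98 at pc 0x56445134c842 bp 0x7ffe2a256590 sp
+ 0x7ffe2a256588
+ READ of size 8 at 0x603000004f98 thread T0
+ #0 0x56445134c841 in __cil_verify_classperms
+ /selinux/libsepol/src/../cil/src/cil_verify.c:1620:8
+ #1 0x56445134a43e in __cil_verify_classpermission
+ /selinux/libsepol/src/../cil/src/cil_verify.c:1650:9
+ #2 0x56445134a43e in __cil_pre_verify_helper
+ /selinux/libsepol/src/../cil/src/cil_verify.c:1715:8
+ #3 0x5644513225ac in cil_tree_walk_core
+ /selinux/libsepol/src/../cil/src/cil_tree.c:272:9
+ #4 0x564451322ab1 in cil_tree_walk
+ /selinux/libsepol/src/../cil/src/cil_tree.c:316:7
+ #5 0x5644513226af in cil_tree_walk_core
+ /selinux/libsepol/src/../cil/src/cil_tree.c:284:9
+ #6 0x564451322ab1 in cil_tree_walk
+ /selinux/libsepol/src/../cil/src/cil_tree.c:316:7
+ #7 0x5644512b88fd in cil_pre_verify
+ /selinux/libsepol/src/../cil/src/cil_post.c:2510:7
+ #8 0x5644512b88fd in cil_post_process
+ /selinux/libsepol/src/../cil/src/cil_post.c:2524:7
+ #9 0x5644511856ff in cil_compile
+ /selinux/libsepol/src/../cil/src/cil.c:564:7
+
+The classperms list of a classpermission rule is created and filled
+in when classpermissionset rules are processed, so it doesn't own any
+part of the list and shouldn't retain any of it when it is reset.
+
+Destroy the classperms list (without destroying the data in it) when
+resetting a classpermission rule.
+
+Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
+Signed-off-by: James Carter <jwcart2@gmail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-36084
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libsepol/cil/src/cil_reset_ast.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: libsepol-3.0/cil/src/cil_reset_ast.c
+===================================================================
+--- libsepol-3.0.orig/cil/src/cil_reset_ast.c
++++ libsepol-3.0/cil/src/cil_reset_ast.c
+@@ -52,7 +52,7 @@ static void cil_reset_classpermission(st
+ return;
+ }
+
+- cil_reset_classperms_list(cp->classperms);
++ cil_list_destroy(&cp->classperms, CIL_FALSE);
+ }
+
+ static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)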
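Review bot: The embedded hunk is rooted at `libsepol-3.0` (`Index: libsepol-3.0/cil/src/cil_reset_ast.c`, with the truncated `@@` context `cil_reset_classpermission(st`), which suggests it was refreshed against a 3.0 tree rather than the 3.2 source that applies it. It should be confirmed to apply to 3.2 without fuzz or offsets, and regenerated from that tree if it does not. The tag `Upstream-Status: Backport` would be easier to audit with its origin attached, e.g. `Upstream-Status: Backport [https://github.com/SELinuxProject/selinux/commit/f34d3d30c8325e4847a6b696fe7a3936a8a361f3]`. The body of `cil_reset_classpermission` starts outside the hunk, so only the tail of its early-return guard is visible here.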
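--- a/recipes-security/selinux/libsepol_3.2.bb
+++ b/recipes-security/selinux/libsepol_3.2.bb
@@ -9,6 +9,8 @@ LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
 
 require selinux_common.inc
 
+SRC_URI += "file://CVE-2021-36084.patch"
+
 inherit lib_package
 
 S = "${WORKDIR}/git/libsepol"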
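Review bot: The commit description states `Affects: libsepol < 3.2`, but `SRC_URI += "file://CVE-2021-36084.patch"` is added to `libsepol_3.2.bb`, so the two disagree about whether 3.2 itself is affected. Either the description should read `<= 3.2` or the patch is not needed in this recipe. Settling this matters for CVE tracking on the layer. A short comment above the line, such as `# CVE-2021-36084: heap use-after-free in CIL classpermission reset; drop once the recipe moves to a release containing upstream f34d3d30c832`, would tell the next upgrader when the patch can be removed.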