2 files changed, 100 insertions, 0 deletions
diff --git a/recipes-security/selinux/libsepol/CVE-2021-36084.patch b/recipes-security/selinux/libsepol/CVE-2021-36084.patch
new file mode 100644
index 0000000..1001563
--- /dev/null
+++ b/recipes-security/selinux/libsepol/CVE-2021-36084.patch
@@ -0,0 +1,99 @@
+From f34d3d30c8325e4847a6b696fe7a3936a8a361f3 Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Thu, 8 Apr 2021 13:32:01 -0400
+Subject: [PATCH] libsepol/cil: Destroy classperms list when resetting
+ classpermission
+Nicolas Iooss reports:
+  A few months ago, OSS-Fuzz found a crash in the CIL compiler, which
+  got reported as
+  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28648 (the title
+  is misleading, or is caused by another issue that conflicts with the
+  one I report in this message). Here is a minimized CIL policy which
+  reproduces the issue:
+  (class CLASS (PERM))
+  (classorder (CLASS))
+  (sid SID)
+  (sidorder (SID))
+  (user USER)
+  (role ROLE)
+  (type TYPE)
+  (category CAT)
+  (categoryorder (CAT))
+  (sensitivity SENS)
+  (sensitivityorder (SENS))
+  (sensitivitycategory SENS (CAT))
+  (allow TYPE self (CLASS (PERM)))
+  (roletype ROLE TYPE)
+  (userrole USER ROLE)
+  (userlevel USER (SENS))
+  (userrange USER ((SENS)(SENS (CAT))))
+  (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
+  (classpermission CLAPERM)
+  (optional OPT
+      (roletype nonexistingrole nonexistingtype)
+      (classpermissionset CLAPERM (CLASS (PERM)))
+  )
+  The CIL policy fuzzer (which mimics secilc built with clang Address
+  Sanitizer) reports:
+  ==36541==ERROR: AddressSanitizer: heap-use-after-free on address
+  0x603000004f98 at pc 0x56445134c842 bp 0x7ffe2a256590 sp
+  0x7ffe2a256588
+  READ of size 8 at 0x603000004f98 thread T0
+      #0 0x56445134c841 in __cil_verify_classperms
+  /selinux/libsepol/src/../cil/src/cil_verify.c:1620:8
+      #1 0x56445134a43e in __cil_verify_classpermission
+  /selinux/libsepol/src/../cil/src/cil_verify.c:1650:9
+      #2 0x56445134a43e in __cil_pre_verify_helper
+  /selinux/libsepol/src/../cil/src/cil_verify.c:1715:8
+      #3 0x5644513225ac in cil_tree_walk_core
+  /selinux/libsepol/src/../cil/src/cil_tree.c:272:9
+      #4 0x564451322ab1 in cil_tree_walk
+  /selinux/libsepol/src/../cil/src/cil_tree.c:316:7
+      #5 0x5644513226af in cil_tree_walk_core
+  /selinux/libsepol/src/../cil/src/cil_tree.c:284:9
+      #6 0x564451322ab1 in cil_tree_walk
+  /selinux/libsepol/src/../cil/src/cil_tree.c:316:7
+      #7 0x5644512b88fd in cil_pre_verify
+  /selinux/libsepol/src/../cil/src/cil_post.c:2510:7
+      #8 0x5644512b88fd in cil_post_process
+  /selinux/libsepol/src/../cil/src/cil_post.c:2524:7
+      #9 0x5644511856ff in cil_compile
+  /selinux/libsepol/src/../cil/src/cil.c:564:7
+The classperms list of a classpermission rule is created and filled
+in when classpermissionset rules are processed, so it doesn't own any
+part of the list and shouldn't retain any of it when it is reset.
+Destroy the classperms list (without destroying the data in it)  when
+resetting a classpermission rule.
+Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
+Signed-off-by: James Carter <jwcart2@gmail.com>
+Upstream-Status: Backport
+CVE: CVE-2021-36084
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ libsepol/cil/src/cil_reset_ast.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+Index: libsepol-3.0/cil/src/cil_reset_ast.c
+===================================================================
+--- libsepol-3.0.orig/cil/src/cil_reset_ast.c
+++ libsepol-3.0/cil/src/cil_reset_ast.c
+@@ -52,7 +52,7 @@ static void cil_reset_classpermission(st
+                return;
+        }
+ 
+-       cil_reset_classperms_list(cp->classperms);
+       cil_list_destroy(&cp->classperms, CIL_FALSE);
+ }
+ 
+ static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)
diff --git a/recipes-security/selinux/libsepol_3.0.bb b/recipes-security/selinux/libsepol_3.0.bb
index 58559d7..537377b 100644
--- a/recipes-security/selinux/libsepol_3.0.bb
+++ b/recipes-security/selinux/libsepol_3.0.bb
@@ -9,4 +9,5 @@ SRC_URI[sha256sum] = "5b7ae1881909f1048b06f7a0c364c5c8a86ec12e0ec76e740fe9595a60
 SRC_URI += "\
        file://0001-libsepol-fix-CIL_KEY_-build-errors-with-fno-common.patch \
        file://0001-libsepol-remove-leftovers-of-cil_mem_error_handler.patch \
+        file://CVE-2021-36084.patch \
        "

diff --git a/recipes-security/selinux/libsepol/CVE-2021-36084.patch b/recipes-security/selinux/libsepol/CVE-2021-36084.patch new file mode 100644 index 0000000..1001563 --- /dev/null +++ b/recipes-security/selinux/libsepol/CVE-2021-36084.patch
@@ -0,0 +1,99 @@
		1	From f34d3d30c8325e4847a6b696fe7a3936a8a361f3 Mon Sep 17 00:00:00 2001
		2	From: James Carter <jwcart2@gmail.com>
		3	Date: Thu, 8 Apr 2021 13:32:01 -0400
		4	Subject: [PATCH] libsepol/cil: Destroy classperms list when resetting
		5	classpermission
		6
		7	Nicolas Iooss reports:
		8	A few months ago, OSS-Fuzz found a crash in the CIL compiler, which
		9	got reported as
		10	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28648 (the title
		11	is misleading, or is caused by another issue that conflicts with the
		12	one I report in this message). Here is a minimized CIL policy which
		13	reproduces the issue:
		14
		15	(class CLASS (PERM))
		16	(classorder (CLASS))
		17	(sid SID)
		18	(sidorder (SID))
		19	(user USER)
		20	(role ROLE)
		21	(type TYPE)
		22	(category CAT)
		23	(categoryorder (CAT))
		24	(sensitivity SENS)
		25	(sensitivityorder (SENS))
		26	(sensitivitycategory SENS (CAT))
		27	(allow TYPE self (CLASS (PERM)))
		28	(roletype ROLE TYPE)
		29	(userrole USER ROLE)
		30	(userlevel USER (SENS))
		31	(userrange USER ((SENS)(SENS (CAT))))
		32	(sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
		33
		34	(classpermission CLAPERM)
		35
		36	(optional OPT
		37	(roletype nonexistingrole nonexistingtype)
		38	(classpermissionset CLAPERM (CLASS (PERM)))
		39	)
		40
		41	The CIL policy fuzzer (which mimics secilc built with clang Address
		42	Sanitizer) reports:
		43
		44	==36541==ERROR: AddressSanitizer: heap-use-after-free on address
		45	0x603000004f98 at pc 0x56445134c842 bp 0x7ffe2a256590 sp
		46	0x7ffe2a256588
		47	READ of size 8 at 0x603000004f98 thread T0
		48	#0 0x56445134c841 in __cil_verify_classperms
		49	/selinux/libsepol/src/../cil/src/cil_verify.c:1620:8
		50	#1 0x56445134a43e in __cil_verify_classpermission
		51	/selinux/libsepol/src/../cil/src/cil_verify.c:1650:9
		52	#2 0x56445134a43e in __cil_pre_verify_helper
		53	/selinux/libsepol/src/../cil/src/cil_verify.c:1715:8
		54	#3 0x5644513225ac in cil_tree_walk_core
		55	/selinux/libsepol/src/../cil/src/cil_tree.c:272:9
		56	#4 0x564451322ab1 in cil_tree_walk
		57	/selinux/libsepol/src/../cil/src/cil_tree.c:316:7
		58	#5 0x5644513226af in cil_tree_walk_core
		59	/selinux/libsepol/src/../cil/src/cil_tree.c:284:9
		60	#6 0x564451322ab1 in cil_tree_walk
		61	/selinux/libsepol/src/../cil/src/cil_tree.c:316:7
		62	#7 0x5644512b88fd in cil_pre_verify
		63	/selinux/libsepol/src/../cil/src/cil_post.c:2510:7
		64	#8 0x5644512b88fd in cil_post_process
		65	/selinux/libsepol/src/../cil/src/cil_post.c:2524:7
		66	#9 0x5644511856ff in cil_compile
		67	/selinux/libsepol/src/../cil/src/cil.c:564:7
		68
		69	The classperms list of a classpermission rule is created and filled
		70	in when classpermissionset rules are processed, so it doesn't own any
		71	part of the list and shouldn't retain any of it when it is reset.
		72
		73	Destroy the classperms list (without destroying the data in it) when
		74	resetting a classpermission rule.
		75
		76	Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
		77	Signed-off-by: James Carter <jwcart2@gmail.com>
		78
		79	Upstream-Status: Backport
		80	CVE: CVE-2021-36084
		81	Signed-off-by: Armin Kuster <akuster@mvista.com>
		82
		83	---
		84	libsepol/cil/src/cil_reset_ast.c \| 2 +-
		85	1 file changed, 1 insertion(+), 1 deletion(-)
		86
		87	Index: libsepol-3.0/cil/src/cil_reset_ast.c
		88	===================================================================
		89	--- libsepol-3.0.orig/cil/src/cil_reset_ast.c
		90	+++ libsepol-3.0/cil/src/cil_reset_ast.c
		91	@@ -52,7 +52,7 @@ static void cil_reset_classpermission(st
		92	return;
		93	}
		94
		95	- cil_reset_classperms_list(cp->classperms);
		96	+ cil_list_destroy(&cp->classperms, CIL_FALSE);
		97	}
		98
		99	static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)


diff --git a/recipes-security/selinux/libsepol_3.0.bb b/recipes-security/selinux/libsepol_3.0.bb index 58559d7..537377b 100644 --- a/recipes-security/selinux/libsepol_3.0.bb +++ b/recipes-security/selinux/libsepol_3.0.bb
@@ -9,4 +9,5 @@ SRC_URI[sha256sum] = "5b7ae1881909f1048b06f7a0c364c5c8a86ec12e0ec76e740fe9595a60
9	SRC_URI += "\	9	SRC_URI += "\
10	file://0001-libsepol-fix-CIL_KEY_-build-errors-with-fno-common.patch \	10	file://0001-libsepol-fix-CIL_KEY_-build-errors-with-fno-common.patch \
11	file://0001-libsepol-remove-leftovers-of-cil_mem_error_handler.patch \	11	file://0001-libsepol-remove-leftovers-of-cil_mem_error_handler.patch \
		12	file://CVE-2021-36084.patch \
12	"	13	"