libsepol/cil: do not allow \0 in quoted strings

2022-02-16 11:03:16 +08:00 · 2022-02-16 11:03:16 +08:00 · fd9e1e6f30
commit fd9e1e6f30
parent 76dd5f3bc3
2 changed files with 46 additions and 1 deletions
--- a/backport-libsepol-cil-do-not-allow-0-in-quoted-strings.patch
+++ b/backport-libsepol-cil-do-not-allow-0-in-quoted-strings.patch
@ -0,0 +1,41 @@
+From af29a235531f66882e5a027e1348658b8d8c1e68 Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss <nicolas.iooss@m4x.org>
+Date: Mon, 12 Jul 2021 10:44:28 +0200
+Subject: [PATCH] libsepol/cil: do not allow \0 in quoted strings
+
+Using the '\0' character in strings in a CIL policy is not expected to
+happen, and makes the flex tokenizer very slow. For example when
+generating a file with:
+
+    python -c 'print("\"" + "\0"*100000 + "\"")' > policy.cil
+
+secilc fails after 26 seconds, on my desktop computer. Increasing the
+numbers of \0 makes this time increase significantly. But replacing \0
+with another character makes secilc fail in only few milliseconds.
+
+Fix this "possible denial of service" issue by forbidding \0 in strings
+in CIL policies.
+
+Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36016
+
+Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
+---
+ libsepol/cil/src/cil_lexer.l | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsepol/cil/src/cil_lexer.l b/libsepol/cil/src/cil_lexer.l
+index e28c33e..8bf2b6e 100644
+--- a/libsepol/cil/src/cil_lexer.l
+++ b/libsepol/cil/src/cil_lexer.l
+@@ -49,7 +49,7 @@ spec_char	[\[\]\.\@\=\/\*\-\_\$\%\+\-\!\|\&\^\:\~\`\#\{\}\'\<\>\?\,]
+ symbol		({digit}|{alpha}|{spec_char})+
+ white		[ \t]
+ newline		[\n\r]
+-qstring		\"[^"\n]*\"
+qstring		\"[^"\n\0]*\"
+ hll_lm          ^;;\*
+ comment		;
+ 
+-- 
+1.8.3.1
+
--- a/libsepol.spec
+++ b/libsepol.spec
@ -1,6 +1,6 @@
 Name:           libsepol
 Version:        3.1
-Release:        6
+Release:        7
 Summary:        SELinux binary policy manipulation library
 License:        LGPLv2+
 URL:            https://github.com/SELinuxProject/selinux/wiki/Releases
@ -46,6 +46,7 @@ Patch36:        backport-libsepol-cil-Allow-permission-expressions-when-using.pa
 Patch37:        backport-libsepol-cil-fix-NULL-pointer-dereference-in-__cil_i.patch
 Patch38:        backport-libsepol-cil-Properly-check-for-parameter-when-inser.patch
 Patch39:        backport-libsepol-cil-Reset-expandtypeattribute-rules-when-re.patch
+Patch40:        backport-libsepol-cil-do-not-allow-0-in-quoted-strings.patch

 BuildRequires:  gcc flex

@ -105,6 +106,9 @@ make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" install
 %{_mandir}/man3/*

 %changelog
+* Tue Feb 15 2022 panxiaohe <panxh.life@foxmail.com> - 3.1-7
+- libsepol/cil: do not allow \0 in quoted strings
+
 * Fri Dec 10 2021 panxiaohe <panxiaohe@huawei.com> - 3.1-6
 - fix secilc-fuzzer issues