[meta-selinux][dunfell][PATCH 1/3] libsepol: Security fix CVE-2021-36084
From: Armin Kuster <akuster@...>
Source: https://github.com/SELinuxProject/selinux MR: 111851 Type: Security Fix Disposition: Backport from https://github.com/SELinuxProject/selinux/commit/f34d3d30c8325e4847a6b696fe7a3936a8a361f3 ChangeID: 7fae27568e26ccbb18be3d2a1ce7332d42706f18 Description: Affects: libsepol < 3.2 Signed-off-by: Armin Kuster <akuster@...> --- .../selinux/libsepol/CVE-2021-36084.patch | 99 +++++++++++++++++++ recipes-security/selinux/libsepol_3.0.bb | 1 + 2 files changed, 100 insertions(+) create mode 100644 recipes-security/selinux/libsepol/CVE-2021-36084.patch diff --git a/recipes-security/selinux/libsepol/CVE-2021-36084.patch b/recipes-security/selinux/libsepol/CVE-2021-36084.patch new file mode 100644 index 0000000..1001563 --- /dev/null +++ b/recipes-security/selinux/libsepol/CVE-2021-36084.patch 
@@ -0,0 +1,99 @@ +From f34d3d30c8325e4847a6b696fe7a3936a8a361f3 Mon Sep 17 00:00:00 2001 +From: James Carter <jwcart2@...> +Date: Thu, 8 Apr 2021 13:32:01 -0400 +Subject: [PATCH] libsepol/cil: Destroy classperms list when resetting + classpermission + +Nicolas Iooss reports: + A few months ago, OSS-Fuzz found a crash in the CIL compiler, which + got reported as + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28648 (the title + is misleading, or is caused by another issue that conflicts with the + one I report in this message). Here is a minimized CIL policy which + reproduces the issue: + + (class CLASS (PERM)) + (classorder (CLASS)) + (sid SID) + (sidorder (SID)) + (user USER) + (role ROLE) + (type TYPE) + (category CAT) + (categoryorder (CAT)) + (sensitivity SENS) + (sensitivityorder (SENS)) + (sensitivitycategory SENS (CAT)) + (allow TYPE self (CLASS (PERM))) + (roletype ROLE TYPE) + (userrole USER ROLE) + (userlevel USER (SENS)) + (userrange USER ((SENS)(SENS (CAT)))) + (sidcontext SID (USER ROLE TYPE ((SENS)(SENS)))) + + (classpermission CLAPERM) + + (optional OPT + (roletype nonexistingrole nonexistingtype) + (classpermissionset CLAPERM (CLASS (PERM))) + ) + + The CIL policy fuzzer (which mimics secilc built with clang Address + Sanitizer) reports: + + ==36541==ERROR: AddressSanitizer: heap-use-after-free on address + 0x603000004f98 at pc 0x56445134c842 bp 0x7ffe2a256590 sp + 0x7ffe2a256588 + READ of size 8 at 0x603000004f98 thread T0 + #0 0x56445134c841 in __cil_verify_classperms + /selinux/libsepol/src/../cil/src/cil_verify.c:1620:8 + #1 0x56445134a43e in __cil_verify_classpermission + /selinux/libsepol/src/../cil/src/cil_verify.c:1650:9 + #2 0x56445134a43e in __cil_pre_verify_helper + /selinux/libsepol/src/../cil/src/cil_verify.c:1715:8 + #3 0x5644513225ac in cil_tree_walk_core + /selinux/libsepol/src/../cil/src/cil_tree.c:272:9 + #4 0x564451322ab1 in cil_tree_walk + /selinux/libsepol/src/../cil/src/cil_tree.c:316:7 + #5 0x5644513226af in 
cil_tree_walk_core + /selinux/libsepol/src/../cil/src/cil_tree.c:284:9 + #6 0x564451322ab1 in cil_tree_walk + /selinux/libsepol/src/../cil/src/cil_tree.c:316:7 + #7 0x5644512b88fd in cil_pre_verify + /selinux/libsepol/src/../cil/src/cil_post.c:2510:7 + #8 0x5644512b88fd in cil_post_process + /selinux/libsepol/src/../cil/src/cil_post.c:2524:7 + #9 0x5644511856ff in cil_compile + /selinux/libsepol/src/../cil/src/cil.c:564:7 + +The classperms list of a classpermission rule is created and filled +in when classpermissionset rules are processed, so it doesn't own any +part of the list and shouldn't retain any of it when it is reset. + +Destroy the classperms list (without destroying the data in it) when +resetting a classpermission rule. + +Reported-by: Nicolas Iooss <nicolas.iooss@...> +Signed-off-by: James Carter <jwcart2@...> + +Upstream-Status: Backport +CVE: CVE-2021-36084 +Signed-off-by: Armin Kuster <akuster@...> + +--- + libsepol/cil/src/cil_reset_ast.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: libsepol-3.0/cil/src/cil_reset_ast.c +=================================================================== +--- libsepol-3.0.orig/cil/src/cil_reset_ast.c ++++ libsepol-3.0/cil/src/cil_reset_ast.c +@@ -52,7 +52,7 @@ static void cil_reset_classpermission(st + return; + } + +- cil_reset_classperms_list(cp->classperms); ++ cil_list_destroy(&cp->classperms, CIL_FALSE); + } + + static void cil_reset_classperms_set(struct cil_classperms_set *cp_set) diff --git a/recipes-security/selinux/libsepol_3.0.bb b/recipes-security/selinux/libsepol_3.0.bb index 58559d7..537377b 100644 --- a/recipes-security/selinux/libsepol_3.0.bb +++ b/recipes-security/selinux/libsepol_3.0.bb @@ -9,4 +9,5 @@ SRC_URI[sha256sum] = "5b7ae1881909f1048b06f7a0c364c5c8a86ec12e0ec76e740fe9595a60 SRC_URI += "\ file://0001-libsepol-fix-CIL_KEY_-build-errors-with-fno-common.patch \ file://0001-libsepol-remove-leftovers-of-cil_mem_error_handler.patch \ + file://CVE-2021-36084.patch \ " -- 2.25.1 |
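Review bot: on the embedded `cil_reset_ast.c` hunk, the diffstat kept inside the backported patch (`libsepol/cil/src/cil_reset_ast.c | 2 +-`) no longer matches the rewritten `Index: libsepol-3.0/cil/src/cil_reset_ast.c` / `--- libsepol-3.0.orig/cil/src/cil_reset_ast.c` headers, so either refresh the diffstat with the stripped prefix or drop it so the file is self-consistent. The substantive change is sound: `cil_reset_classperms_list(cp->classperms)` walked and reset entries in a list the classpermission does not own, while `cil_list_destroy(&cp->classperms, CIL_FALSE)` frees only the list nodes and leaves the classperms data (which the commit message says is created and filled in by classpermissionset rules) untouched, which is what the heap-use-after-free in `__cil_verify_classperms` (cil_verify.c:1620 in the ASan trace) calls for. One check before merging: `cp->classperms` is passed by address, so the callee is presumably clearing the pointer (an assumption from the signature, not visible here), and the verifier path reached via `__cil_verify_classpermission` must tolerate a NULL or empty list when the only `classpermissionset` for that `classpermission` sits in an optional block that gets disabled, exactly the shape of the minimized reproducer.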
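Review bot: on the `libsepol_3.0.bb` hunk, `file://CVE-2021-36084.patch` is appended with the same `\` continuation style as the two existing entries, and the patch header carries both `CVE: CVE-2021-36084` and `Upstream-Status: Backport`, so the cve-check class has what it needs to mark the recipe fixed; the one thing to confirm at build time is the strip level, since the embedded patch is rooted at `libsepol-3.0/cil/src/...` rather than upstream's `libsepol/cil/src/...`, meaning it must be applied from the libsepol-3.0 source directory at the default `-p1` and will not apply against a combined selinux checkout. Given the cover text states `Affects: libsepol < 3.2`, the 3.0 recipe is in scope and no version guard is needed on the SRC_URI line.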