
evverx/ansible-modules-core (0): Ansible modules - these modules ship with ansible
evverx/bcc (0): BCC - Tools for BPF-based Linux IO analysis, networking, monitoring, and more
evverx/blockade (0): Docker-based utility for testing network failures and partitions in distributed applications
evverx/cargo-fuzz (0): Command line helpers for fuzzing
evverx/chef-collectd_plugins (0): Chef cookbook for collectd plugins
evverx/consul (0): Consul is a tool for service discovery, monitoring and configuration.
evverx/docker (0): Docker - the open-source application container engine
evverx/fzf (0): :cherry_blossom: A command-line fuzzy finder written in Go

issue comment: google/oss-fuzz

Cannot reproduce issues reported by oss-fuzz

If the bugs were found with AFL, I suspect they have something to do with https://github.com/google/oss-fuzz/issues/6037

vitaut

comment created time in 7 days

PR closed SELinuxProject/selinux

Move the fuzz target from OSS-Fuzz to the selinux repository

@fishilico All your comments should be addressed. Could you take a look? I'll send the branch to the mailing list later but since I'm working on it here on GitHub to be able to run various GHActions to make sure it works I thought I'd leave it here for review to somewhat speed up the review process. Thanks!

The patch was sent to the mailing list: https://lore.kernel.org/selinux/20210715061135.2756-1-evvers@ya.ru/

+128 -0

0 comment

2 changed files

evverx

pr closed time in 9 days

issue comment: google/oss-fuzz

AFL_LLVM_INSTRUMENT=CLASSIC,CTX-2 seems to cause fuzz targets to crash as soon as they start

@vanhauser-thc thanks!

@inferno-chromium @jonathanmetzman I'm not sure if it's possible but it would probably help if you could take a look at the build history of the selinux project to see when it started happening to figure out what changed around that time. Given that I had never seen backtraces like that my guess would be that it regressed in June or July.

evverx

comment created time in 11 days

push event: evverx/oss-fuzz

Evgeny Vereshchagin

commit sha 9d2abad625cdc923444b703a70ebe7c12c61ab1a

[selinux] point OSS-Fuzz to my fork temporarily to make sure it works


push time in 11 days

issue opened: google/oss-fuzz

AFL_LLVM_INSTRUMENT=CLASSIC,CTX-2 seems to cause fuzz targets to crash as soon as they start

I haven't figured out what's going on yet so I'll just leave a couple of links to build failures (where fuzz targets were compiled with AFL_LLVM_INSTRUMENT=CLASSIC,CTX-2):

selinux: https://oss-fuzz-build-logs.storage.googleapis.com/log-e70a0b72-e756-4cae-8cea-fcbf192572a8.txt
systemd: https://oss-fuzz-build-logs.storage.googleapis.com/log-cc176a50-d8f8-4c4c-b1bf-db3a46061d57.txt

```
[+] All test cases processed.

[-] PROGRAM ABORT : We need at least one valid input seed that does not crash!
         Location : main(), src/afl-fuzz.c:1881
```

Without AFL_LLVM_INSTRUMENT=CLASSIC,CTX-2 both systemd and selinux seem to pass the "bad build" check.

cc @vanhauser-thc

created time in 11 days

push event: evverx/selinux

Evgeny Vereshchagin

commit sha c7f437c25c1dec2e3bdc1405b1d96cf207cdb990

oss-fuzz: stop overwriting all the Makefiles

Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>


push time in 11 days

push event: evverx/selinux

Evgeny Vereshchagin

commit sha 1a6af29939e463dde9f7019437d6862c410efbd3

oss-fuzz: make shellcheck happy

Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>


Evgeny Vereshchagin

commit sha b4afc90dc623e5f7d4501ba3e7c2747ac1a465ac

oss-fuzz: build libsepol only

The fuzz target covers libsepol so it's unnecessary to build everything else. Apart from that, the "LDFLAGS" kludge was removed since libsepol is compatible with the sanitizers flags passed via CFLAGS only. It should be brought back one way or another eventually though to fix build failures like

```
clang -L/home/vagrant/selinux/selinux/DESTDIR/usr/lib -L/home/vagrant/selinux/selinux/DESTDIR/usr/lib -L../src sefcontext_compile.o ../src/regex.o -lselinux -lpcre ../src/libselinux.a -lsepol -o sefcontext_compile
/usr/bin/ld: sefcontext_compile.o: in function `usage':
/home/vagrant/selinux/selinux/libselinux/utils/sefcontext_compile.c:271: undefined reference to `__asan_report_load8'
/usr/bin/ld: /home/vagrant/selinux/selinux/libselinux/utils/sefcontext_compile.c:292: undefined reference to `__asan_handle_no_return'
/usr/bin/ld: sefcontext_compile.o: in function `asan.module_ctor':
```

Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>


Evgeny Vereshchagin

commit sha bfcd3c6ba3d57d55f9f029b56b4ec30044998d08

oss-fuzz: make it possible to run the script more than once by removing various build artifacts

Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>


Evgeny Vereshchagin

commit sha 0db734f7beabf2c8826bd3f1dc8dcdd010599143

oss-fuzz: make it possible to run the script from any directory

Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>


Evgeny Vereshchagin

commit sha 4e660bbca0b2066dd14a225dbc96630cf4e34013

oss-fuzz: be a little bit more specific about what the script does

Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>


Evgeny Vereshchagin

commit sha 38fcee22a35bfa3abca6b8bd81e46d0f3412e954

oss-fuzz: stop overwriting all the Makefiles

Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>


push time in 11 days

PR opened SELinuxProject/selinux

Move the fuzz target from OSS-Fuzz to the selinux repository

@fishilico All your comments should be addressed. Could you take a look? I'll send the branch to the mailing list later but since I'm working on it here on GitHub to be able to run various GHActions to make sure it works I thought I'd leave it here for review to somewhat speed up the review process. Thanks!

+125 -0

0 comment

2 changed files

pr created time in 11 days

push event: evverx/oss-fuzz

Evgeny Vereshchagin

commit sha 5448a8432264094e68052734efcf8ba0cd8a2bc3

[selinux] point OSS-Fuzz to my fork temporarily to make sure it works


push time in 11 days

push event: evverx/selinux

Christian Göttsche

commit sha 44d56761bed0a394cceb4b0c57fee4fc0e4d9a85

libsepol: avoid unsigned integer overflow

Unsigned integer overflow is well-defined and not undefined behavior. It is commonly used for hashing or pseudo random number generation. But it is still useful to enable undefined behavior sanitizer checks on unsigned arithmetic to detect possible issues on counters or variables with similar purpose or missed overflow checks on user input.

Use a spaceship operator like comparison instead of subtraction.

    policydb.c:851:24: runtime error: unsigned integer overflow: 801 - 929 cannot be represented in type 'unsigned int'

Follow-up of: 1537ea8412e4 ("libsepol: avoid unsigned integer overflow")

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>


Christian Göttsche

commit sha 09405ba91c40e4e08f2212c946a432fa001d04bb

libsepol: ignore UBSAN false-positives

Unsigned integer overflow is well-defined and not undefined behavior. But it is still useful to enable undefined behavior sanitizer checks on unsigned arithmetic to detect possible issues on counters or variables with similar purpose.

Annotate functions, in which unsigned overflows are expected to happen, with the respective Clang function attribute[1]. GCC does not support sanitizing unsigned integer arithmetic[2].

    avtab.c:76:2: runtime error: unsigned integer overflow: 6 * 3432918353 cannot be represented in type 'unsigned int'
    policydb.c:795:42: runtime error: unsigned integer overflow: 8160943042179512010 * 11 cannot be represented in type 'unsigned long'
    symtab.c:25:12: runtime error: left shift of 1766601759 by 4 places cannot be represented in type 'unsigned int'

[1]: https://clang.llvm.org/docs/AttributeReference.html#no-sanitize
[2]: https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>


Christian Göttsche

commit sha e1491388d570a83f6b005d7dc1906765a02b922e

libsepol: avoid implicit conversions

Avoid implicit conversions from signed to unsigned values, found by UB sanitizers, by using unsigned values in the first place.

    expand.c:1644:18: runtime error: implicit conversion from type 'int' of value -1 (32-bit, signed) to type 'uint32_t' (aka 'unsigned int') changed the value to 4294967295 (32-bit, unsigned)
    expand.c:2892:24: runtime error: implicit conversion from type 'int' of value -2 (32-bit, signed) to type 'unsigned int' changed the value to 4294967294 (32-bit, unsigned)
    policy_define.c:2344:4: runtime error: implicit conversion from type 'int' of value -1048577 (32-bit, signed) to type 'unsigned int' changed the value to 4293918719 (32-bit, unsigned)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>


Christian Göttsche

commit sha 07d6f1cea5a8ec0251606636189bc519d80b0729

libsepol: assure string NUL-termination of ibdev_name

Clang complains:

    ibendport_record.c: In function ‘sepol_ibendport_get_ibdev_name’:
    ibendport_record.c:169:2: error: ‘strncpy’ specified bound 64 equals destination size [-Werror=stringop-truncation]
      169 |  strncpy(tmp_ibdev_name, ibendport->ibdev_name, IB_DEVICE_NAME_MAX);
          |  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ibendport_record.c: In function ‘sepol_ibendport_set_ibdev_name’:
    ibendport_record.c:189:2: error: ‘strncpy’ specified bound 64 equals destination size [-Werror=stringop-truncation]
      189 |  strncpy(tmp, ibdev_name, IB_DEVICE_NAME_MAX);
          |  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

strncpy(3) does not NUL-terminate the destination if the source is of the same length or longer than the specified size.

The source of these copies are retrieved from sepol_ibendport_alloc_ibdev_name(), which allocates a fixed amount of IB_DEVICE_NAME_MAX bytes.

Reduce the size to copy by 1 of all memory regions allocated by sepol_ibendport_alloc_ibdev_name().

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
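The strncpy(3) hazard and the fix described in the commit above, as an added example that is not the selinux project's code: NAME_MAX is a constructed stand-in for IB_DEVICE_NAME_MAX (set to 8 so the effect is visible in a short buffer), the device names are constructed inputs, and the buffer is deliberately poisoned with non-NUL bytes so that nothing but the copy itself can supply a terminator.

```c
/* Added example, not code from the selinux project. NAME_MAX stands in for
 * IB_DEVICE_NAME_MAX; 8 is chosen only so the truncation is easy to see. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 8

/* Copy src into a size-byte buffer with the given strncpy bound and report
 * whether the buffer ends up containing a NUL anywhere. The buffer is poisoned
 * first so that only strncpy itself can have written the terminator. */
static bool bounded_copy_is_terminated(char *dst, size_t size, const char *src, size_t bound)
{
    memset(dst, 'X', size);
    strncpy(dst, src, bound);
    return memchr(dst, '\0', size) != NULL;
}

/* The pattern the commit removes: bound equal to the destination size.
 * When strlen(src) >= NAME_MAX every byte is a character and no NUL exists. */
bool copy_with_full_bound(const char *src)
{
    char dst[NAME_MAX];
    return bounded_copy_is_terminated(dst, sizeof dst, src, NAME_MAX);
}

/* The commit's fix: copy at most NAME_MAX - 1 bytes. strncpy then never
 * touches the last byte, so that byte must be guaranteed NUL by the caller:
 * set it explicitly here (a zero-initialised allocation gives the same). */
bool copy_with_reduced_bound(const char *src)
{
    char dst[NAME_MAX];
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, NAME_MAX - 1);
    dst[NAME_MAX - 1] = '\0';
    return memchr(dst, '\0', sizeof dst) != NULL;
}

/* Length a reader of the safely copied name observes: never above NAME_MAX - 1,
 * which is the truncation the reduced bound trades for guaranteed termination. */
size_t safe_copied_length(const char *src)
{
    char dst[NAME_MAX];
    strncpy(dst, src, NAME_MAX - 1);
    dst[NAME_MAX - 1] = '\0';
    return strlen(dst);
}

int main(void)
{
    /* Constructed device names: shorter than, equal to, and longer than NAME_MAX. */
    const char *inputs[] = { "mlx5_0", "mlx5_ib0", "infiniband0" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-12s full bound: %-15s reduced bound: %s (len %zu)\n", inputs[i],
               copy_with_full_bound(inputs[i]) ? "terminated" : "NOT terminated",
               copy_with_reduced_bound(inputs[i]) ? "terminated" : "NOT terminated",
               safe_copied_length(inputs[i]));
    }
    return 0;
}
```

The full-bound copy only stays terminated for the 6-character name because strncpy pads the remainder with NULs; at 8 or more characters the buffer holds no terminator at all, and any later strlen() or printf("%s") on it reads past the end, which is what the compiler warning in the commit is pointing at.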


Christian Göttsche

commit sha 40e2f98519ba3fc6a4a0f2b4a2b8b0e1d864fd9e

checkpolicy: pass CFLAGS at link stage

Pass CFLAGS when invoking CC at link time; it might contain optimization or sanitizer flags required for linking.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>


Christian Göttsche

commit sha 02678b9d40f7de5cae1840f3d7ceedf1499c84a8

checkpolicy: drop -pipe compile option

The compiler option -pipe does not affect the generated code; it affects whether the compiler uses temporary files or pipes. As the benefit might vary from system to system, usually it's up to the packager or build framework to set it.

Also these are the only places where the flag is used.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>


Christian Göttsche

commit sha 7cdb2a8fd2af0a063d6e505fd1250ca10ebbea11

checkpolicy: simplify assignment

    checkpolicy.c:504:20: style: The statement 'if (policyvers!=n) policyvers=n' is logically equivalent to 'policyvers=n'. [duplicateConditionalAssign]
      if (policyvers != n)
                     ^
    checkpolicy.c:505:17: note: Assignment 'policyvers=n'
       policyvers = n;
                  ^
    checkpolicy.c:504:20: note: Condition 'policyvers!=n' is redundant
      if (policyvers != n)
                     ^

Found by Cppcheck

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>


Christian Göttsche

commit sha db674bf2186b34a3712e2069c769131503dcb9ff

checkpolicy: drop dead condition

The variable `id` is guaranteed to be non-NULL due to the preceding while condition.

    policy_define.c:1171:7: style: Condition '!id' is always false [knownConditionTrueFalse]
      if (!id) {
          ^
    policy_define.c:1170:13: note: Assuming that condition 'id=queue_remove(id_queue)' is not redundant
      while ((id = queue_remove(id_queue))) {
                ^
    policy_define.c:1171:7: note: Condition '!id' is always false
      if (!id) {
          ^

Found by Cppcheck.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>


Christian Göttsche

commit sha babc3d53518b7f9f01b83b9c997f9233a58af92b

checkpolicy: use correct format specifier for unsigned

    test/dispol.c:288:4: warning: %d in format string (no. 1) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
      snprintf(buf, sizeof(buf), "unknown (%d)", i);
      ^
    test/dismod.c:830:4: warning: %d in format string (no. 1) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
      snprintf(buf, sizeof(buf), "unknown (%d)", i);
      ^

Found by Cppcheck.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>


Christian Göttsche

commit sha 79e7724930d49cc8cdac4c7d4e80b1fafd22d1d7

checkpolicy: follow declaration-after-statement

Follow the project style of no declaration after statement.

Found by the GCC warning -Wdeclaration-after-statement.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>


Christian Göttsche

commit sha 7723180fa09b0c483c07a76a4678f2c2cd51bff6

checkpolicy: remove dead assignments

The variable `cladatum` is otherwise always assigned before used, so these two assignments without follow-up usages are not needed.

Found by clang-analyzer.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>


Christian Göttsche

commit sha 5a10f05f53ef78c48ebce3d512960c71100073d0

checkpolicy: check before potential NULL dereference

    policy_define.c: In function ‘define_te_avtab_extended_perms’:
    policy_define.c:1946:17: error: potential null pointer dereference [-Werror=null-dereference]
     1946 |         r->omit = omit;
          |         ^

In the case of `r` being NULL, avrule_read_ioctls() would return with its parameter `rangehead` being a pointer to NULL, which is considered a failure in its caller `avrule_ioctl_ranges`. So it is not necessary to alter the return value.

Found by GCC 11 with LTO enabled.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>


Christian Göttsche

commit sha 5218bf4b262ae6c3aa0ec72c5116a73bbdb7806f

checkpolicy: avoid potential use of uninitialized variable

    checkpolicy.c: In function ‘main’:
    checkpolicy.c:1000:25: error: ‘tsid’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
     1000 |                         printf("if_sid %d default_msg_sid %d\n", ssid, tsid);
          |                         ^
    checkpolicy.c: In function ‘main’:
    checkpolicy.c:971:25: error: ‘tsid’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
      971 |                         printf("fs_sid %d default_file_sid %d\n", ssid, tsid);
          |                         ^

Found by GCC 11 with LTO enabled.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>


Christian Göttsche

commit sha 4e3d0990c6be73419df3c32b7de98c992797e3ef

checkpolicy: drop redundant cast to the same type

Found by clang-tidy.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>


Christian Göttsche

commit sha 47f4cbd357fa0b0dc46e2e95ce10fc2d9a586061

checkpolicy: parse_util drop unused declaration

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>


Christian Göttsche

commit sha b306cd5b90979a4d6e1a85b842835deb77272873

checkpolicy/test: mark file local functions static

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>


Christian Göttsche

commit sha 1711757378d1ff1e7437fd7d5ddf263272284641

checkpolicy: mark read-only parameters in policy define const

Make it more obvious which parameters are read-only and not being modified and allow callers to pass const pointers.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>


Evgeny Vereshchagin

commit sha a2a40f0345a487b49e8a9ae570d50ebd9f2ae744

ci: turn on CIFuzz

Now that almost all the bugs reported by OSS-Fuzz have been fixed libsepol/cil should be stable enough to get CIFuzz working more or less reliably. It should help to catch regressions/new bugs faster.

https://google.github.io/oss-fuzz/getting-started/continuous-integration/

The patch was tested on GitHub in https://github.com/SELinuxProject/selinux/pull/285

The CIFuzz job can be found at https://github.com/SELinuxProject/selinux/actions/runs/1017865690

Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>


Evgeny Vereshchagin

commit sha e45642441f853c6823d6a1b83ae41c463c627a53

README: add OSS-Fuzz/CIFuzz badges

It should make it easier to keep track of what's going on there

Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>


James Carter

commit sha 8470058934e89d1876b8e034d1ea818bde62b994

libsepol/cil: Fix handling category sets in an expression

There are two problems that need to be addressed when resolving an expression with category sets.

1. Only expand anonymous category sets in an expression.

Commit 982ec302b67f3c7f8df667dadb67352b1e4a6d18 (libsepol/cil: Account for anonymous category sets in an expression) attempted to properly handle anonymous category sets when resolving category expressions. Unfortunately, it did not check whether a category set was actually an anonymous category set and expanded all category sets in an expression. If a category set refers to itself in the expression, then everything from the name of the category set to the end of the expression is ignored. For example, the rule "(categoryset cs (c0 cs c1 c2))", would be equivalent to the rule "(categoryset cs (c0))" as everything from "cs" to the end would be dropped.

The secilc-fuzzer found that the rule "(categoryset cat (not cat))" would cause a segfault since "(not)" is not a valid expression and it is assumed to be valid during later evaluation because syntax checking has already been done.

Instead, check whether or not the category set is anonymous before expanding it when resolving an expression.

2. Category sets cannot be used in a category range

A category range can be used to specify a large number of categories. The range "(range c0 c1023)" refers to 1024 categories. Only categories and category aliases can be used in a range. Determining if an identifier is a category, an alias, or a set can only be done after resolving the identifier.

Keep track of the current operator as an expression is being resolved and if the expression involves categories and a category set is encountered, then return an error if the expression is a category range.

Signed-off-by: James Carter <jwcart2@gmail.com>


push time in 11 days

push event: evverx/selinux

Evgeny Vereshchagin

commit sha f56e013792e60aed7186ffbaa065c159a3d972b0

oss-fuzz: stop overwriting all the Makefiles


push time in 11 days

push event: evverx/oss-fuzz

Evgeny Vereshchagin

commit sha 4bd68be89cce1566e677b4cccff653fbfb16ea6a

[selinux] point OSS-Fuzz to my fork temporarily to make sure it works


push time in 11 days

push event: evverx/selinux

Evgeny Vereshchagin

commit sha 58548cbdd3c6d97eea23a4caca4d0d3c1b21545f

libsepol/cil: move the fuzz target and build script to the selinux repository

It should make it easier to reproduce bugs found by OSS-Fuzz locally without docker. The fuzz target can be built and run with the corpus OSS-Fuzz has accumulated so far by running the following commands:

```
./scripts/oss-fuzz.sh
wget https://storage.googleapis.com/selinux-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/selinux_secilc-fuzzer/public.zip
unzip -d CORPUS public.zip
./out/secilc-fuzzer CORPUS/
```

It was tested in https://github.com/google/oss-fuzz/pull/6026 by pointing OSS-Fuzz to the branch containing the patch and running all the tests with all the sanitizers and fuzzing engines there: https://github.com/google/oss-fuzz/actions/runs/1024673143

Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>


Evgeny Vereshchagin

commit sha 64761277e07490d96ab0a6de2ccfd55cf2044e77

oss-fuzz: make shellcheck happy


Evgeny Vereshchagin

commit sha 77e03b5e67309011ad6f3bfa4c29193f05b80433

oss-fuzz: build libsepol only

The fuzz target covers libsepol so it's unnecessary to build everything else. Apart from that, the "LDFLAGS" kludge was removed since libsepol is compatible with the sanitizers flags passed via CFLAGS only. It should be brought back one way or another eventually though to fix build failures like

```
clang -L/home/vagrant/selinux/selinux/DESTDIR/usr/lib -L/home/vagrant/selinux/selinux/DESTDIR/usr/lib -L../src sefcontext_compile.o ../src/regex.o -lselinux -lpcre ../src/libselinux.a -lsepol -o sefcontext_compile
/usr/bin/ld: sefcontext_compile.o: in function `usage':
/home/vagrant/selinux/selinux/libselinux/utils/sefcontext_compile.c:271: undefined reference to `__asan_report_load8'
/usr/bin/ld: /home/vagrant/selinux/selinux/libselinux/utils/sefcontext_compile.c:292: undefined reference to `__asan_handle_no_return'
/usr/bin/ld: sefcontext_compile.o: in function `asan.module_ctor':
```


Evgeny Vereshchagin

commit sha cf22fbdef1be7649cf9b6cc6ad5d4440279d89d4

oss-fuzz: make it possible to run the script more than once by removing various build artifacts


Evgeny Vereshchagin

commit sha 6ffd8203696c44becca7c30f29634c15d7fddd14

oss-fuzz: make it possible to run the script from any directory


Evgeny Vereshchagin

commit sha 99add2acea9dc37aa26c9e422d1b38949acc9d3a

oss-fuzz: be a little bit more specific about what the script does


push time in 11 days

push event: evverx/oss-fuzz

Evgeny Vereshchagin

commit sha 5e22d9d7d4d94f45f990c8b701382a6566ac4777

[selinux] point OSS-Fuzz to my fork temporarily to make sure it works


push time in 12 days

push event: evverx/selinux

Evgeny Vereshchagin

commit sha 721d4be980219fd9ae7eafec6b0b4c967503902c

libsepol/cil: move the fuzz target and build script to the selinux repository

It should make it easier to reproduce bugs found by OSS-Fuzz locally without docker. The fuzz target can be built and run with the corpus OSS-Fuzz has accumulated so far by running the following commands:

```
./scripts/oss-fuzz.sh
wget https://storage.googleapis.com/selinux-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/selinux_secilc-fuzzer/public.zip
unzip -d CORPUS public.zip
./out/secilc-fuzzer CORPUS/
```


push time in 12 days


PR opened google/oss-fuzz

[selinux] move the fuzz target and build script upstream

to make it easier to reproduce and fix bugs locally

+2 -98

0 comment

3 changed files

pr created time in 13 days

create branch: evverx/oss-fuzz

branch : move-upstream

created branch time in 13 days


create branch: evverx/selinux

branch : move-fuzzer

created branch time in 13 days

PR closed SELinuxProject/selinux

ci: turn on CIFuzz

Now that roughly half the bugs reported by OSS-Fuzz have been fixed libsepol/cil should be stable enough to get CIFuzz working more or less reliably. It should help to catch regressions/new bugs faster.

https://google.github.io/oss-fuzz/getting-started/continuous-integration/

@fishilico could you take a look?

+41 -0

6 comments

2 changed files

evverx

pr closed time in 15 days

pull request comment: SELinuxProject/selinux

ci: turn on CIFuzz

I've just sent the patch to the mailing list: https://lore.kernel.org/selinux/20210710120302.74862-1-evvers@ya.ru/T/#t. Closing the PR here.

evverx

comment created time in 15 days

push event: evverx/selinux

Dominick Grift

commit sha 1e4e7f6a125af20c563f8c6932d210a8f5f902e9

cil_conditional_statements.md: fix expr definition

expr "(expr (tunable_id tunable_id))" does not work but "(expr tunable_id tunable_id)" does work

for example, this works

    (tunable test1)
    (tunable test2)
    (tunableif (or test1 test2) (true (allow a b (c (d)))))

but this does not work:

    (tunable test1)
    (tunable test2)
    (tunableif (or (test1 test2)) (true (allow a b (c (d)))))

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>


Yi-Yo Chiang

commit sha d1a34d3f1df5e90c9e01fcd9791c26db89064a7e

secilc.c: Don't fail if input file is empty

fread(3) returns zero if |size| is zero. This confuses secilc, and causes it to fail with a "Failure reading file" error, even though there is no error.

Add a shortcut that closes and skips an input file if file size is zero.

Signed-off-by: Yi-Yo Chiang <yochiang@google.com>


James Carter

commit sha e13c8162656665f9ec1c76a033cae5b011b8c658

libsepol/cil: Fix out-of-bound read of file context pattern ending with "\"

Based on patch by Nicolas Iooss, who writes:

OSS-Fuzz found a Heap-buffer-overflow in the CIL compiler when trying to compile the following policy:

    (sid SID)
    (sidorder(SID))
    (filecon "\" any ())
    (filecon "" any ())

When cil_post_fc_fill_data() processes "\", it goes beyond the NUL terminator of the string. Fix this by returning when '\0' is read after a backslash.

To be consistent with the function compute_diffdata() in refpolicy/support/fc_sort.py, also increment str_len in this case.

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28484
Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: James Carter <jwcart2@gmail.com>


James Carter

commit sha f34d3d30c8325e4847a6b696fe7a3936a8a361f3

libsepol/cil: Destroy classperms list when resetting classpermission

Nicolas Iooss reports:

A few months ago, OSS-Fuzz found a crash in the CIL compiler, which got reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28648 (the title is misleading, or is caused by another issue that conflicts with the one I report in this message). Here is a minimized CIL policy which reproduces the issue:

    (class CLASS (PERM))
    (classorder (CLASS))
    (sid SID)
    (sidorder (SID))
    (user USER)
    (role ROLE)
    (type TYPE)
    (category CAT)
    (categoryorder (CAT))
    (sensitivity SENS)
    (sensitivityorder (SENS))
    (sensitivitycategory SENS (CAT))
    (allow TYPE self (CLASS (PERM)))
    (roletype ROLE TYPE)
    (userrole USER ROLE)
    (userlevel USER (SENS))
    (userrange USER ((SENS)(SENS (CAT))))
    (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
    (classpermission CLAPERM)
    (optional OPT
        (roletype nonexistingrole nonexistingtype)
        (classpermissionset CLAPERM (CLASS (PERM)))
    )

The CIL policy fuzzer (which mimics secilc built with clang Address Sanitizer) reports:

    ==36541==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000004f98 at pc 0x56445134c842 bp 0x7ffe2a256590 sp 0x7ffe2a256588
    READ of size 8 at 0x603000004f98 thread T0
        #0 0x56445134c841 in __cil_verify_classperms /selinux/libsepol/src/../cil/src/cil_verify.c:1620:8
        #1 0x56445134a43e in __cil_verify_classpermission /selinux/libsepol/src/../cil/src/cil_verify.c:1650:9
        #2 0x56445134a43e in __cil_pre_verify_helper /selinux/libsepol/src/../cil/src/cil_verify.c:1715:8
        #3 0x5644513225ac in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:272:9
        #4 0x564451322ab1 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:316:7
        #5 0x5644513226af in cil_tree_walk_core /selinux/libsepol/src/../cil/src/cil_tree.c:284:9
        #6 0x564451322ab1 in cil_tree_walk /selinux/libsepol/src/../cil/src/cil_tree.c:316:7
        #7 0x5644512b88fd in cil_pre_verify /selinux/libsepol/src/../cil/src/cil_post.c:2510:7
        #8 0x5644512b88fd in cil_post_process /selinux/libsepol/src/../cil/src/cil_post.c:2524:7
        #9 0x5644511856ff in cil_compile /selinux/libsepol/src/../cil/src/cil.c:564:7

The classperms list of a classpermission rule is created and filled in when classpermissionset rules are processed, so it doesn't own any part of the list and shouldn't retain any of it when it is reset.

Destroy the classperms list (without destroying the data in it) when resetting a classpermission rule.

Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: James Carter <jwcart2@gmail.com>


James Carter

commit sha 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba

libsepol/cil: Destroy classperm list when resetting map perms

Map perms share the same struct as regular perms, but only the map perms use the classperms field. This field is a pointer to a list of classperms that is created and added to when resolving classmapping rules, so the map permission doesn't own any of the data in the list and this list should be destroyed when the AST is reset.

When resetting a perm, destroy the classperms list without destroying the data in the list.

Signed-off-by: James Carter <jwcart2@gmail.com>


James Carter

commit sha c49a8ea09501ad66e799ea41b8154b6770fec2c8

libsepol/cil: cil_reset_classperms_set() should not reset classpermission

In struct cil_classperms_set, the set field is a pointer to a struct cil_classpermission which is looked up in the symbol table. Since the cil_classperms_set does not create the cil_classpermission, it should not reset it.

Set the set field to NULL instead of resetting the classpermission that it points to.

Signed-off-by: James Carter <jwcart2@gmail.com>


James Carter

commit sha a7a80ef51b915071f0339e5e0262f06d84112874

libsepol/cil: Set class field to NULL when resetting struct cil_classperms

The class field of a struct cil_classperms points to the class looked up in the symbol table, so that field should be set to NULL when the cil_classperms is reset.

Set the class field to NULL when resetting the struct cil_classperms.

Signed-off-by: James Carter <jwcart2@gmail.com>


James Carter

commit sha e978e7692e16d6d8b801700d1dc5129ca31dfbad

libsepol/cil: More strict verification of constraint leaf expressions

In constraint expressions u1, u3, r1, r3, t1, and t3 are never allowed on the right side of an expression, but there were no checks to verify that they were not used on the right side. The result was that the expression "(eq t1 t1)" would be silently turned into "(eq t1 t2)" when the binary policy was created.

Verify that u1, u3, r1, r3, t1, and t3 are not used on the right side of a constraint expression.

Signed-off-by: James Carter <jwcart2@gmail.com>


James Carter

commit sha 532469a251607cfd8bd5e9299d3bba3764345ab6

libsepol/cil: Exit with an error if declaration name is a reserved word

When CIL parses sets or conditional expressions, any identifier that matches an operator name will always be taken as an operator. If a declaration has the same name as an operator, then there is the possibility of causing either confusion or a syntax error if it is used in an expression. The potential for problems is much greater than any possible advantage in allowing a declaration to share the name of a reserved word.

Create a new function, __cil_is_reserved_name() that is called when an identifier is declared and its name is being validated. In this function, check if the declaration has the same name as a reserved word for an expression operator that can be used with the identifier's flavor and exit with an error if it does.

Also, move the check for types, type aliases, and type attributes matching the reserved word "self" to this new function.

Finally, change the name of the function __cil_verify_name() to cil_verify_name(), since this function is neither static nor a helper function.

Signed-off-by: James Carter <jwcart2@gmail.com>


James Carter

commit sha 22fb6f477bf10e834ece9eff84438fcaebf7d2ec

libsepol/cil: Allow permission expressions when using map classes

The following policy will cause a segfault:

    (class CLASS (PERM))
    (class C (P1 P2 P3))
    (classorder (CLASS C))
    (sid SID)
    (sidorder (SID))
    (user USER)
    (role ROLE)
    (type TYPE)
    (category CAT)
    (categoryorder (CAT))
    (sensitivity SENS)
    (sensitivityorder (SENS))
    (sensitivitycategory SENS (CAT))
    (allow TYPE self (CLASS (PERM)))
    (roletype ROLE TYPE)
    (userrole USER ROLE)
    (userlevel USER (SENS))
    (userrange USER ((SENS)(SENS (CAT))))
    (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
    (classmap CM (PM1 PM2 PM3))
    (classmapping CM PM1 (C (P1)))
    (classmapping CM PM2 (C (P2)))
    (classmapping CM PM3 (C (P3)))
    (allow TYPE self (CM (and (all) (not PM2))))

The problem is that, while permission expressions are allowed for normal classes, map classes are expected to only have permission lists and no check is done to verify that only a permission list is being used. When the above policy is parsed, the "and" and "all" are seen as expression operators, but when the map permissions are converted to normal class and permissions, the permission expression is assumed to be a list of datums and since the operators are not datums a segfault is the result.

There is no reason to limit map classes to only using a list of permissions and, in fact, it would be better to be able to use them in the same way normal classes are used.

Allow permissions expressions to be used for map classes by first evaluating the permission expression and then converting the resulting list to normal classes and permissions.

Signed-off-by: James Carter <jwcart2@gmail.com>

James Carter

commit sha 63ce05ba07fc3517900fac22efe1c761d856762f

libsepol/cil: Refactor helper function for cil_gen_node()

Change the name of cil_is_datum_multiple_decl() to cil_allow_multiple_decls() and make it static. The new function takes the CIL db and the flavors of the old and new datum as arguments. Also, put all of the logic of determining if multiple declarations are allowed into the new function.

Finally, update the call from cil_gen_node().

Signed-off-by: James Carter <jwcart2@gmail.com>

James Carter

commit sha 0d4e568afe5a28edc5fcdcff8e925d4ec1d0d3d0

libsepol/cil: Create function cil_add_decl_to_symtab() and refactor

The functionality of adding a declaration to a symbol table is also needed in __cil_copy_node_helper() and not just cil_gen_node().

Create a new function called cil_add_decl_to_symtab() to add a declaration to a symtab and refactor cil_gen_node() and __cil_copy_node_helper() to use the new function.

By using the new function, __cil_copy_node_helper() will now allow duplicate declarations when appropriate.

Signed-off-by: James Carter <jwcart2@gmail.com>

James Carter

commit sha e65cf030b784dbb1ff4415e0b63a3bdf0158ccf6

libsepol/cil: Move check for the shadowing of macro parameters

In cil_gen_node(), after the declaration is added to the symbol table, if the parent is a macro, then a check is made to ensure the declaration does not shadow any of the macro's parameters. This check also needs to be done when copying the AST.

Move the check for the shadowing of macro parameters to its own function, cil_verify_decl_does_not_shadow_macro_parameter(), and refactor cil_gen_node() and __cil_copy_node_helper() to use the new function.

Signed-off-by: James Carter <jwcart2@gmail.com>

James Carter

commit sha 69bfe64cdf659cc47c544e6b376f0a653ff06f6f

libsepol/cil: Reorder checks for invalid rules when building AST

Reorder checks for invalid rules in the blocks of tunableifs, in-statements, macros, and booleanifs when building the AST for consistency. Order the checks in the same order the blocks will be resolved in, so tunableif, in-statement, macro, booleanif, and then non-block rules.

Signed-off-by: James Carter <jwcart2@gmail.com>

James Carter

commit sha f043078f1debeb1c84d4f6943aa689c33dd9cefc

libsepol/cil: Cleanup build AST helper functions

Since parse_current, finished, and extra_args can never be NULL, remove the useless check and directly assign local variables from extra_args.

Signed-off-by: James Carter <jwcart2@gmail.com>

James Carter

commit sha ab90cb46abd4cfc5927f48c7b61782aa97e2561f

libsepol/cil: Create new first child helper function for building AST

In order to find statements not allowed in tunableifs, in-statements, macros, and booleanifs, there are tree node pointers that point to each of these kinds of statements when its block is being parsed. If the pointer is non-NULL, then the rule being parsed is in the block of that kind of statement.

The tree node pointers were being updated at the wrong point which prevented an invalid statement from being found if it was the first statement in the block of a tunableif, in-statement, macro, or booleanif.

Create a first child helper function for walking the parse tree and in that function set the appropriate tree node pointer if the current AST node is a tunableif, in-statement, macro, or booleanif. This also makes the code symmetrical with the last child helper where the tree node pointers are set to NULL.

Signed-off-by: James Carter <jwcart2@gmail.com>

James Carter

commit sha 525f0312d51d3afd48f5e0cd8a58cced3532cfdf

libsepol/cil: Use AST to track blocks and optionals when resolving

When resolving the AST, block and optional stacks are used to determine if the current rule being resolved is in a block or an optional. There is no need to do this since the parent node pointers can be used when exiting a block or an optional to determine if resolution is still within a block or an optional.

When entering either a block or an optional, update the appropriate tree node pointer. When finished with the last child of a block or optional, set the appropriate pointer to NULL. If a parent of the same kind is found when the parent node pointers are followed back to the root node, then set the pointer to that tree node.

Signed-off-by: James Carter <jwcart2@gmail.com>

James Carter

commit sha ef533c8fd941bfb0c9a729b757d8a5b68fe3d080

libsepol/cil: Reorder checks for invalid rules when resolving AST

Reorder checks for invalid rules in the blocks of tunableifs, in-statements, macros, and booleanifs when resolving the AST for consistency. Order the checks in the same order the blocks will be resolved in, so tunableif, in-statement, macro, booleanif, and then non-block rules.

Signed-off-by: James Carter <jwcart2@gmail.com>

James Carter

commit sha 8a74c05b97050bd226d61fc162e04dcdf8e91247

libsepol/cil: Sync checks for invalid rules in booleanifs

When building the AST, typemember rules in a booleanif block will be incorrectly called invalid. They are allowed in the kernel policy and should be allowed in CIL.

When resolving the AST, if a neverallow rule is copied into a booleanif block, it will not be considered an invalid rule, even though this is not allowed in the kernel policy.

Update the booleanif checks to allow typemember rules and to not allow neverallow rules in booleanifs. Also use the same form of conditional for the checks when building and resolving the AST.

Signed-off-by: James Carter <jwcart2@gmail.com>

James Carter

commit sha 340f0eb7f3673e8aacaf0a96cbfcd4d12a405521

libsepol/cil: Check for statements not allowed in optional blocks

While there are some checks for invalid statements in an optional block when resolving the AST, there are no checks when building the AST.

OSS-Fuzz found the following policy which caused a null dereference in cil_tree_get_next_path().

(blockinherit b3)
(sid SID)
(sidorder(SID))
(optional o
  (ibpkeycon :(1 0)s)
  (block b3
    (filecon""block())
    (filecon""block())))

The problem is that the blockinherit copies block b3 before the optional block is disabled. When the optional is disabled, block b3 is deleted along with everything else in the optional. Later, when filecon statements with the same path are found an error message is produced and in trying to find out where the block was copied from, the reference to the deleted block is used. The error handling code assumes (rightly) that if something was copied from a block then that block should still exist.

It is clear that in-statements, blocks, and macros cannot be in an optional, because that allows nodes to be copied from the optional block to somewhere outside even though the optional could be disabled later.

When optionals are disabled the AST is reset and the resolution is restarted at the point of resolving macro calls, so anything resolved before macro calls will never be re-resolved. This includes tunableifs, in-statements, blockinherits, blockabstracts, and macro definitions. Tunable declarations also cannot be in an optional block because they are needed to resolve tunableifs.

It should be fine to allow blockinherit statements in an optional, because that is copying nodes from outside the optional to the optional and if the optional is later disabled, everything will be deleted anyway.

Check and quit with an error if a tunable declaration, in-statement, block, blockabstract, or macro definition is found within an optional when either building or resolving the AST.

Signed-off-by: James Carter <jwcart2@gmail.com>
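The two ideas in the commit messages above, tracking the enclosing optional by following parent pointers back to the root ("Use AST to track blocks and optionals when resolving") and rejecting at build time any statement kind that could be copied out of an optional before the optional is disabled ("Check for statements not allowed in optional blocks"), as an added illustration written for this page. It is a toy AST in C, not libsepol code and not the author's patch: the node kinds, struct layout and function names are assumptions, and the first check function only reproduces the shape of the fuzzed policy quoted above (a block declared inside an optional and inherited from outside it).

```c
#include <stdio.h>
#include <stdlib.h>

/* Statement kinds used by this illustration; an assumed subset of CIL's. */
enum node_kind { NODE_ROOT, NODE_OPTIONAL, NODE_BLOCK, NODE_BLOCKABSTRACT,
                 NODE_BLOCKINHERIT, NODE_IN, NODE_MACRO, NODE_TUNABLE,
                 NODE_ALLOW, NODE_SID, NODE_KIND_MAX };

static const char *const kind_names[NODE_KIND_MAX] = {
    "root", "optional", "block", "blockabstract", "blockinherit",
    "in", "macro", "tunable", "allow", "sid" };

#define MAX_CHILDREN 8

struct node {
    enum node_kind kind;
    const char *name;
    struct node *parent;                 /* NULL only for the root */
    struct node *children[MAX_CHILDREN];
    size_t nchildren;
};

static struct node *node_new(enum node_kind kind, const char *name, struct node *parent)
{
    struct node *n = calloc(1, sizeof(*n));
    if (!n || (parent && parent->nchildren == MAX_CHILDREN))
        abort();
    n->kind = kind;
    n->name = name;
    n->parent = parent;
    if (parent)
        parent->children[parent->nchildren++] = n;
    return n;
}

static void node_free(struct node *n)
{
    for (size_t i = 0; i < n->nchildren; i++)
        node_free(n->children[i]);
    free(n);
}

/* Follow parent pointers back to the root instead of keeping a separate stack:
 * returns the nearest enclosing optional, or NULL if there is none. */
static const struct node *enclosing_optional(const struct node *n)
{
    for (const struct node *p = n->parent; p; p = p->parent)
        if (p->kind == NODE_OPTIONAL)
            return p;
    return NULL;
}

/* The kinds the commit message lists as resolved before macro calls (or needed
 * to resolve tunableifs); they may not sit inside an optional. */
static int allowed_in_optional(enum node_kind kind)
{
    switch (kind) {
    case NODE_TUNABLE: case NODE_IN: case NODE_BLOCK:
    case NODE_BLOCKABSTRACT: case NODE_MACRO:
        return 0;
    default:
        return 1;   /* blockinherit copies *into* the optional, which is fine */
    }
}

/* Build-time check over the whole tree: 0 if valid, -1 on the first violation,
 * with a message written to err. */
static int validate_tree(const struct node *n, char *err, size_t errlen)
{
    const struct node *opt = enclosing_optional(n);

    if (opt && !allowed_in_optional(n->kind)) {
        snprintf(err, errlen, "%s '%s' is not allowed inside optional '%s'",
                 kind_names[n->kind], n->name, opt->name);
        return -1;
    }
    for (size_t i = 0; i < n->nchildren; i++)
        if (validate_tree(n->children[i], err, errlen) < 0)
            return -1;
    return 0;
}

/* Shape of the fuzzed policy quoted above: block b3 is declared inside optional
 * o but inherited from outside it. Expected result: rejected (-1). */
int check_block_in_optional(void)
{
    struct node *root = node_new(NODE_ROOT, "root", NULL);
    char err[128] = "";
    node_new(NODE_BLOCKINHERIT, "b3", root);
    node_new(NODE_SID, "SID", root);
    node_new(NODE_BLOCK, "b3", node_new(NODE_OPTIONAL, "o", root));
    int rc = validate_tree(root, err, sizeof err);
    if (rc < 0)
        printf("rejected: %s\n", err);
    node_free(root);
    return rc;
}

/* An optional that only inherits a block declared outside it and adds an allow
 * rule copies nothing out of the optional. Expected result: accepted (0). */
int check_inherit_in_optional(void)
{
    struct node *root = node_new(NODE_ROOT, "root", NULL);
    char err[128] = "";
    node_new(NODE_BLOCK, "b", root);
    struct node *opt = node_new(NODE_OPTIONAL, "o", root);
    node_new(NODE_BLOCKINHERIT, "b", opt);
    node_new(NODE_ALLOW, "allow", opt);
    int rc = validate_tree(root, err, sizeof err);
    node_free(root);
    return rc;
}
```

Because the check runs over the tree before any copying happens, the dangling reference described in the commit message (error-reporting code following a pointer into a block that was deleted together with its disabled optional) cannot be reached; the walk up the parent chain is what lets a single recursive pass answer "am I inside an optional?" without a separate stack that must be kept in sync with the traversal.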

push time in 15 days

issue commentgoogle/oss-fuzz

Report 32675 (CVE-2021-36087) found wrong commit as fix

@inferno-chromium I think one example of that script (or whatever that was) would be all the CVEs assigned to the selinux project on July 1st: https://nvd.nist.gov/vuln/detail/CVE-2021-36084 https://nvd.nist.gov/vuln/detail/CVE-2021-36085 https://nvd.nist.gov/vuln/detail/CVE-2021-36086 https://nvd.nist.gov/vuln/detail/CVE-2021-36087

I'm curious about who that was as well (mostly because I think that blindly assigning CVEs to all the issues OSS-Fuzz considers "vulnerabilities" isn't helpful)

jsegitz

comment created time in 16 days

issue commentgoogle/oss-fuzz

Report 32675 (CVE-2021-36087) found wrong commit as fix

On a somewhat unrelated note, looking at a bunch of CVEs pointing to OSS-Fuzz with descriptions with flattened backtraces copy-pasted from bug reports on Monorail and assigned at apparently the same time I wonder if the OSS-Fuzz project (or the OSV project) has started assigning CVEs automatically left and right?

jsegitz

comment created time in 18 days

issue commentlxc/lxc

Rewrite in Rust ?

Based on https://github.com/systemd/systemd/pull/19598#discussion_r641902890, I think at least the Rust testing ecosystem isn't mature enough to support code written in both Rust and C. Apart from that, it's weirdly hard to integrate Rust into build systems like meson (assuming calling cargo from build scripts isn't an option).

liberodark

comment created time in a month

pull request commentsystemd/systemd

core/service: fix assertion when Type=dbus but BusName= is not specified

Interesting, maybe because it requires a valid type rather than just garbage to get there?

@bluca my guess would be that apart from just parsing unit files the fuzzer should spawn a "fake" manager and do something useful to cover that part of the codebase.

yuwata

comment created time in a month

pull request commentsystemd/systemd

core/service: fix assertion when Type=dbus but BusName= is not specified

Do we have tests for feeding junk data to systemd as unit files? Overly large files, badly formatted, known broken ones, randomly generated junk, etc.

@mbiebl as far as I know there is one fuzz target covering config_parse. I'm not sure it triggers the code path mentioned in https://github.com/systemd/systemd/issues/19920. According to https://storage.googleapis.com/oss-fuzz-coverage/systemd/reports/20210613/linux/src/systemd/src/core/unit.c.html#L3491 unit_add_node_dependency has never been run on OSS-Fuzz.

yuwata

comment created time in a month

PullRequestReviewEvent