libsepol/cil: Limit the number of open parentheses allowed
When parsing a CIL policy, the number of open parentheses is tracked
to verify that each has a matching close parenthesis. If there are
too many open parentheses, a stack overflow could occur during later
processing.

Exit with an error if the number of open parenthesis exceeds 4096
(which should be enough for any policy.)

This bug was found by the secilc-fuzzer.

Signed-off-by: James Carter <jwcart2@gmail.com>
jwcart2 committed Jun 4, 2021
1 parent 29d6a3e commit 69fc31d
Showing 1 changed file with 6 additions and 1 deletion.
7 changes: 6 additions & 1 deletion libsepol/cil/src/cil_parser.c
@@ -42,6 +42,8 @@
#include "cil_strpool.h"
#include "cil_stack.h"

#define CIL_PARSER_MAX_EXPR_DEPTH (0x1 << 12)

char *CIL_KEY_HLL_LMS;
char *CIL_KEY_HLL_LMX;
char *CIL_KEY_HLL_LME;
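Review bot: the new `CIL_PARSER_MAX_EXPR_DEPTH` define has no comment saying what it bounds or why this value was chosen. A short comment above it, stating that it caps open-parenthesis nesting in the parser so that later processing cannot overflow the stack, and that `(0x1 << 12)` is 4096, would let a reader match it to the commit message without working out the shift. The name says expression depth while the parser compares it against `paren_count`, so the comment should also say that the two are treated as the same quantity.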
@@ -245,7 +247,10 @@ int cil_parser(const char *_path, char *buffer, uint32_t size, struct cil_tree *
break;
case OPAREN:
paren_count++;

if (paren_count > CIL_PARSER_MAX_EXPR_DEPTH) {
cil_log(CIL_ERR, "Number of open parenthesis exceeds limit of %d at line %d of %s\n", CIL_PARSER_MAX_EXPR_DEPTH, tok.line, path);
goto exit;
}
create_node(&node, current, tok.line, hll_lineno, NULL);
insert_node(node, current);
current = node;
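Review bot: in the new `if (paren_count > CIL_PARSER_MAX_EXPR_DEPTH)` branch, nothing in the visible lines sets the function's return value before `goto exit;`, so whether the caller sees a failure depends on what that value happens to hold at this point in the loop. Assigning the error return explicitly just before the jump would make the failure path self-evident and robust to later changes above it. The check runs after `paren_count++`, so 4096 open parentheses are accepted and the 4097th is rejected, which matches the "exceeds limit" wording in the log message; a one-line comment saying so would prevent an off-by-one "fix" later. The commit touches one file and adds no test, so a regression input that nests just past the limit would pin this behaviour, given that the original problem was found by fuzzing.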