libsepol/cil: Check datum in ordered list for expected flavor

The secilc-fuzzer found an out of bounds memory access occurs when building the binary policy if a map class is included in a classorder statement. The order statements in CIL (sidorder, classorder, categoryorder, and sensitivityorder) are used to specify an ordering for sids, classes, categories, and sensitivities. When the order statments are resolved and merged, only in the case of the category order list is the datum resolved checked to see if it is the expected flavor. When resolving the sid, class, and sensitivity order statements, check that each name resolved to a datum of the expected flavor and return an error if it does not. Signed-off-by: James Carter <jwcart2@gmail.com>
sailfishos-mirror · May 4, 2021 · d438b6c · d438b6c
1 parent 74d00a8
commit d438b6c
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
@@ -1488,6 +1488,11 @@ int cil_resolve_classorder(struct cil_tree_node *current, void *extra_args)
 			rc = SEPOL_ERR;
 			goto exit;
 		}
+		if (FLAVOR(datum) != CIL_CLASS) {
+			cil_log(CIL_ERR, "%s is not a class. Only classes are allowed in classorder statements\n", datum->name);
+			rc = SEPOL_ERR;
+			goto exit;
+		}
 		cil_list_append(new, CIL_CLASS, datum);
 	}
 
@@ -1526,6 +1531,12 @@ int cil_resolve_sidorder(struct cil_tree_node *current, void *extra_args)
 			cil_log(CIL_ERR, "Failed to resolve sid %s in sidorder\n", (char *)curr->data);
 			goto exit;
 		}
+		if (FLAVOR(datum) != CIL_SID) {
+			cil_log(CIL_ERR, "%s is not a sid. Only sids are allowed in sidorder statements\n", datum->name);
+			rc = SEPOL_ERR;
+			goto exit;
+		}
+
 		cil_list_append(new, CIL_SID, datum);
 	}
 
@@ -1617,6 +1628,11 @@ int cil_resolve_sensitivityorder(struct cil_tree_node *current, void *extra_args
 			cil_log(CIL_ERR, "Failed to resolve sensitivty %s in sensitivityorder\n", (char *)curr->data);
 			goto exit;
 		}
+		if (FLAVOR(datum) != CIL_SENS) {
+			cil_log(CIL_ERR, "%s is not a sensitivity. Only sensitivities are allowed in sensitivityorder statements\n", datum->name);
+			rc = SEPOL_ERR;
+			goto exit;
+		}
 		cil_list_append(new, CIL_SENS, datum);
 	}