libsepol: check scope permissions refer to valid class

cgzones · jwcart2 · commit 589e2dba72f4 · 2024-06-21T09:29:50.000-04:00
Validate that the permission maps in the scope index refer to a valid class datum. Otherwise since commit 52e5c30 ("libsepol: move unchanged data out of loop") this can lead to a NULL dereference in the class existence check during linking. Reported-by: oss-fuzz (issue 69655) Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com>
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
@@ -1468,6 +1468,8 @@ static int validate_range_trans_rules(sepol_handle_t *handle, const range_trans_
 
 static int validate_scope_index(sepol_handle_t *handle, const scope_index_t *scope_index, validate_t flavors[])
 {
+	uint32_t i;
+
 	if (!ebitmap_is_empty(&scope_index->scope[SYM_COMMONS]))
 		goto bad;
 	if (validate_ebitmap(&scope_index->p_classes_scope, &flavors[SYM_CLASSES]))
@@ -1484,8 +1486,10 @@ static int validate_scope_index(sepol_handle_t *handle, const scope_index_t *sco
 		goto bad;
 	if (validate_ebitmap(&scope_index->p_cat_scope, &flavors[SYM_CATS]))
 		goto bad;
-	if (scope_index->class_perms_len > flavors[SYM_CLASSES].nprim)
-		goto bad;
+
+	for (i = 0; i < scope_index->class_perms_len; i++)
+		if (validate_value(i + 1, &flavors[SYM_CLASSES]))
+			goto bad;
 
 	return 0;
 
