authorLuke Shumaker <lukeshu@sbcglobal.net>2017-02-03 13:02:37 -0500
committerLuke Shumaker <lukeshu@sbcglobal.net>2017-02-03 13:02:37 -0500
commitd9fecb8ab0f52272fd4785fe6f15e6855b2f6008 (patch)
treec519942cea1525634351674f609cfc0fcefceaa7 /pcr/libsepol/0004-libsepol-cil-Check-if-identifier-is-NULL-when-verify.patch
parentb7f02b9741f313a6d6b96c1829d45fe09a39d0de (diff)
add pcr/libsepol
Diffstat (limited to 'pcr/libsepol/0004-libsepol-cil-Check-if-identifier-is-NULL-when-verify.patch')
-rw-r--r--pcr/libsepol/0004-libsepol-cil-Check-if-identifier-is-NULL-when-verify.patch44
1 files changed, 44 insertions, 0 deletions
diff --git a/pcr/libsepol/0004-libsepol-cil-Check-if-identifier-is-NULL-when-verify.patch b/pcr/libsepol/0004-libsepol-cil-Check-if-identifier-is-NULL-when-verify.patch
new file mode 100644
index 000000000..7f286e02e
--- /dev/null
+++ b/pcr/libsepol/0004-libsepol-cil-Check-if-identifier-is-NULL-when-verify.patch
@@ -0,0 +1,44 @@
+From 5d3404acf99ac42cba5182fcbb099930754fc588 Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@tycho.nsa.gov>
+Date: Tue, 18 Oct 2016 14:21:59 -0400
+Subject: [PATCH] libsepol/cil: Check if identifier is NULL when verifying name
+
+Nicolas Iooss found while fuzzing secilc with AFL that the statement
+"(class C (()))" will cause a segfault.
+
+When CIL checks the syntax of the class statement it sees "(())" as a
+valid permission list, but since "()" is not an identifier a NULL is
+passed as the string for name verification. A segfault occurs because
+name verification assumes that the string being checked is non-NULL.
+
+Check if identifier is NULL when verifying name.
+
+Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
+---
+ libsepol/cil/src/cil_verify.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
+index 038f77af57d7..47dcfaa27ca0 100644
+--- a/libsepol/cil/src/cil_verify.c
++++ b/libsepol/cil/src/cil_verify.c
+@@ -50,9 +50,15 @@
+ int __cil_verify_name(const char *name)
+ {
+ int rc = SEPOL_ERR;
+- int len = strlen(name);
++ int len;
+ int i = 0;
+
++ if (name == NULL) {
++ cil_log(CIL_ERR, "Name is NULL\n");
++ goto exit;
++ }
++
++ len = strlen(name);
+ if (len >= CIL_MAX_NAME_LENGTH) {
+ cil_log(CIL_ERR, "Name length greater than max name length of %d",
+ CIL_MAX_NAME_LENGTH);
+--
+2.10.2
+
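Review bot: The new `len = strlen(name);` line in `__cil_verify_name` still narrows a `size_t` into an `int`, so a name longer than INT_MAX would convert to an implementation-defined (typically negative) value and slip past the `len >= CIL_MAX_NAME_LENGTH` check directly below it. Declaring `size_t len;` and comparing with `if (len >= (size_t)CIL_MAX_NAME_LENGTH)` keeps the bound meaningful for any string the parser hands over. The rest of the function lies outside the hunk, so any later use of `len` there would need the matching type. Separately, the NULL guard stops the crash at the point of use, but the commit message says the syntax check still accepts "(())" as a permission list, so it is worth confirming that no other consumer of that list dereferences the same NULL string.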