1 files changed, 48 insertions, 0 deletions

diff --git a/0001-libsepol-cil-Check-for-improper-category-range.patch b/0001-libsepol-cil-Check-for-improper-category-range.patch
new file mode 100644
index 000000000000..dc4c07ea58b7
--- /dev/null
+++ b/0001-libsepol-cil-Check-for-improper-category-range.patch
@@ -0,0 +1,48 @@
+From 0763ecb640e0ad527ec21ba1f9bc95174744b12b Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@tycho.nsa.gov>
+Date: Tue, 18 Oct 2016 14:17:03 -0400
+Subject: [PATCH] libsepol/cil: Check for improper category range
+
+Nicolas Iooss found while fuzzing secilc with AFL that the following
+policy will cause a segfault.
+
+(category c0)
+(category c1)
+(categoryorder (c0 c1))
+(sensitivity s0)
+(sensitivitycategory s0 (range c1 c0))
+
+The category range "(range c1 c0)" is invalid because c1 comes after c0
+in order.
+
+The invalid range is evaluated as containing no categories. There is a
+check for the resulting empty list and the category datum expression is
+set to NULL. The segfault occurs because the datum expression is assumed
+to be non-NULL after evaluation.
+
+Add a check for an invalid range when evaluating category ranges.
+
+Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
+---
+ libsepol/cil/src/cil_post.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
+index f8447c981486..caf3321d09e1 100644
+--- a/libsepol/cil/src/cil_post.c
++++ b/libsepol/cil/src/cil_post.c
+@@ -952,6 +952,11 @@ static int __cil_cat_expr_range_to_bitmap_helper(struct cil_list_item *i1, struc
+ 		c2 = alias->actual;
+ 	}
+ 
++	if (c1->value > c2->value) {
++		cil_log(CIL_ERR, "Invalid category range\n");
++		goto exit;
++	}
++
+ 	for (i = c1->value; i <= c2->value; i++) {
+ 		if (ebitmap_set_bit(bitmap, i, 1)) {
+ 			cil_log(CIL_ERR, "Failed to set cat bit\n");
+-- 
+2.10.2
+