From d28af01c4e145698d5670a2a567cdbb009d55a268fd1e463e65d4bfe5980b7e9 Mon Sep 17 00:00:00 2001
From: Johannes Segitz
Date: Mon, 5 Jul 2021 12:52:59 +0000
Subject: [PATCH] Accepting request 904153 from home:jsegitz:branches:security:SELinux

- Fix use-after-free in __cil_verify_classperms (CVE-2021-36085, 1187965). Added CVE-2021-36085.patch
- Fix use-after-free in cil_reset_classpermission (CVE-2021-36086, 1187964). Added CVE-2021-36086.patch
OBS-URL: https://build.opensuse.org/request/show/904153
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libsepol?expand=0&rev=87
---
 CVE-2021-36085.patch | 33 +++++++++++++++++++++++++++++++++
 CVE-2021-36086.patch | 39 +++++++++++++++++++++++++++++++++++++++
 libsepol.changes | 8 ++++++++
 libsepol.spec | 4 ++++
 4 files changed, 84 insertions(+)
 create mode 100644 CVE-2021-36085.patch
 create mode 100644 CVE-2021-36086.patch

diff --git a/CVE-2021-36085.patch b/CVE-2021-36085.patch
new file mode 100644
index 0000000..d6b760d
--- /dev/null
+++ b/CVE-2021-36085.patch
@@ -0,0 +1,33 @@
+From 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba Mon Sep 17 00:00:00 2001
+From: James Carter
+Date: Thu, 8 Apr 2021 13:32:04 -0400
+Subject: [PATCH] libsepol/cil: Destroy classperm list when resetting map perms
+
+Map perms share the same struct as regular perms, but only the
+map perms use the classperms field. This field is a pointer to a
+list of classperms that is created and added to when resolving
+classmapping rules, so the map permission doesn't own any of the
+data in the list and this list should be destroyed when the AST is
+reset.
+
+When resetting a perm, destroy the classperms list without destroying
+the data in the list.
+
+Signed-off-by: James Carter
+---
+ libsepol/cil/src/cil_reset_ast.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: libsepol/libsepol-3.2/cil/src/cil_reset_ast.c
+===================================================================
+--- libsepol.orig/libsepol-3.2/cil/src/cil_reset_ast.c
++++ libsepol/libsepol-3.2/cil/src/cil_reset_ast.c
+@@ -36,7 +36,7 @@ static void cil_reset_class(struct cil_c
+ 
+ static void cil_reset_perm(struct cil_perm *perm)
+ {
+- cil_reset_classperms_list(perm->classperms);
++ cil_list_destroy(&perm->classperms, CIL_FALSE);
+ }
+ 
+ static inline void cil_reset_classperms(struct cil_classperms *cp)
diff --git a/CVE-2021-36086.patch b/CVE-2021-36086.patch
new file mode 100644
index 0000000..e989fea
--- /dev/null
+++ b/CVE-2021-36086.patch
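Review bot: The new `cil_list_destroy(&perm->classperms, CIL_FALSE)` in cil_reset_perm encodes an ownership rule that only the commit message states — the list entries are borrowed from the classmapping rules, which is exactly why the old cil_reset_classperms_list() call left dangling pointers behind — and nothing at the call site records it, so the next person who reads `CIL_FALSE` as a leak will reintroduce the use-after-free. I would add `/* Map perms only: the entries are owned by the classmapping rules, so free the list but never its data. */` above the call. The fix also relies on cil_list_destroy() tolerating a NULL `perm->classperms` (regular perms never populate the field) and leaving the field NULL afterwards so a later reset or destroy cannot double-free; that helper is outside this hunk, so it is worth confirming against the 3.2 tree this backport targets.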
@@ -0,0 +1,39 @@
+From c49a8ea09501ad66e799ea41b8154b6770fec2c8 Mon Sep 17 00:00:00 2001
+From: James Carter
+Date: Thu, 8 Apr 2021 13:32:06 -0400
+Subject: [PATCH] libsepol/cil: cil_reset_classperms_set() should not reset
+ classpermission
+
+In struct cil_classperms_set, the set field is a pointer to a
+struct cil_classpermission which is looked up in the symbol table.
+Since the cil_classperms_set does not create the cil_classpermission,
+it should not reset it.
+
+Set the set field to NULL instead of resetting the classpermission
+that it points to.
+
+Signed-off-by: James Carter
+---
+ libsepol/cil/src/cil_reset_ast.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/libsepol/cil/src/cil_reset_ast.c b/libsepol/cil/src/cil_reset_ast.c
+index 89f91e56..1d9ca704 100644
+--- a/libsepol/cil/src/cil_reset_ast.c
++++ b/libsepol/cil/src/cil_reset_ast.c
+@@ -59,7 +59,11 @@ static void cil_reset_classpermission(struct cil_classpermission *cp)
+ 
+ static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)
+ {
+- cil_reset_classpermission(cp_set->set);
++ if (cp_set == NULL) {
++ return;
++ }
++
++ cp_set->set = NULL;
+ }
+ 
+ static inline void cil_reset_classperms_list(struct cil_list *cp_list)
+-- 
+2.26.2
+
diff --git a/libsepol.changes b/libsepol.changes
index b43e218..af60787 100644
--- a/libsepol.changes
+++ b/libsepol.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Jul 5 11:31:07 UTC 2021 - Johannes Segitz
+
+- Fix use-after-free in __cil_verify_classperms (CVE-2021-36085, 1187965).
+ Added CVE-2021-36085.patch
+- Fix use-after-free in cil_reset_classpermission (CVE-2021-36086, 1187964).
+ Added CVE-2021-36086.patch
+
 -------------------------------------------------------------------
 Tue Mar 9 09:11:42 UTC 2021 - Johannes Segitz
 
diff --git a/libsepol.spec b/libsepol.spec
index 4f0768f..e24d788 100644
--- a/libsepol.spec
+++ b/libsepol.spec
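Review bot: The added `if (cp_set == NULL) return;` guard in cil_reset_classperms_set is not explained by the commit message, which only covers the `cp_set->set = NULL` change, and it is not visible from the hunk whether any caller (cil_reset_classperms_list, whose body lies outside the hunk) can actually hand in NULL; if none can, the guard silently masks a corrupted list instead of failing fast, so either drop it or document it, e.g. `/* NULL entries: nothing to unlink. */`. I would also record why the pointer is dropped rather than reset, `/* set is a borrowed symtab entry re-resolved on the next pass; never reset the shared object through it. */`, since resetting the shared cil_classpermission through every set that references it appears to be the path behind the reported use-after-free in cil_reset_classpermission. The resolve side that repopulates `set` is not in this hunk, so confirm it does not assume the field is non-NULL after a reset.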
@@ -27,6 +27,9 @@ Group: Development/Libraries/C and C++
 URL: https://github.com/SELinuxProject/selinux/wiki/Releases
 Source: https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz
 Source2: baselibs.conf
+# all upstream, remove in next version
+Patch0: CVE-2021-36085.patch
+Patch1: CVE-2021-36086.patch
 BuildRequires: flex
 BuildRequires: pkgconfig
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -88,6 +91,7 @@ policies.
 %prep
 %setup -q
+%autopatch -p2
 %build
 %define _lto_cflags %{nil}