forked from pool/libsepol
Accepting request 904153 from home:jsegitz:branches:security:SELinux
- Fix use-after-free in __cil_verify_classperms (CVE-2021-36085, 1187965). Added CVE-2021-36085.patch - Fix use-after-free in cil_reset_classpermission (CVE-2021-36086, 1187964). Added CVE-2021-36086.patch OBS-URL: https://build.opensuse.org/request/show/904153 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libsepol?expand=0&rev=87
This commit is contained in:
Johannes Segitz
Git OBS Bridge
parent
d9c6b82ffe
commit
d28af01c4e
33
CVE-2021-36085.patch
Normal file
33
CVE-2021-36085.patch
Normal file
@ -0,0 +1,33 @@
|
||||
From 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba Mon Sep 17 00:00:00 2001
|
||||
From: James Carter <jwcart2@gmail.com>
|
||||
Date: Thu, 8 Apr 2021 13:32:04 -0400
|
||||
Subject: [PATCH] libsepol/cil: Destroy classperm list when resetting map perms
|
||||
|
||||
Map perms share the same struct as regular perms, but only the
|
||||
map perms use the classperms field. This field is a pointer to a
|
||||
list of classperms that is created and added to when resolving
|
||||
classmapping rules, so the map permission doesn't own any of the
|
||||
data in the list and this list should be destroyed when the AST is
|
||||
reset.
|
||||
|
||||
When resetting a perm, destroy the classperms list without destroying
|
||||
the data in the list.
|
||||
|
||||
Signed-off-by: James Carter <jwcart2@gmail.com>
|
||||
---
|
||||
libsepol/cil/src/cil_reset_ast.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
Index: libsepol/libsepol-3.2/cil/src/cil_reset_ast.c
|
||||
===================================================================
|
||||
--- libsepol.orig/libsepol-3.2/cil/src/cil_reset_ast.c
|
||||
+++ libsepol/libsepol-3.2/cil/src/cil_reset_ast.c
|
||||
@@ -36,7 +36,7 @@ static void cil_reset_class(struct cil_c
|
||||
|
||||
static void cil_reset_perm(struct cil_perm *perm)
|
||||
{
|
||||
- cil_reset_classperms_list(perm->classperms);
|
||||
+ cil_list_destroy(&perm->classperms, CIL_FALSE);
|
||||
}
|
||||
|
||||
static inline void cil_reset_classperms(struct cil_classperms *cp)
|
||||
39
CVE-2021-36086.patch
Normal file
39
CVE-2021-36086.patch
Normal file
@ -0,0 +1,39 @@
|
||||
From c49a8ea09501ad66e799ea41b8154b6770fec2c8 Mon Sep 17 00:00:00 2001
|
||||
From: James Carter <jwcart2@gmail.com>
|
||||
Date: Thu, 8 Apr 2021 13:32:06 -0400
|
||||
Subject: [PATCH] libsepol/cil: cil_reset_classperms_set() should not reset
|
||||
classpermission
|
||||
|
||||
In struct cil_classperms_set, the set field is a pointer to a
|
||||
struct cil_classpermission which is looked up in the symbol table.
|
||||
Since the cil_classperms_set does not create the cil_classpermission,
|
||||
it should not reset it.
|
||||
|
||||
Set the set field to NULL instead of resetting the classpermission
|
||||
that it points to.
|
||||
|
||||
Signed-off-by: James Carter <jwcart2@gmail.com>
|
||||
---
|
||||
libsepol/cil/src/cil_reset_ast.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libsepol/cil/src/cil_reset_ast.c b/libsepol/cil/src/cil_reset_ast.c
|
||||
index 89f91e56..1d9ca704 100644
|
||||
--- a/libsepol/cil/src/cil_reset_ast.c
|
||||
+++ b/libsepol/cil/src/cil_reset_ast.c
|
||||
@@ -59,7 +59,11 @@ static void cil_reset_classpermission(struct cil_classpermission *cp)
|
||||
|
||||
static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)
|
||||
{
|
||||
- cil_reset_classpermission(cp_set->set);
|
||||
+ if (cp_set == NULL) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ cp_set->set = NULL;
|
||||
}
|
||||
|
||||
static inline void cil_reset_classperms_list(struct cil_list *cp_list)
|
||||
--
|
||||
2.26.2
|
||||
|
||||
@ -1,3 +1,11 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Jul 5 11:31:07 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
|
||||
|
||||
- Fix use-after-free in __cil_verify_classperms (CVE-2021-36085, 1187965).
|
||||
Added CVE-2021-36085.patch
|
||||
- Fix use-after-free in cil_reset_classpermission (CVE-2021-36086, 1187964).
|
||||
Added CVE-2021-36086.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Mar 9 09:11:42 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
|
||||
|
||||
|
||||
@ -27,6 +27,9 @@ Group: Development/Libraries/C and C++
|
||||
URL: https://github.com/SELinuxProject/selinux/wiki/Releases
|
||||
Source: https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz
|
||||
Source2: baselibs.conf
|
||||
# all upstream, remove in next version
|
||||
Patch0: CVE-2021-36085.patch
|
||||
Patch1: CVE-2021-36086.patch
|
||||
BuildRequires: flex
|
||||
BuildRequires: pkgconfig
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
@ -88,6 +91,7 @@ policies.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%autopatch -p2
|
||||
|
||||
%build
|
||||
%define _lto_cflags %{nil}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user