forked from pool/libsepol

Accepting request 904153 from home:jsegitz:branches:security:SELinux

- Fix use-after-free in __cil_verify_classperms (CVE-2021-36085, 1187965).
  Added CVE-2021-36085.patch
- Fix use-after-free in cil_reset_classpermission (CVE-2021-36086, 1187964).
  Added CVE-2021-36086.patch

OBS-URL: https://build.opensuse.org/request/show/904153
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libsepol?expand=0&rev=87
Johannes Segitz 2021-07-05 12:52:59 +00:00 committed by Git OBS Bridge
parent d9c6b82ffe
commit d28af01c4e
4 changed files with 84 additions and 0 deletions

CVE-2021-36085.patch Normal file

@ -0,0 +1,33 @@
From 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Thu, 8 Apr 2021 13:32:04 -0400
Subject: [PATCH] libsepol/cil: Destroy classperm list when resetting map perms
Map perms share the same struct as regular perms, but only the
map perms use the classperms field. This field is a pointer to a
list of classperms that is created and added to when resolving
classmapping rules, so the map permission doesn't own any of the
data in the list and this list should be destroyed when the AST is
reset.
When resetting a perm, destroy the classperms list without destroying
the data in the list.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
libsepol/cil/src/cil_reset_ast.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: libsepol/libsepol-3.2/cil/src/cil_reset_ast.c
===================================================================
--- libsepol.orig/libsepol-3.2/cil/src/cil_reset_ast.c
+++ libsepol/libsepol-3.2/cil/src/cil_reset_ast.c
@@ -36,7 +36,7 @@ static void cil_reset_class(struct cil_c
static void cil_reset_perm(struct cil_perm *perm)
{
- cil_reset_classperms_list(perm->classperms);
+ cil_list_destroy(&perm->classperms, CIL_FALSE);
}
static inline void cil_reset_classperms(struct cil_classperms *cp)
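
Review bot: in cil_reset_perm() the new cil_list_destroy(&perm->classperms, CIL_FALSE) call runs for every perm, while the commit message says only map perms use the classperms field, so for regular perms the pointer is presumably NULL. Nothing in this hunk shows that cil_list_destroy() accepts a NULL list; please confirm it does, or guard the call with a check on perm->classperms. It would also help to state in the message that the list is rebuilt when classmapping rules are resolved again, since that is what makes dropping it on reset safe.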

CVE-2021-36086.patch Normal file

@ -0,0 +1,39 @@
From c49a8ea09501ad66e799ea41b8154b6770fec2c8 Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Thu, 8 Apr 2021 13:32:06 -0400
Subject: [PATCH] libsepol/cil: cil_reset_classperms_set() should not reset
classpermission
In struct cil_classperms_set, the set field is a pointer to a
struct cil_classpermission which is looked up in the symbol table.
Since the cil_classperms_set does not create the cil_classpermission,
it should not reset it.
Set the set field to NULL instead of resetting the classpermission
that it points to.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
libsepol/cil/src/cil_reset_ast.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libsepol/cil/src/cil_reset_ast.c b/libsepol/cil/src/cil_reset_ast.c
index 89f91e56..1d9ca704 100644
--- a/libsepol/cil/src/cil_reset_ast.c
+++ b/libsepol/cil/src/cil_reset_ast.c
@@ -59,7 +59,11 @@ static void cil_reset_classpermission(struct cil_classpermission *cp)
static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)
{
- cil_reset_classpermission(cp_set->set);
+ if (cp_set == NULL) {
+ return;
+ }
+
+ cp_set->set = NULL;
}
static inline void cil_reset_classperms_list(struct cil_list *cp_list)
--
2.26.2
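
Review bot: the cp_set == NULL guard added at the top of cil_reset_classperms_set() is not mentioned in the commit message, which only describes replacing the reset with cp_set->set = NULL. Please say whether a NULL cp_set can actually reach this function, or drop the guard if it cannot. Since set is now left NULL after a reset, any code that reads cp_set->set before the name is looked up in the symbol table again needs to tolerate NULL; the hunk does not show those readers, so a sentence on that in the message would make the fix easier to audit.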


@ -1,3 +1,11 @@
-------------------------------------------------------------------
Mon Jul 5 11:31:07 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Fix use-after-free in __cil_verify_classperms (CVE-2021-36085, 1187965).
Added CVE-2021-36085.patch
- Fix use-after-free in cil_reset_classpermission (CVE-2021-36086, 1187964).
Added CVE-2021-36086.patch
-------------------------------------------------------------------
Tue Mar 9 09:11:42 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
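
Review bot: the two new entries cite 1187965 and 1187964 as bare numbers next to the CVE ids, so a reader cannot tell which tracker they belong to. Prefix them with the tracker tag (for SUSE Bugzilla that is bsc#, e.g. bsc#1187965) so the references are unambiguous and can be matched automatically.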


@ -27,6 +27,9 @@ Group: Development/Libraries/C and C++
URL: https://github.com/SELinuxProject/selinux/wiki/Releases
Source: https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz
Source2: baselibs.conf
# all upstream, remove in next version
Patch0: CVE-2021-36085.patch
Patch1: CVE-2021-36086.patch
BuildRequires: flex
BuildRequires: pkgconfig
BuildRoot: %{_tmppath}/%{name}-%{version}-build
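
Review bot: the comment above Patch0 and Patch1 says both are upstream but does not name the upstream commits. The patch headers already carry them (2d35fcc7e9e9 for CVE-2021-36085.patch, c49a8ea09501 for CVE-2021-36086.patch); citing them here makes it quick to check that the next version contains both before the patches are dropped.
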
@ -88,6 +91,7 @@ policies.
%prep
%setup -q
%autopatch -p2
%build
%define _lto_cflags %{nil}
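
Review bot: %autopatch -p2 applies one strip level to every patch, and the two patches added here use different path layouts: CVE-2021-36085.patch has libsepol.orig/libsepol-3.2/cil/src/... and CVE-2021-36086.patch has a/libsepol/cil/src/.... Both happen to carry two leading components, so -p2 works for both, but a later patch with a different depth will fail to apply. Consider refreshing both patches to the same layout.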