master

分支 (35)

标签 (22)

管理

管理

master

openEuler-24.03-LTS-SP1

openEuler-25.03

openEuler-24.03-LTS-SP2

openEuler-24.03-LTS

openEuler-24.03-LTS-Next

sync-pr62--to-openEuler-24.03-LTS-SP2

sync-pr62--to-openEuler-24.03-LTS-Next

sync-pr62--to-openEuler-24.03-LTS

openEuler-22.03-LTS-SP4

openEuler-22.03-LTS-SP3

sync-pr47-openEuler-22.03-LTS-SP1-to-openEuler-22.03-LTS-SP3

sync-pr47-openEuler-22.03-LTS-SP1-to-openEuler-22.03-LTS-SP2

sync-pr47-openEuler-22.03-LTS-SP1-to-openEuler-22.03-LTS-Next

sync-pr47-openEuler-22.03-LTS-SP1-to-openEuler-22.03-LTS

openEuler-22.03-LTS-SP1

openEuler-20.03-LTS-SP4

openEuler-20.03-LTS-SP3

openEuler-20.03-LTS-SP1

openEuler-22.03-LTS

openEuler-25.03-release

openEuler-24.03-LTS-SP1-release

openEuler-22.03-LTS-SP4-release

openEuler-24.09-release

openEuler-24.03-LTS-release

openEuler-22.03-LTS-SP3-release

openEuler-23.09-rc5

openEuler-22.03-LTS-SP1-release

openEuler-22.09-release

openEuler-22.09-rc5

openEuler-22.09-20220829

openEuler-22.03-LTS-20220331

openEuler-22.03-LTS-round5

openEuler-22.03-LTS-round3

openEuler-22.03-LTS-round2

openEuler-22.03-LTS-round1

openEuler-20.03-LTS-SP3-release

openEuler-20.03-LTS-SP2-20210624

openEuler-21.03-20210330

openEuler-20.09-20200929

libsemanage
/
backport-libsemanage-direct_api-INTEG...

From 9b4eff9222b24d4b5f2784db281f4f53019263b0 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Fri, 25 Oct 2024 20:32:07 +0200
Subject: [PATCH] libsemanage/direct_api: INTEGER_OVERFLOW read_len = read()

The following statement is always true if read_len is unsigned:
(read_len = read(fd, data_read + data_read_len, max_len - data_read_len)) > 0

Fixes:
 Error: INTEGER_OVERFLOW (CWE-190): [#def19] [important]
 libsemanage-3.7/src/direct_api.c:598:2: tainted_data_return: Called function "read(fd, data_read + data_read_len, max_len - data_read_len)", and a possible return value may be less than zero.
 libsemanage-3.7/src/direct_api.c:598:2: cast_underflow: An assign of a possibly negative number to an unsigned type, which might trigger an underflow.
 libsemanage-3.7/src/direct_api.c:599:3: overflow: The expression "data_read_len += read_len" is deemed underflowed because at least one of its arguments has underflowed.
 libsemanage-3.7/src/direct_api.c:598:2: overflow: The expression "max_len - data_read_len" is deemed underflowed because at least one of its arguments has underflowed.
 libsemanage-3.7/src/direct_api.c:598:2: overflow_sink: "max_len - data_read_len", which might have underflowed, is passed to "read(fd, data_read + data_read_len, max_len - data_read_len)". [Note: The source code implementation of the function has been overridden by a builtin model.]
 \#  596|   	}
 \#  597|
 \#  598|-> 	while ((read_len = read(fd, data_read + data_read_len, max_len - data_read_len)) > 0) {
 \#  599|   		data_read_len += read_len;
 \#  600|   		if (data_read_len == max_len) {

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>

Conflict:NA
Reference:https://github.com/SELinuxProject/selinux/commit/9b4eff9222b24d4b5f2784db281f4f53019263b0

---
 src/direct_api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/direct_api.c b/src/direct_api.c
index d740070d..7631c7bf 100644
--- a/src/direct_api.c
+++ b/src/direct_api.c
@@ -582,7 +582,7 @@ cleanup:
 static int read_from_pipe_to_data(semanage_handle_t *sh, size_t initial_len, int fd, char **out_data_read, size_t *out_read_len)
 {
 	size_t max_len = initial_len;
-	size_t read_len = 0;
+	ssize_t read_len = 0;
 	size_t data_read_len = 0;
 	char *data_read = NULL;

--
2.33.0