afl-fuzz: Fix crash with policy line without ':'
This crash was found by running afl-fuzz. A policy line without a ':'
caused strsep(3) to set |policy_line| to NULL, which was then
dereferenced by the following strip() call.
Bug: None
Test: make tests
Change-Id: I6228a3e4688d4e8641714ec9d10f8cd144dcb5c1
diff --git a/syscall_filter.c b/syscall_filter.c
index 5a3ef21..0cb9138 100644
--- a/syscall_filter.c
+++ b/syscall_filter.c
@@ -543,6 +543,13 @@
* statement, treat |policy_line| as a regular policy line.
*/
char *syscall_name = strsep(&policy_line, ":");
+ if (policy_line == NULL) {
+ warn("compile_file: malformed policy line, missing "
+ "':'");
+ ret = -1;
+ goto free_line;
+ }
+
policy_line = strip(policy_line);
if (*policy_line == '\0') {
warn("compile_file: empty policy line");
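Review bot: The new warning at the top of the hunk does not say which line is malformed, so in a policy of a few hundred syscall rules the author has to bisect to find the offending one; since strsep(3) leaves the whole unsplit line in `syscall_name` when no ':' is present, that text is already available and could be echoed, e.g. `warn("compile_file: malformed policy line, missing ':': \"%s\"", syscall_name);`. Rejecting the line with `ret = -1` rather than skipping it is the right fail-closed choice for a seccomp policy compiler (a typo must not silently drop a rule), and a one-line comment stating that intent, `/* Fail closed: a malformed rule must not be silently ignored. */`, above the check would keep a future "just skip it" refactor from weakening it. If `warn` here is the err.h variant it appends strerror(errno) to the message, which would be stale on this path; the existing "empty policy line" warning has the same property, so this is presumably the file's own logging macro, but worth confirming. compile_file's body starts and ends outside this hunk.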
diff --git a/syscall_filter_unittest.cc b/syscall_filter_unittest.cc
index 12389f8..776f7db 100644
--- a/syscall_filter_unittest.cc
+++ b/syscall_filter_unittest.cc
@@ -947,6 +947,22 @@
struct filter_block *arg_blocks_;
};
+TEST_F(FileTest, malformed_policy) {
+ const char *policy =
+ "malformed";
+
+ FILE *policy_file = write_policy_to_pipe(policy, strlen(policy));
+ ASSERT_NE(policy_file, nullptr);
+ int res = compile_file(
+ policy_file, head_, &arg_blocks_, &labels_, USE_RET_KILL, NO_LOGGING, 0);
+ fclose(policy_file);
+
+ /*
+ * Policy is malformed, but process should not crash.
+ */
+ ASSERT_EQ(res, -1);
+}
+
TEST_F(FileTest, seccomp_mode1) {
const char *policy =
"read: 1\n"