Hi,

Currently libselinux/src/label.c defines selabel_subs_init() like this [1]:

    struct selabel_sub *selabel_subs_init(/* ... */)
    {
        /* ... */
        while (fgets_unlocked(buf, sizeof(buf) - 1, cfg)) {
            /* ... allocate and fill "sub" ... */
            sub->next = list;
            list = sub;
        }

        if (digest_add_specfile(digest, cfg, NULL, sb.st_size, path) < 0)
            goto err;

    out:
        fclose(cfg);
        return list;
    err:
        if (sub)
            free(sub->src);
        free(sub);
        goto out;
    }

When digest_add_specfile() fails, sub is freed (in the err label), but as list=sub, it means that the return value, list, is freed. This leads to a use-after-free when this value is used.

What should selabel_subs_init() do (and return) when digest_add_specfile() fails?

Nicolas

[1] https://github.com/SELinuxProject/selinux/blob/9cc62ce35d099acf7897b6259228479737521709/libselinux/src/label.c#L94
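The error path described in the message above, reduced to a self-contained C sketch beside one way to avoid the dangling return value. This is an added example, not code from libselinux or from the original post. struct sub, push(), free_list(), the digest_ok flag and the choice to return NULL on failure are assumptions made for illustration; the message leaves open what the real function should return.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for struct selabel_sub: only the fields the message shows. */
struct sub { char *src; struct sub *next; };
static int live; /* nodes currently allocated, so callers can check for leaks */

static struct sub *push(struct sub *list, const char *src)
{
	struct sub *s = calloc(1, sizeof(*s));
	if (!s) return list;
	s->src = malloc(strlen(src) + 1);
	if (s->src) strcpy(s->src, src);
	s->next = list;
	live++;
	return s;
}

static void free_list(struct sub *list)
{
	while (list) {
		struct sub *next = list->next;
		free(list->src);
		free(list);
		live--;
		list = next;
	}
}

/* Pattern from the message: on failure only `sub` is freed, yet sub == list. */
struct sub *subs_init_buggy(const char **lines, int n, int digest_ok)
{
	struct sub *list = NULL, *sub = NULL;
	for (int i = 0; i < n; i++) { sub = push(list, lines[i]); list = sub; }
	if (!digest_ok) goto err; /* digest_ok == 0 models the digest step failing */
out:
	return list; /* after err: this points at freed memory, older nodes leak */
err:
	if (sub) free(sub->src);
	free(sub);
	goto out;
}

/* Assumed behaviour: release every entry and return NULL when the digest step fails. */
struct sub *subs_init_fixed(const char **lines, int n, int digest_ok)
{
	struct sub *list = NULL;
	for (int i = 0; i < n; i++) list = push(list, lines[i]);
	if (!digest_ok) { free_list(list); list = NULL; }
	return list;
}
```

Building the buggy variant with -fsanitize=address and walking the list it returns on the failure path reports the use-after-free at the first dereference.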