On Mon, Jun 15, 2020 at 4:45 PM <trix@xxxxxxxxxx> wrote:
> From: Tom Rix <trix@xxxxxxxxxx>
>
> Clang static analysis reports this double free error
>
> security/selinux/ss/conditional.c:139:2: warning: Attempt to free released memory [unix.Malloc]
> kfree(node->expr.nodes);
> ^~~~~~~~~~~~~~~~~~~~~~~
>
> When cond_read_node fails, it calls cond_node_destroy which frees the
> node but does not poison the entry in the node list. So when it
> returns to its caller cond_read_list, cond_read_list deletes the
> partial list. The latest entry in the list will be deleted twice.
>
> So instead of freeing the node in cond_read_node, let list freeing in
> code_read_list handle the freeing the problem node along with all of the
> earlier nodes.
>
> Because cond_read_node no longer does any error handling, the goto's
> the error case are redundant. Instead just return the error code.
>
> Fixes: 60abd3181db2 ("selinux: convert cond_list to array")
>
> Signed-off-by: Tom Rix <trix@xxxxxxxxxx>
> ---
> v3: simplify returns
>
> security/selinux/ss/conditional.c | 18 +++++-------------
> 1 file changed, 5 insertions(+), 13 deletions(-)
Merged into selinux/stable-5.8 with a better subject line. Thanks for
catching this and submitting the fix. Assuming everything goes well
I'll send this up to Linus later this week.
It might be nice to do a follow-up patch for selinux/next which folds
cond_node_destroy() into cond_list_destroy() as there is no longer a
need for that code to be in a separate function.
--
paul moore
www.paul-moore.com
