On Sun, Feb 28, 2021 at 3:51 AM Nicolas Iooss <nicolas.iooss@xxxxxxx> wrote:
>
> Facebook's Infer static analyzer warns about a use-after-free issue in
> libsemanage:
>
> int semanage_direct_mls_enabled(semanage_handle_t * sh)
> {
> sepol_policydb_t *p = NULL;
> int retval;
>
> retval = sepol_policydb_create(&p);
> if (retval < 0)
> goto cleanup;
>
> /* ... */
> cleanup:
> sepol_policydb_free(p);
> return retval;
> }
>
> When sepol_policydb_create() is called, p is allocated and
> policydb_init() is called. If this second call fails, p is freed
> andsepol_policydb_create() returns -1, but p still stores a pointer to
> freed memory. This pointer is then freed again in the cleanup part of
> semanage_direct_mls_enabled().
>
> Fix this by setting p to NULL in sepol_policydb_create() after freeing
> it.
>
> Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>
Acked-by: James Carter <jwcart2@xxxxxxxxx>
> ---
> libsepol/src/policydb_public.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/libsepol/src/policydb_public.c b/libsepol/src/policydb_public.c
> index e5def7078eb0..0218c9403856 100644
> --- a/libsepol/src/policydb_public.c
> +++ b/libsepol/src/policydb_public.c
> @@ -68,6 +68,7 @@ int sepol_policydb_create(sepol_policydb_t ** sp)
> p = &(*sp)->p;
> if (policydb_init(p)) {
> free(*sp);
> + *sp = NULL;
> return -1;
> }
> return 0;
> --
> 2.30.0
>
