Re: [PATCH] libsepol: invalidate the pointer to the policydb if policydb_init fails

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Mar 1, 2021 at 3:55 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> On Sun, Feb 28, 2021 at 3:51 AM Nicolas Iooss <nicolas.iooss@xxxxxxx> wrote:
> >
> > Facebook's Infer static analyzer warns about a use-after-free issue in
> > libsemanage:
> >
> >     int semanage_direct_mls_enabled(semanage_handle_t * sh)
> >     {
> >             sepol_policydb_t *p = NULL;
> >             int retval;
> >
> >             retval = sepol_policydb_create(&p);
> >             if (retval < 0)
> >                     goto cleanup;
> >
> >             /* ... */
> >     cleanup:
> >             sepol_policydb_free(p);
> >             return retval;
> >     }
> >
> > When sepol_policydb_create() is called, p is allocated and
> > policydb_init() is called. If this second call fails, p is freed
> > andsepol_policydb_create() returns -1, but p still stores a pointer to
> > freed memory. This pointer is then freed again in the cleanup part of
> > semanage_direct_mls_enabled().
> >
> > Fix this by setting p to NULL in sepol_policydb_create() after freeing
> > it.
> >
> > Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>
>
> Acked-by: James Carter <jwcart2@xxxxxxxxx>

Merged.
Nicolas

> > ---
> >  libsepol/src/policydb_public.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/libsepol/src/policydb_public.c b/libsepol/src/policydb_public.c
> > index e5def7078eb0..0218c9403856 100644
> > --- a/libsepol/src/policydb_public.c
> > +++ b/libsepol/src/policydb_public.c
> > @@ -68,6 +68,7 @@ int sepol_policydb_create(sepol_policydb_t ** sp)
> >         p = &(*sp)->p;
> >         if (policydb_init(p)) {
> >                 free(*sp);
> > +               *sp = NULL;
> >                 return -1;
> >         }
> >         return 0;
> > --
> > 2.30.0
> >




[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux