define_te_avtab_xperms_helper() allocates memory for the avrule, while define_te_avtab_ioctl() does not transfer any ownership of it. Free the affected memory. Direct leak of 272 byte(s) in 2 object(s) allocated from: #0 0x49bb8d in __interceptor_malloc (./checkpolicy/checkmodule+0x49bb8d) #1 0x4f379c in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2047:24 #2 0x4f379c in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2469:6 #3 0x4cf417 in yyparse ./checkpolicy/policy_parse.y:494:30 #4 0x4eaf35 in read_source_policy ./checkpolicy/parse_util.c:63:6 #5 0x50cccd in main ./checkpolicy/checkmodule.c:278:7 #6 0x7fbfa455ce49 in __libc_start_main csu/../csu/libc-start.c:314:16 Direct leak of 32 byte(s) in 2 object(s) allocated from: #0 0x49bb8d in __interceptor_malloc (./checkpolicy/checkmodule+0x49bb8d) #1 0x4f4a38 in avrule_sort_ioctls ./checkpolicy/policy_define.c:1844:12 #2 0x4f4a38 in avrule_ioctl_ranges ./checkpolicy/policy_define.c:2021:6 #3 0x4f4a38 in define_te_avtab_ioctl ./checkpolicy/policy_define.c:2399:6 #4 0x4f4a38 in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2475:7 #5 0x4cf417 in yyparse ./checkpolicy/policy_parse.y:494:30 #6 0x4eaf35 in read_source_policy ./checkpolicy/parse_util.c:63:6 #7 0x50cccd in main ./checkpolicy/checkmodule.c:278:7 #8 0x7fbfa455ce49 in __libc_start_main csu/../csu/libc-start.c:314:16 Reported-by: liwugang <liwugang@xxxxxxx> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> --- checkpolicy/policy_define.c | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c index c71e0571..185d5704 100644 --- a/checkpolicy/policy_define.c +++ b/checkpolicy/policy_define.c @@ -2390,7 +2390,7 @@ static int avrule_cpy(avrule_t *dest, const avrule_t *src) static int define_te_avtab_ioctl(const avrule_t *avrule_template) { avrule_t *avrule; - struct av_ioctl_range_list *rangelist; + struct av_ioctl_range_list *rangelist, *r; av_extended_perms_t *complete_driver, *partial_driver, *xperms; unsigned int i; @@ -2448,6 +2448,12 @@ done: if (partial_driver) free(partial_driver); + while (rangelist != NULL) { + r = rangelist; + rangelist = rangelist->next; + free(r); + } + return 0; } @@ -2456,6 +2462,7 @@ int define_te_avtab_extended_perms(int which) char *id; unsigned int i; avrule_t *avrule_template; + int rc = 0; if (pass == 1) { for (i = 0; i < 4; i++) { @@ -2471,15 +2478,17 @@ int define_te_avtab_extended_perms(int which) id = queue_remove(id_queue); if (strcmp(id,"ioctl") == 0) { - free(id); - if (define_te_avtab_ioctl(avrule_template)) - return -1; + rc = define_te_avtab_ioctl(avrule_template); } else { yyerror("only ioctl extended permissions are supported"); - free(id); - return -1; + rc = -1; } - return 0; + + free(id); + avrule_destroy(avrule_template); + free(avrule_template); + + return rc; } static int define_te_avtab_helper(int which, avrule_t ** rule) -- 2.33.0