On Mon, Oct 11, 2021 at 12:41 PM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> Free the local access vector list on failure as it does not get moved
> into the policy structure.
>
> Direct leak of 16 byte(s) in 1 object(s) allocated from:
> #0 0x52596d in malloc (./out/binpolicy-fuzzer+0x52596d)
> #1 0x5b30d2 in cond_insertf ./libsepol/src/conditional.c:682:9
> #2 0x5ac218 in avtab_read_item ./libsepol/src/avtab.c:583:10
> #3 0x5b21f4 in cond_read_av_list ./libsepol/src/conditional.c:725:8
> #4 0x5b21f4 in cond_read_node ./libsepol/src/conditional.c:798:7
> #5 0x5b21f4 in cond_read_list ./libsepol/src/conditional.c:847:7
> #6 0x576b6e in policydb_read ./libsepol/src/policydb.c:4436:8
> #7 0x55a1fe in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:24:6
> #8 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
> #9 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
> #10 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
> #11 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
> #12 0x7f47abeb87ec in __libc_start_main csu/../csu/libc-start.c:332:16
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
> libsepol/src/conditional.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/libsepol/src/conditional.c b/libsepol/src/conditional.c
> index 9a10aae1..50cb5395 100644
> --- a/libsepol/src/conditional.c
> +++ b/libsepol/src/conditional.c
> @@ -724,8 +724,10 @@ static int cond_read_av_list(policydb_t * p, void *fp,
> for (i = 0; i < len; i++) {
> rc = avtab_read_item(fp, p->policyvers, &p->te_cond_avtab,
> cond_insertf, &data);
> - if (rc)
> + if (rc) {
> + cond_av_list_destroy(data.head);
> return rc;
> + }
>
> }
>
> --
> 2.33.0
>
Please remove the cond_av_list_destroy() call in cond_insertf(). That
won't be needed with it being called here.
Jim
