On Wed, May 18, 2022 at 11:22 AM James Carter <jwcart2@xxxxxxxxx> wrote: > > On Tue, May 10, 2022 at 4:53 PM Christian Göttsche > <cgzones@xxxxxxxxxxxxxx> wrote: > > > > In case the function __policy_init() gets called with a NULL pointer, > > the stack variable path remains uninitialized (except at its last > > index). If parsing the binary policy fails in sepol_policydb_read() the > > error branch would access those uninitialized memory. > > > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > > For the series with v2 of patch 4: > Acked-by: James Carter <jwcart2@xxxxxxxxx> > Merged with v4 of patch 4. Thanks, Jim > > --- > > libselinux/src/audit2why.c | 34 +++++++++++++--------------------- > > 1 file changed, 13 insertions(+), 21 deletions(-) > > > > diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c > > index ca38e13c..44a9a341 100644 > > --- a/libselinux/src/audit2why.c > > +++ b/libselinux/src/audit2why.c > > @@ -192,25 +192,16 @@ static PyObject *finish(PyObject *self __attribute__((unused)), PyObject *args) > > static int __policy_init(const char *init_path) > > { > > FILE *fp; > > - char path[PATH_MAX]; > > + const char *curpolicy; > > char errormsg[PATH_MAX+1024+20]; > > struct sepol_policy_file *pf = NULL; > > int rc; > > unsigned int cnt; > > > > - path[PATH_MAX-1] = '\0'; > > if (init_path) { > > - strncpy(path, init_path, PATH_MAX-1); > > - fp = fopen(path, "re"); > > - if (!fp) { > > - snprintf(errormsg, sizeof(errormsg), > > - "unable to open %s: %m\n", > > - path); > > - PyErr_SetString( PyExc_ValueError, errormsg); > > - return 1; > > - } > > + curpolicy = init_path; > > } else { > > - const char *curpolicy = selinux_current_policy_path(); > > + curpolicy = selinux_current_policy_path(); > > if (!curpolicy) { > > /* SELinux disabled, must use -p option. */ > > snprintf(errormsg, sizeof(errormsg), > > @@ -218,14 +209,15 @@ static int __policy_init(const char *init_path) > > PyErr_SetString( PyExc_ValueError, errormsg); > > return 1; > > } > > - fp = fopen(curpolicy, "re"); > > - if (!fp) { > > - snprintf(errormsg, sizeof(errormsg), > > - "unable to open %s: %m\n", > > - curpolicy); > > - PyErr_SetString( PyExc_ValueError, errormsg); > > - return 1; > > - } > > + } > > + > > + fp = fopen(curpolicy, "re"); > > + if (!fp) { > > + snprintf(errormsg, sizeof(errormsg), > > + "unable to open %s: %m\n", > > + curpolicy); > > + PyErr_SetString( PyExc_ValueError, errormsg); > > + return 1; > > } > > > > avc = calloc(sizeof(struct avc_t), 1); > > @@ -249,7 +241,7 @@ static int __policy_init(const char *init_path) > > sepol_policy_file_set_fp(pf, fp); > > if (sepol_policydb_read(avc->policydb, pf)) { > > snprintf(errormsg, sizeof(errormsg), > > - "invalid binary policy %s\n", path); > > + "invalid binary policy %s\n", curpolicy); > > PyErr_SetString( PyExc_ValueError, errormsg); > > fclose(fp); > > return 1; > > -- > > 2.36.1 > >