Re: [PATCH 1/3] libselinux: fix potential NULL reference and memory leak in audit2why

James Carter <jwcart2@xxxxxxxxx> · Fri, 16 Dec 2022 11:03:43 -0500

On Mon, Dec 5, 2022 at 7:13 AM Jie Lu <lujie54@xxxxxxxxxx> wrote:
>
> In audit2why.c add return check for memory allocation. And free every element
> in the boollist when function fails.
>
> Signed-off-by: Jie Lu <lujie54@xxxxxxxxxx>
> ---
>  libselinux/src/audit2why.c | 26 ++++++++++++++++++++++++--
>  1 file changed, 24 insertions(+), 2 deletions(-)
>
> diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c
> index ba1a66eb..742b4ff5 100644
> --- a/libselinux/src/audit2why.c
> +++ b/libselinux/src/audit2why.c
> @@ -55,7 +55,16 @@ static int load_booleans(const sepol_bool_t * boolean,
>                          void *arg __attribute__ ((__unused__)))
>  {
>         boollist[boolcnt] = malloc(sizeof(struct boolean_t));
> +       if (!boollist[boolcnt]) {
> +               PyErr_SetString( PyExc_MemoryError, "Out of memory\n");
> +               return -1;
> +       }
>         boollist[boolcnt]->name = strdup(sepol_bool_get_name(boolean));
> +       if (!boollist[boolcnt]->name) {
> +               PyErr_SetString( PyExc_MemoryError, "Out of memory\n");
> +               free(boollist[boolcnt]);
> +               return -1;
> +       }
>         boollist[boolcnt]->active = sepol_bool_get_value(boolean);
>         boolcnt++;
>         return 0;
> @@ -149,6 +158,11 @@ static int check_booleans(struct boolean_t **bools)
>
>         if (fcnt > 0) {
>                 *bools = calloc(sizeof(struct boolean_t), fcnt + 1);
> +               if (!*bools) {
> +                       PyErr_SetString( PyExc_MemoryError, "Out of memory\n");
> +                       free(foundlist);
> +                       return 0;
> +               }
>                 struct boolean_t *b = *bools;
>                 for (i = 0; i < fcnt; i++) {
>                         int ctr = foundlist[i];
> @@ -278,14 +292,22 @@ static int __policy_init(const char *init_path)
>         return 0;
>
>  err:
> -       if (boollist)
> -               free(boollist);
> +       if (boollist) {
> +               for (i = 0; i < boolcnt; i++) {
> +                        free(boollist[i]->name);
> +                        free(boollist[i]);
> +                }
> +                free(boollist);
> +                boollist = NULL;
> +                boolcnt = 0;
> +       }

i is not declared and it is indented with spaces rather than tabs.

Thanks,
Jim

>         if (avc){
>                 if (avc->handle)
>                         sepol_handle_destroy(avc->handle);
>                 if (avc->policydb)
>                         sepol_policydb_free(avc->policydb);
>                 free(avc);
> +               avc = NULL;
>         }
>         if (pf)
>                 sepol_policy_file_free(pf);
> --
> 2.27.0
>