From patchwork Wed Aug 10 21:51:21 2016
X-Patchwork-Submitter: "Roberts, William C"
X-Patchwork-Id: 9274249
From: william.c.roberts@intel.com
To: selinux@tycho.nsa.gov, jwcart2@tycho.nsa.gov, seandroid-list@tycho.nsa.gov, sds@tycho.nsa.gov
Subject: [PATCH 4/5] genfs_read: fix use heap-use-after-free
Date: Wed, 10 Aug 2016 14:51:21 -0700
Message-Id: <1470865882-22435-4-git-send-email-william.c.roberts@intel.com>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <1470865882-22435-1-git-send-email-william.c.roberts@intel.com>
References: <1470865882-22435-1-git-send-email-william.c.roberts@intel.com>
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

From: William Roberts

The newc variable is calloc'd and assigned to a new owner during a loop. After the first assignment of newc to newgenfs->head, the subsequent iteration could fail before newc is reseated with a new heap allocation pointer. When the subsequent iteration fails, the newc variable is freed. Later, an attempt is made to free the same pointer assigned to newgenfs->head. To correct this, clear newc after every loop iteration.

Signed-off-by: William Roberts
---
 libsepol/src/policydb.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c index 6a80f94..971793d 100644 --- a/libsepol/src/policydb.c +++ b/libsepol/src/policydb.c @@ -2812,6 +2812,8 @@ static int genfs_read(policydb_t * p, struct policy_file *fp) l->next = newc; else newgenfs->head = newc; + /* clear newc after a new owner has the pointer */ + newc = NULL; } }
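Review bot: The `newc = NULL` reset closes the double free only because the bail-out path releases `newc` with a NULL-tolerant free; that path is outside the hunk, so the commit message should say it is a plain `free(newc)` (a no-op on NULL) and not a helper that dereferences the pointer first. Placing the reset right after `l->next = newc; else newgenfs->head = newc;` is the correct spot, since from that line the list (and so the genfs destructor the message mentions) owns the node, while a failure between the calloc and this assignment still frees the unowned `newc` once via the error path as before. Minor: the subject "fix use heap-use-after-free" has a doubled word; "fix heap-use-after-free" reads cleanly.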
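The ownership handover the commit message describes, as an added C model that is not libsepol code: `build()` runs a simplified version of the loop with a simulated failure before `newc` is reseated, and counts releases per node instead of calling free() twice, so the pre-patch double free and the patched single free can be compared. The node, list and counter names are constructed for this example.

```c
#include <stdlib.h>
/* Constructed model of the genfs_read ownership transfer (added example, not
 * libsepol code): nodes are chained into a list; on failure the error path
 * frees newc and then the list destructor frees everything reachable from
 * the head. Frees are only counted so the double free is observable safely. */
struct node { struct node *next; };
#define MAX_NODES 8
static struct node *nodes[MAX_NODES];
static int free_count[MAX_NODES];
static int nnodes;
static struct node *new_node(void) {
    struct node *n = calloc(1, sizeof *n);
    if (n && nnodes < MAX_NODES) { nodes[nnodes] = n; free_count[nnodes] = 0; nnodes++; }
    return n;
}
/* Record a release of p instead of calling free(); NULL is a no-op, as with free(). */
static void release(struct node *p) {
    for (int i = 0; p && i < nnodes; i++)
        if (nodes[i] == p) free_count[i]++;
}
static void release_list(struct node *head) {
    for (struct node *n = head; n; n = n->next) release(n);
}
/* Build `count` nodes, failing at iteration `fail_at` before a new node is
 * allocated. clear_after_transfer=0 models the pre-patch loop, 1 the patched
 * loop (newc = NULL). Returns the largest number of times any one node was
 * released: 1 is correct, 2 is the double free the patch removes. */
static int build(int count, int fail_at, int clear_after_transfer) {
    struct node *head = NULL, *l = NULL, *newc = NULL;
    int worst = 0;
    nnodes = 0;
    for (int i = 0; i < count; i++) {
        if (i == fail_at) goto bad;               /* simulated read failure */
        newc = new_node();
        if (!newc) goto bad;
        if (l) l->next = newc; else head = newc;  /* the list now owns newc */
        l = newc;
        if (clear_after_transfer) newc = NULL;    /* the patch's fix */
    }
    release_list(head);
    goto done;
bad:
    release(newc);                                /* error path frees newc ... */
    release_list(head);                           /* ... then the destructor frees the list */
done:
    for (int i = 0; i < nnodes; i++) { if (free_count[i] > worst) worst = free_count[i]; free(nodes[i]); }
    return worst;
}
```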