| Message ID | 1476817128-16108-3-git-send-email-jwcart2@tycho.nsa.gov (mailing list archive) |
|---|---|
| State | Not Applicable |
| Headers | show |
diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c index caf3321..687962e 100644 --- a/libsepol/cil/src/cil_post.c +++ b/libsepol/cil/src/cil_post.c @@ -865,13 +865,7 @@ static int __evaluate_cat_expression(struct cil_cats *cats, struct cil_db *db) ebitmap_destroy(&bitmap); cil_list_destroy(&cats->datum_expr, CIL_FALSE); - if (new->head != NULL) { - cats->datum_expr = new; - } else { - /* empty list */ - cil_list_destroy(&new, CIL_FALSE); - cats->datum_expr = NULL; - } + cats->datum_expr = new; cats->evaluated = CIL_TRUE;
Nicolas Looss found while fuzzing secilc with AFL that the following policy will cause a segfault. (category c0) (category c1) (categoryorder (c0 c1)) (sensitivity s0) (sensitivitycategory s0 (not (all))) The expression "(not (all))" is evaluated as containing no categories. There is a check for the resulting empty list and the category datum expression is set to NULL. The segfault occurs because the datum expression is assumed to be non-NULL after evaluation. Assign the list to the datum expression even if it is empty. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov> --- libsepol/cil/src/cil_post.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-)