From patchwork Mon Oct  3 20:46:57 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Nicolas Iooss <nicolas.iooss@m4x.org>
X-Patchwork-Id: 9360927
Return-Path: <selinux-bounces@tycho.nsa.gov>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	AF28A601C0 for <patchwork-selinux@patchwork.kernel.org>;
	Mon,  3 Oct 2016 20:49:14 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A374728A7F
	for <patchwork-selinux@patchwork.kernel.org>;
	Mon,  3 Oct 2016 20:49:14 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 96B1228A81; Mon,  3 Oct 2016 20:49:14 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED
	autolearn=ham version=3.3.1
Received: from emsm-gh1-uea11.nsa.gov (smtp.nsa.gov [8.44.101.9])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DC7B128A7F
	for <patchwork-selinux@patchwork.kernel.org>;
	Mon,  3 Oct 2016 20:49:12 +0000 (UTC)
X-IronPort-AV: E=Sophos;i="5.31,291,1473120000"; d="scan'208";a="19768084"
IronPort-PHdr: =?us-ascii?q?9a23=3AlQqEyx+MrUv1zv9uRHKM819IXTAuvvDOBiVQ1KB9?=
	=?us-ascii?q?1ukcTK2v8tzYMVDF4r011RmSDN+dsa8P0raN+4nbGkU4qa6bt34DdJEeHzQksu?=
	=?us-ascii?q?4x2zIaPcieFEfgJ+TrZSFpVO5LVVti4m3peRMNQJW2WVTerzWI4CIIHV2nbEwu?=
	=?us-ascii?q?d76zQNOZ1pjsn8mJuLTrKz1SgzS8Zb4gZD6Xli728vcsvI15N6wqwQHIqHYbM8?=
	=?us-ascii?q?5fxGdvOE7B102kvpT4wYRnuxh0l7phspcYEPayQ6NtVrFcDTI7I0gp9cbrsl/F?=
	=?us-ascii?q?VgLJ6XwCAUsMlR8dJQnO6xXzRd/QtSzhraIp3iiROsn/VvY1XjO59I9uFA+ujz?=
	=?us-ascii?q?0IYW1quFrLg9B92foI6CmqoAZylsuNOIw=3D?=
X-IPAS-Result: =?us-ascii?q?A2EWBQBvw/JX/wHyM5BeHQEFAQsBGBgNgwABAQEBAR6BU7p?=
	=?us-ascii?q?PJYdyTAEBAQEBAQEBAgECWyeCMgQDEwWCEQIEAQIkExQgDgMJAQEXKQgIAwEtF?=
	=?us-ascii?q?REOCwUYBIgsBAG1BIdVhjiIaxEBaIUSAQSZeIFljgKKCYVzSJAkVIMgHIFScIU?=
	=?us-ascii?q?1eIEoAQEB?=
Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1])
	by emsm-gh1-uea11.nsa.gov with ESMTP; 03 Oct 2016 20:49:10 +0000
Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u93Kn7lA004154;
	Mon, 3 Oct 2016 16:49:09 -0400
Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil
	[144.51.242.1])
	by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id
	u93KlE3s120339 for <selinux@prometheus.infosec.tycho.ncsc.mil>;
	Mon, 3 Oct 2016 16:47:14 -0400
Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u93KlDJ9004088
	for <selinux@tycho.nsa.gov>; Mon, 3 Oct 2016 16:47:13 -0400
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: 
 A1AmAwDowvJXhyIeaIFeg20BAQEBAYFxpH+RR4Qph3dMAQIBAQEBAQITAQEBCgsJCRmFEQYnYlFXGYhNBAG1AodVhjiJZYUSAQSZeIFljgKPfEiQJIMiDEYcgVJwh1UBAQE
X-IPAS-Result: 
 A1AmAwDowvJXhyIeaIFeg20BAQEBAYFxpH+RR4Qph3dMAQIBAQEBAQITAQEBCgsJCRmFEQYnYlFXGYhNBAG1AodVhjiJZYUSAQSZeIFljgKPfEiQJIMiDEYcgVJwh1UBAQE
X-IronPort-AV: E=Sophos;i="5.31,291,1473134400"; d="scan'208";a="5742503"
Received: from emsm-gh1-uea11.corp.nsa.gov (HELO emsm-gh1-uea11.nsa.gov)
	([10.208.41.37])
	by goalie.tycho.ncsc.mil with ESMTP; 03 Oct 2016 16:47:13 -0400
IronPort-PHdr: =?us-ascii?q?9a23=3ARpThlhGIhuDWkI4atvqoop1GYnF86YWxBRYc798d?=
	=?us-ascii?q?s5kLTJ75pMSwAkXT6L1XgUPTWs2DsrQf2rCQ6f2rADBbqb+681k6OKRWUBEEjc?=
	=?us-ascii?q?hE1ycBO+WiTXPBEfjxciYhF95DXlI2t1uyMExSBdqsLwaK+i760zceF13FOBZv?=
	=?us-ascii?q?IaytQ8iJ3p7xjb35osGIKyxzxxOFKYtoKxu3qQiD/uI3uqBFbpgL9x3Sv3FTcP?=
	=?us-ascii?q?5Xz247bXianhL7+9vitMU7q3cY6Lod8JtbXKH7ebkoZaBJBzQhdWYu7YvksgeQ?=
	=?us-ascii?q?YxGI4y46U24RlhNTSynC6wrhFsP3syD9suNmniidOtbtZbVoSXKl9ag9G0ygsz?=
	=?us-ascii?q?sOKzNsqDKfscd3lq8O+B8=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0ETAgBvw/JXhyIeaIFeRwEBFgEBBgEEA?=
	=?us-ascii?q?QGCfwEBAQEBgXGkf5FHhCmHd0wBAQEBAQEBAQIBAhABAQEKCwkJGS+CMhiCGAY?=
	=?us-ascii?q?nYlFXGYhNBAG1BIdVhjiJZYUSAQSZeIFljgKPfEiQJIMiDEYcgVJwh1UBAQE?=
X-IPAS-Result: =?us-ascii?q?A0ETAgBvw/JXhyIeaIFeRwEBFgEBBgEEAQGCfwEBAQEBgXG?=
	=?us-ascii?q?kf5FHhCmHd0wBAQEBAQEBAQIBAhABAQEKCwkJGS+CMhiCGAYnYlFXGYhNBAG1B?=
	=?us-ascii?q?IdVhjiJZYUSAQSZeIFljgKPfEiQJIMiDEYcgVJwh1UBAQE?=
X-IronPort-AV: E=Sophos;i="5.31,291,1473120000"; d="scan'208";a="19768025"
Received: from mx1.polytechnique.org ([129.104.30.34])
	by emsm-gh1-uea11.nsa.gov with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
	03 Oct 2016 20:47:03 +0000
Received: from localhost.localdomain (32.206.133.77.rev.sfr.net
	[77.133.206.32])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128
	bits)) (No client certificate requested)
	by ssl.polytechnique.org (Postfix) with ESMTPSA id 0F40B564743
	for <selinux@tycho.nsa.gov>; Mon,  3 Oct 2016 22:47:02 +0200 (CEST)
From: Nicolas Iooss <nicolas.iooss@m4x.org>
To: selinux@tycho.nsa.gov
Subject: [PATCH 3/3] libsepol/cil: fix memory leak in __cil_fill_expr()
Date: Mon,  3 Oct 2016 22:46:57 +0200
Message-Id: <20161003204657.2635-4-nicolas.iooss@m4x.org>
X-Mailer: git-send-email 2.10.0
In-Reply-To: <20161003204657.2635-1-nicolas.iooss@m4x.org>
References: <20161003204657.2635-1-nicolas.iooss@m4x.org>
X-AV-Checked: ClamAV using ClamSMTP at svoboda.polytechnique.org (Mon Oct 3
	22:47:02 2016 +0200 (CEST))
X-Org-Mail: nicolas.iooss.2010@polytechnique.org
X-BeenThere: selinux@tycho.nsa.gov
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
	<selinux.tycho.nsa.gov>
List-Post: <mailto:selinux@tycho.nsa.gov>
List-Help: <mailto:selinux-request@tycho.nsa.gov?subject=help>
MIME-Version: 1.0
Errors-To: selinux-bounces@tycho.nsa.gov
Sender: "Selinux" <selinux-bounces@tycho.nsa.gov>
X-Virus-Scanned: ClamAV using ClamSMTP

__cil_fill_expr() initializes 'cil_list *sub_expr' but does not destroy
it when __cil_fill_expr_helper() fails. This list is therefore leaked
when __cil_fill_expr() returns.

This occurs when secilc compiles the following policy:

    (class CLASS (PERM))
    (classorder (CLASS))
    (sid SID)
    (sidorder (SID))
    (user USER)
    (role ROLE)
    (type TYPE)
    (category CAT)
    (categoryorder (CAT))
    (sensitivity SENS)
    (sensitivityorder (SENS))
    (sensitivitycategory SENS (CAT))
    (allow TYPE self (CLASS (PERM)))
    (roletype ROLE TYPE)
    (userrole USER ROLE)
    (userlevel USER (SENS))
    (userrange USER ((SENS)(SENS (CAT))))
    (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))

    (categoryset cats (not (range unknown)))

This bug has been found using gcc address sanitizer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
 libsepol/cil/src/cil_build_ast.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index f57bd21358d3..ee283b535147 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -2562,6 +2562,7 @@ static int __cil_fill_expr(struct cil_tree_node *current, enum cil_flavor flavor
 		cil_list_init(&sub_expr, flavor);
 		rc = __cil_fill_expr_helper(current->cl_head, flavor, sub_expr, depth);
 		if (rc != SEPOL_OK) {
+			cil_list_destroy(&sub_expr, CIL_TRUE);
 			goto exit;
 		}
 		cil_list_append(expr, CIL_LIST, sub_expr);