diff mbox series

[6/6] libsepol/cil: destroy perm_datums when __cil_resolve_perms fails

Message ID 20201230100746.2549568-6-nicolas.iooss@m4x.org (mailing list archive)
State Accepted
Headers show
Series [1/6] libsepol: do not decode out-of-bound rolebounds | expand

Commit Message

Nicolas Iooss Dec. 30, 2020, 10:07 a.m. UTC 
When __cil_resolve_perms fails, it does not destroy perm_datums, which
leads to a memory leak reported by OSS-Fuzz with the following CIL
policy:

    (class cl01())
    (classorder(cl01))
    (type at02)
    (type tpr3)
    (allow at02 tpr3(cl01((s))))

Calling cil_list_destroy() fixes the issue.

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28466
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
 libsepol/cil/src/cil_resolve_ast.c | 1 +
 1 file changed, 1 insertion(+)

Comments

William Roberts Dec. 31, 2020, 3:05 p.m. UTC | #1 
On Wed, Dec 30, 2020 at 4:10 AM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
>
> When __cil_resolve_perms fails, it does not destroy perm_datums, which
> leads to a memory leak reported by OSS-Fuzz with the following CIL
> policy:
>
>     (class cl01())
>     (classorder(cl01))
>     (type at02)
>     (type tpr3)
>     (allow at02 tpr3(cl01((s))))
>
> Calling cil_list_destroy() fixes the issue.
>
> Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28466
> Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
> ---
>  libsepol/cil/src/cil_resolve_ast.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
> index ecd05dfa5dab..255f17ae7e30 100644
> --- a/libsepol/cil/src/cil_resolve_ast.c
> +++ b/libsepol/cil/src/cil_resolve_ast.c
> @@ -146,6 +146,7 @@ static int __cil_resolve_perms(symtab_t *class_symtab, symtab_t *common_symtab,
>         return SEPOL_OK;
>
>  exit:
> +       cil_list_destroy(perm_datums, CIL_FALSE);
>         return rc;
>  }
>
> --
> 2.29.2
>

ack on all but patch #4, comments sent for that patch.
James Carter Jan. 4, 2021, 6:18 p.m. UTC | #2 
On Wed, Dec 30, 2020 at 5:10 AM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
>
> When __cil_resolve_perms fails, it does not destroy perm_datums, which
> leads to a memory leak reported by OSS-Fuzz with the following CIL
> policy:
>
>     (class cl01())
>     (classorder(cl01))
>     (type at02)
>     (type tpr3)
>     (allow at02 tpr3(cl01((s))))
>
> Calling cil_list_destroy() fixes the issue.
>
> Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28466
> Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

Acked-by: James Carter <jwcart2@gmail.com>

> ---
>  libsepol/cil/src/cil_resolve_ast.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
> index ecd05dfa5dab..255f17ae7e30 100644
> --- a/libsepol/cil/src/cil_resolve_ast.c
> +++ b/libsepol/cil/src/cil_resolve_ast.c
> @@ -146,6 +146,7 @@ static int __cil_resolve_perms(symtab_t *class_symtab, symtab_t *common_symtab,
>         return SEPOL_OK;
>
>  exit:
> +       cil_list_destroy(perm_datums, CIL_FALSE);
>         return rc;
>  }
>
> --
> 2.29.2
>
James Carter Jan. 5, 2021, 4:08 p.m. UTC | #3 
Applied.

Thanks,
Jim

On Mon, Jan 4, 2021 at 1:18 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Wed, Dec 30, 2020 at 5:10 AM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
> >
> > When __cil_resolve_perms fails, it does not destroy perm_datums, which
> > leads to a memory leak reported by OSS-Fuzz with the following CIL
> > policy:
> >
> >     (class cl01())
> >     (classorder(cl01))
> >     (type at02)
> >     (type tpr3)
> >     (allow at02 tpr3(cl01((s))))
> >
> > Calling cil_list_destroy() fixes the issue.
> >
> > Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28466
> > Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
>
> Acked-by: James Carter <jwcart2@gmail.com>
>
> > ---
> >  libsepol/cil/src/cil_resolve_ast.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
> > index ecd05dfa5dab..255f17ae7e30 100644
> > --- a/libsepol/cil/src/cil_resolve_ast.c
> > +++ b/libsepol/cil/src/cil_resolve_ast.c
> > @@ -146,6 +146,7 @@ static int __cil_resolve_perms(symtab_t *class_symtab, symtab_t *common_symtab,
> >         return SEPOL_OK;
> >
> >  exit:
> > +       cil_list_destroy(perm_datums, CIL_FALSE);
> >         return rc;
> >  }
> >
> > --
> > 2.29.2
> >
diff mbox series

Patch

diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index ecd05dfa5dab..255f17ae7e30 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -146,6 +146,7 @@  static int __cil_resolve_perms(symtab_t *class_symtab, symtab_t *common_symtab,
 	return SEPOL_OK;
 
 exit:
+	cil_list_destroy(perm_datums, CIL_FALSE);
 	return rc;
 }