| Message ID | 20210228084858.8499-1-nicolas.iooss@m4x.org (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | libsepol: invalidate the pointer to the policydb if policydb_init fails | expand |
On Sun, Feb 28, 2021 at 3:51 AM Nicolas Iooss <nicolas.iooss@m4x.org> wrote: > > Facebook's Infer static analyzer warns about a use-after-free issue in > libsemanage: > > int semanage_direct_mls_enabled(semanage_handle_t * sh) > { > sepol_policydb_t *p = NULL; > int retval; > > retval = sepol_policydb_create(&p); > if (retval < 0) > goto cleanup; > > /* ... */ > cleanup: > sepol_policydb_free(p); > return retval; > } > > When sepol_policydb_create() is called, p is allocated and > policydb_init() is called. If this second call fails, p is freed > andsepol_policydb_create() returns -1, but p still stores a pointer to > freed memory. This pointer is then freed again in the cleanup part of > semanage_direct_mls_enabled(). > > Fix this by setting p to NULL in sepol_policydb_create() after freeing > it. > > Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> Acked-by: James Carter <jwcart2@gmail.com> > --- > libsepol/src/policydb_public.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/libsepol/src/policydb_public.c b/libsepol/src/policydb_public.c > index e5def7078eb0..0218c9403856 100644 > --- a/libsepol/src/policydb_public.c > +++ b/libsepol/src/policydb_public.c > @@ -68,6 +68,7 @@ int sepol_policydb_create(sepol_policydb_t ** sp) > p = &(*sp)->p; > if (policydb_init(p)) { > free(*sp); > + *sp = NULL; > return -1; > } > return 0; > -- > 2.30.0 >
On Mon, Mar 1, 2021 at 3:55 PM James Carter <jwcart2@gmail.com> wrote: > > On Sun, Feb 28, 2021 at 3:51 AM Nicolas Iooss <nicolas.iooss@m4x.org> wrote: > > > > Facebook's Infer static analyzer warns about a use-after-free issue in > > libsemanage: > > > > int semanage_direct_mls_enabled(semanage_handle_t * sh) > > { > > sepol_policydb_t *p = NULL; > > int retval; > > > > retval = sepol_policydb_create(&p); > > if (retval < 0) > > goto cleanup; > > > > /* ... */ > > cleanup: > > sepol_policydb_free(p); > > return retval; > > } > > > > When sepol_policydb_create() is called, p is allocated and > > policydb_init() is called. If this second call fails, p is freed > > andsepol_policydb_create() returns -1, but p still stores a pointer to > > freed memory. This pointer is then freed again in the cleanup part of > > semanage_direct_mls_enabled(). > > > > Fix this by setting p to NULL in sepol_policydb_create() after freeing > > it. > > > > Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> > > Acked-by: James Carter <jwcart2@gmail.com> Merged. Nicolas > > --- > > libsepol/src/policydb_public.c | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/libsepol/src/policydb_public.c b/libsepol/src/policydb_public.c > > index e5def7078eb0..0218c9403856 100644 > > --- a/libsepol/src/policydb_public.c > > +++ b/libsepol/src/policydb_public.c > > @@ -68,6 +68,7 @@ int sepol_policydb_create(sepol_policydb_t ** sp) > > p = &(*sp)->p; > > if (policydb_init(p)) { > > free(*sp); > > + *sp = NULL; > > return -1; > > } > > return 0; > > -- > > 2.30.0 > >
diff --git a/libsepol/src/policydb_public.c b/libsepol/src/policydb_public.c index e5def7078eb0..0218c9403856 100644 --- a/libsepol/src/policydb_public.c +++ b/libsepol/src/policydb_public.c @@ -68,6 +68,7 @@ int sepol_policydb_create(sepol_policydb_t ** sp) p = &(*sp)->p; if (policydb_init(p)) { free(*sp); + *sp = NULL; return -1; } return 0;
Facebook's Infer static analyzer warns about a use-after-free issue in libsemanage: int semanage_direct_mls_enabled(semanage_handle_t * sh) { sepol_policydb_t *p = NULL; int retval; retval = sepol_policydb_create(&p); if (retval < 0) goto cleanup; /* ... */ cleanup: sepol_policydb_free(p); return retval; } When sepol_policydb_create() is called, p is allocated and policydb_init() is called. If this second call fails, p is freed andsepol_policydb_create() returns -1, but p still stores a pointer to freed memory. This pointer is then freed again in the cleanup part of semanage_direct_mls_enabled(). Fix this by setting p to NULL in sepol_policydb_create() after freeing it. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> --- libsepol/src/policydb_public.c | 1 + 1 file changed, 1 insertion(+)