| Message ID | 20211011162533.53404-13-cgzones@googlemail.com (mailing list archive) |
|---|---|
| State | Changes Requested |
| Headers | show |
| Series | libsepol: add fuzzer for reading binary policies | expand |
On Mon, Oct 11, 2021 at 12:41 PM Christian Göttsche <cgzones@googlemail.com> wrote: > > Free the local access vector list on failure as it does not get moved > into the policy structure. > > Direct leak of 16 byte(s) in 1 object(s) allocated from: > #0 0x52596d in malloc (./out/binpolicy-fuzzer+0x52596d) > #1 0x5b30d2 in cond_insertf ./libsepol/src/conditional.c:682:9 > #2 0x5ac218 in avtab_read_item ./libsepol/src/avtab.c:583:10 > #3 0x5b21f4 in cond_read_av_list ./libsepol/src/conditional.c:725:8 > #4 0x5b21f4 in cond_read_node ./libsepol/src/conditional.c:798:7 > #5 0x5b21f4 in cond_read_list ./libsepol/src/conditional.c:847:7 > #6 0x576b6e in policydb_read ./libsepol/src/policydb.c:4436:8 > #7 0x55a1fe in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:24:6 > #8 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o > #9 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o > #10 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o > #11 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) > #12 0x7f47abeb87ec in __libc_start_main csu/../csu/libc-start.c:332:16 > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > --- > libsepol/src/conditional.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/libsepol/src/conditional.c b/libsepol/src/conditional.c > index 9a10aae1..50cb5395 100644 > --- a/libsepol/src/conditional.c > +++ b/libsepol/src/conditional.c > @@ -724,8 +724,10 @@ static int cond_read_av_list(policydb_t * p, void *fp, > for (i = 0; i < len; i++) { > rc = avtab_read_item(fp, p->policyvers, &p->te_cond_avtab, > cond_insertf, &data); > - if (rc) > + if (rc) { > + cond_av_list_destroy(data.head); > return rc; > + } > > } > > -- > 2.33.0 > Please remove the cond_av_list_destroy() call in cond_insertf(). That won't be needed with it being called here. Jim
diff --git a/libsepol/src/conditional.c b/libsepol/src/conditional.c index 9a10aae1..50cb5395 100644 --- a/libsepol/src/conditional.c +++ b/libsepol/src/conditional.c @@ -724,8 +724,10 @@ static int cond_read_av_list(policydb_t * p, void *fp, for (i = 0; i < len; i++) { rc = avtab_read_item(fp, p->policyvers, &p->te_cond_avtab, cond_insertf, &data); - if (rc) + if (rc) { + cond_av_list_destroy(data.head); return rc; + } }
Free the local access vector list on failure as it does not get moved into the policy structure. Direct leak of 16 byte(s) in 1 object(s) allocated from: #0 0x52596d in malloc (./out/binpolicy-fuzzer+0x52596d) #1 0x5b30d2 in cond_insertf ./libsepol/src/conditional.c:682:9 #2 0x5ac218 in avtab_read_item ./libsepol/src/avtab.c:583:10 #3 0x5b21f4 in cond_read_av_list ./libsepol/src/conditional.c:725:8 #4 0x5b21f4 in cond_read_node ./libsepol/src/conditional.c:798:7 #5 0x5b21f4 in cond_read_list ./libsepol/src/conditional.c:847:7 #6 0x576b6e in policydb_read ./libsepol/src/policydb.c:4436:8 #7 0x55a1fe in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:24:6 #8 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o #9 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o #10 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o #11 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2) #12 0x7f47abeb87ec in __libc_start_main csu/../csu/libc-start.c:332:16 Signed-off-by: Christian Göttsche <cgzones@googlemail.com> --- libsepol/src/conditional.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)