[1/3] libselinux: free empty scandir(3) result

Message ID	20240429163901.65239-1-cgoettsche@seltendoof.de (mailing list archive)
State	New
Delegated to:	Petr Lautrbach
Headers	show Received: from server02.seltendoof.de (server02.seltendoof.de [168.119.48.163]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 057FA8624A for <selinux@vger.kernel.org>; Mon, 29 Apr 2024 16:39:07 +0000 (UTC) From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgoettsche@seltendoof.de> To: selinux@vger.kernel.org Cc: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com> Subject: [PATCH 1/3] libselinux: free empty scandir(3) result Date: Mon, 29 Apr 2024 18:38:59 +0200 Message-ID: <20240429163901.65239-1-cgoettsche@seltendoof.de> Reply-To: cgzones@googlemail.com Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
Series	[1/3] libselinux: free empty scandir(3) result \| expand [1/3] libselinux: free empty scandir(3) result [2/3] libselinux: avoid pointer dereference before check [3/3] mcstrans: free constraint in error branch

Message ID

20240429163901.65239-1-cgoettsche@seltendoof.de (mailing list archive)

State

New

Delegated to:

Petr Lautrbach

Headers

From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgoettsche@seltendoof.de>
To: selinux@vger.kernel.org
Cc: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com>
Subject: [PATCH 1/3] libselinux: free empty scandir(3) result
Date: Mon, 29 Apr 2024 18:38:59 +0200
Message-ID: <20240429163901.65239-1-cgoettsche@seltendoof.de>
Reply-To: cgzones@googlemail.com
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Series

[1/3] libselinux: free empty scandir(3) result | expand

Commit Message

Christian Göttsche April 29, 2024, 4:38 p.m. UTC

From: Christian Göttsche <cgzones@googlemail.com>

In case scandir(3) finds no entries still free the returned result to
avoid leaking it.

Also do not override errno in case of a failure.

Reported.by: Cppcheck

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libselinux/src/booleans.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Comments

William Roberts April 29, 2024, 8:34 p.m. UTC | #1

On Mon, Apr 29, 2024 at 11:39 AM Christian Göttsche
<cgoettsche@seltendoof.de> wrote:
>
> From: Christian Göttsche <cgzones@googlemail.com>
>
> In case scandir(3) finds no entries still free the returned result to
> avoid leaking it.
>
> Also do not override errno in case of a failure.
>
> Reported.by: Cppcheck
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
>  libselinux/src/booleans.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c
> index c557df65..1ede8e2d 100644
> --- a/libselinux/src/booleans.c
> +++ b/libselinux/src/booleans.c
> @@ -53,7 +53,11 @@ int security_get_boolean_names(char ***names, int *len)
>
>         snprintf(path, sizeof path, "%s%s", selinux_mnt, SELINUX_BOOL_DIR);
>         *len = scandir(path, &namelist, &filename_select, alphasort);
> -       if (*len <= 0) {
> +       if (*len < 0) {
> +               return -1;
> +       }
> +       if (*len == 0) {

Changing this will allow scandir to fail and it continue, what's the point?

> +               free(namelist);
>                 errno = ENOENT;
>                 return -1;
>         }
> --
> 2.43.0
>
>

Christian Göttsche April 30, 2024, 2:34 p.m. UTC | #2

On Mon, 29 Apr 2024 at 22:35, William Roberts <bill.c.roberts@gmail.com> wrote:
>
> On Mon, Apr 29, 2024 at 11:39 AM Christian Göttsche
> <cgoettsche@seltendoof.de> wrote:
> >
> > From: Christian Göttsche <cgzones@googlemail.com>
> >
> > In case scandir(3) finds no entries still free the returned result to
> > avoid leaking it.
> >
> > Also do not override errno in case of a failure.
> >
> > Reported.by: Cppcheck
> >
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> > ---
> >  libselinux/src/booleans.c | 6 +++++-
> >  1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c
> > index c557df65..1ede8e2d 100644
> > --- a/libselinux/src/booleans.c
> > +++ b/libselinux/src/booleans.c
> > @@ -53,7 +53,11 @@ int security_get_boolean_names(char ***names, int *len)
> >
> >         snprintf(path, sizeof path, "%s%s", selinux_mnt, SELINUX_BOOL_DIR);
> >         *len = scandir(path, &namelist, &filename_select, alphasort);
> > -       if (*len <= 0) {
> > +       if (*len < 0) {
> > +               return -1;
> > +       }
> > +       if (*len == 0) {
>
> Changing this will allow scandir to fail and it continue, what's the point?

What do you mean by "continue"?
The function will still return -1 with errno set if scandir(3) returns
<= 0, like it does currently.
But currently if scandir() returns 0, we currently leak the pointer to
the empty array.

>
> > +               free(namelist);
> >                 errno = ENOENT;
> >                 return -1;
> >         }
> > --
> > 2.43.0
> >
> >

William Roberts April 30, 2024, 2:52 p.m. UTC | #3

On Tue, Apr 30, 2024 at 9:35 AM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> On Mon, 29 Apr 2024 at 22:35, William Roberts <bill.c.roberts@gmail.com> wrote:
> >
> > On Mon, Apr 29, 2024 at 11:39 AM Christian Göttsche
> > <cgoettsche@seltendoof.de> wrote:
> > >
> > > From: Christian Göttsche <cgzones@googlemail.com>
> > >
> > > In case scandir(3) finds no entries still free the returned result to
> > > avoid leaking it.
> > >
> > > Also do not override errno in case of a failure.
> > >
> > > Reported.by: Cppcheck
> > >
> > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> > > ---
> > >  libselinux/src/booleans.c | 6 +++++-
> > >  1 file changed, 5 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c
> > > index c557df65..1ede8e2d 100644
> > > --- a/libselinux/src/booleans.c
> > > +++ b/libselinux/src/booleans.c
> > > @@ -53,7 +53,11 @@ int security_get_boolean_names(char ***names, int *len)
> > >
> > >         snprintf(path, sizeof path, "%s%s", selinux_mnt, SELINUX_BOOL_DIR);
> > >         *len = scandir(path, &namelist, &filename_select, alphasort);
> > > -       if (*len <= 0) {
> > > +       if (*len < 0) {
> > > +               return -1;
> > > +       }
> > > +       if (*len == 0) {
> >
> > Changing this will allow scandir to fail and it continue, what's the point?
>
> What do you mean by "continue"?
> The function will still return -1 with errno set if scandir(3) returns
> <= 0, like it does currently.
> But currently if scandir() returns 0, we currently leak the pointer to
> the empty array.

I completely misread that, my apologies. I just mocked scandir for all
those paths
with the leak sanitizer enabled, lgtm.

>
> >
> > > +               free(namelist);
> > >                 errno = ENOENT;
> > >                 return -1;
> > >         }
> > > --
> > > 2.43.0
> > >
> > >

diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c
index c557df65..1ede8e2d 100644
--- a/libselinux/src/booleans.c
+++ b/libselinux/src/booleans.c
@@ -53,7 +53,11 @@  int security_get_boolean_names(char ***names, int *len)
 
 	snprintf(path, sizeof path, "%s%s", selinux_mnt, SELINUX_BOOL_DIR);
 	*len = scandir(path, &namelist, &filename_select, alphasort);
-	if (*len <= 0) {
+	if (*len < 0) {
+		return -1;
+	}
+	if (*len == 0) {
+		free(namelist);
 		errno = ENOENT;
 		return -1;
 	}

[1/3] libselinux: free empty scandir(3) result

Commit Message

Comments

Patch