All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Christian Göttsche" <cgzones@googlemail.com>
To: selinux@vger.kernel.org
Cc: liwugang <liwugang@163.com>
Subject: [PATCH 13/13] checkpolicy: free extended permission memory
Date: Tue, 14 Sep 2021 14:48:28 +0200	[thread overview]
Message-ID: <20210914124828.19488-14-cgzones@googlemail.com> (raw)
In-Reply-To: <20210914124828.19488-1-cgzones@googlemail.com>

define_te_avtab_xperms_helper() allocates memory for the avrule, while
define_te_avtab_ioctl() does not transfer any ownership of it.
Free the affected memory.

    Direct leak of 272 byte(s) in 2 object(s) allocated from:
        #0 0x49bb8d in __interceptor_malloc (./checkpolicy/checkmodule+0x49bb8d)
        #1 0x4f379c in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2047:24
        #2 0x4f379c in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2469:6
        #3 0x4cf417 in yyparse ./checkpolicy/policy_parse.y:494:30
        #4 0x4eaf35 in read_source_policy ./checkpolicy/parse_util.c:63:6
        #5 0x50cccd in main ./checkpolicy/checkmodule.c:278:7
        #6 0x7fbfa455ce49 in __libc_start_main csu/../csu/libc-start.c:314:16

    Direct leak of 32 byte(s) in 2 object(s) allocated from:
        #0 0x49bb8d in __interceptor_malloc (./checkpolicy/checkmodule+0x49bb8d)
        #1 0x4f4a38 in avrule_sort_ioctls ./checkpolicy/policy_define.c:1844:12
        #2 0x4f4a38 in avrule_ioctl_ranges ./checkpolicy/policy_define.c:2021:6
        #3 0x4f4a38 in define_te_avtab_ioctl ./checkpolicy/policy_define.c:2399:6
        #4 0x4f4a38 in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2475:7
        #5 0x4cf417 in yyparse ./checkpolicy/policy_parse.y:494:30
        #6 0x4eaf35 in read_source_policy ./checkpolicy/parse_util.c:63:6
        #7 0x50cccd in main ./checkpolicy/checkmodule.c:278:7
        #8 0x7fbfa455ce49 in __libc_start_main csu/../csu/libc-start.c:314:16

Reported-by: liwugang <liwugang@163.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 checkpolicy/policy_define.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index c71e0571..185d5704 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -2390,7 +2390,7 @@ static int avrule_cpy(avrule_t *dest, const avrule_t *src)
 static int define_te_avtab_ioctl(const avrule_t *avrule_template)
 {
 	avrule_t *avrule;
-	struct av_ioctl_range_list *rangelist;
+	struct av_ioctl_range_list *rangelist, *r;
 	av_extended_perms_t *complete_driver, *partial_driver, *xperms;
 	unsigned int i;
 
@@ -2448,6 +2448,12 @@ done:
 	if (partial_driver)
 		free(partial_driver);
 
+	while (rangelist != NULL) {
+		r = rangelist;
+		rangelist = rangelist->next;
+		free(r);
+	}
+
 	return 0;
 }
 
@@ -2456,6 +2462,7 @@ int define_te_avtab_extended_perms(int which)
 	char *id;
 	unsigned int i;
 	avrule_t *avrule_template;
+	int rc = 0;
 
 	if (pass == 1) {
 		for (i = 0; i < 4; i++) {
@@ -2471,15 +2478,17 @@ int define_te_avtab_extended_perms(int which)
 
 	id = queue_remove(id_queue);
 	if (strcmp(id,"ioctl") == 0) {
-		free(id);
-		if (define_te_avtab_ioctl(avrule_template))
-			return -1;
+		rc = define_te_avtab_ioctl(avrule_template);
 	} else {
 		yyerror("only ioctl extended permissions are supported");
-		free(id);
-		return -1;
+		rc = -1;
 	}
-	return 0;
+
+	free(id);
+	avrule_destroy(avrule_template);
+	free(avrule_template);
+
+	return rc;
 }
 
 static int define_te_avtab_helper(int which, avrule_t ** rule)
-- 
2.33.0


  parent reply	other threads:[~2021-09-14 12:50 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-14 12:48 [PATCH 00/13] checkpolicy improvements Christian Göttsche
2021-09-14 12:48 ` [PATCH 01/13] libsepol: avoid implicit conversions Christian Göttsche
2021-09-14 12:48 ` [PATCH 02/13] libsepol: free memory after policy validation Christian Göttsche
2021-09-15 13:11   ` [PATCH v2 " Christian Göttsche
2021-09-15 13:19     ` [PATCH v3 " Christian Göttsche
2021-09-14 12:48 ` [PATCH 03/13] checkpolicy: enclose macro argument in parentheses Christian Göttsche
2021-09-14 12:48 ` [PATCH 04/13] checkpolicy: misc checkmodule tweaks Christian Göttsche
2021-09-14 12:48 ` [PATCH 05/13] checkpolicy: misc checkpolicy tweaks Christian Göttsche
2021-09-14 12:48 ` [PATCH 06/13] checkpolicy: mark read-only parameters in module compiler const Christian Göttsche
2021-09-14 12:48 ` [PATCH 07/13] checkpolicy: mark file local functions in policy_define static Christian Göttsche
2021-09-14 12:48 ` [PATCH 08/13] checkpolicy: add missing function declarations Christian Göttsche
2021-09-14 12:48 ` [PATCH 09/13] checkpolicy: resolve dismod memory leaks Christian Göttsche
2021-09-14 19:45   ` James Carter
2021-09-15 13:11   ` [PATCH v2 " Christian Göttsche
2021-09-14 12:48 ` [PATCH 10/13] checkpolicy: avoid implicit conversion Christian Göttsche
2021-09-14 12:48 ` [PATCH 11/13] checkpolicy: error out on parsing too big integers Christian Göttsche
2021-09-14 20:43   ` James Carter
2021-09-15 13:11   ` [PATCH v2 " Christian Göttsche
2021-09-14 12:48 ` [PATCH 12/13] checkpolicy: print warning on source line overflow Christian Göttsche
2021-09-14 12:48 ` Christian Göttsche [this message]
2021-09-15 14:59 ` [PATCH 00/13] checkpolicy improvements James Carter
2021-09-16 20:34   ` James Carter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210914124828.19488-14-cgzones@googlemail.com \
    --to=cgzones@googlemail.com \
    --cc=liwugang@163.com \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.