[PATCH 0/3] selinux: Fix and clean policydb->cond_list error paths

[PATCH 0/3] selinux: Fix and clean policydb->cond_list error paths

[vbendel]

There are two users of policydb->cond_list: cond_read_list()
and duplicate_policydb_cond_list(). If any of them gets an error,
usually an -ENOMEM, the error-path-cleanup *_destroy() functions
get called twice: firstly from these two and secondly from
the caller functions' error paths.

In case such -ENOMEM happens while assigning cond_node data, i.e.
while ->cond_list_len is already non-zero, it leads to inappropriate
dereferencing of policydb->cond_list[] data in the second called
cond_list_destroy() from the caller functions' error paths, resulting
with:
- NULL pointer deref from cond_read_list();
- use-after-free + double-free from duplicate_policydb_cond_list().
(the cond_read_list() manages to set ->cond_list to NULL)

Patch 1/3 simply makes the error behavior consistent by always setting
->cond_list to NULL.

Patch 2/3 fixes the actual bug by resetting ->cond_list_len to 0,
so any subsequent cond_list_destroy() calls would become noop.

Patch 3/3 cleans up the duplicate *_destroy calls on these error paths,
albeit it's a bit questionable and I'm looking for feedback on it:
- on one hand the idea is that the caller functions call the *_destroy()
bits anyway, hence removing duplicate efforts (which also fixes the bug,
but I'd still prefer to apply patches 1 and 2 regardless);
- on the other hand it's appropriate and more bug-proof for a function
to clean everything it allocated on error.
Hence I'm looking forward to seeing what approach the upstream would find
more appropriate.

Signed-off-by: Vratislav Bendel <vbendel@redhat.com>

[PATCH 1/3] selinux: consistently clear cond_list on error paths

[vbendel]

From: Vratislav Bendel <vbendel@redhat.com>

Currently there are two users of policydb->cond_list: cond_read_list()
and duplicate_policydb_cond_list(). On their error path one clears
->cond_list to NULL, but the other doesn't.
Make the behavior consistent by resetting ->cond_list to NULL in
cond_list_destroy(), which is called by both on the error path.

Signed-off-by: Vratislav Bendel <vbendel@redhat.com>
---
 security/selinux/ss/conditional.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index 2ec6e5cd25d9..1d0e5f326b62 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -152,6 +152,7 @@ static void cond_list_destroy(struct policydb *p)
 	for (i = 0; i < p->cond_list_len; i++)
 		cond_node_destroy(&p->cond_list[i]);
 	kfree(p->cond_list);
+	p->cond_list = NULL;
 }
 
 void cond_policydb_destroy(struct policydb *p)
@@ -441,7 +442,6 @@ int cond_read_list(struct policydb *p, void *fp)
 	return 0;
 err:
 	cond_list_destroy(p);
-	p->cond_list = NULL;
 	return rc;
 }
 
-- 
2.26.3

Re: [PATCH 1/3] selinux: consistently clear cond_list on error paths

[Paul Moore]

On Fri, Jan 28, 2022 at 3:29 PM <vbendel@redhat.com> wrote:
> From: Vratislav Bendel <vbendel@redhat.com>
>
> Currently there are two users of policydb->cond_list: cond_read_list()
> and duplicate_policydb_cond_list(). On their error path one clears
> ->cond_list to NULL, but the other doesn't.
> Make the behavior consistent by resetting ->cond_list to NULL in
> cond_list_destroy(), which is called by both on the error path.

It's also important to see if there are any callers of
cond_list_destroy() which incorrectly might be making use of
policydb::cond_list after it has been freed; thankfully that does not
appear to be the case in any of the call paths I looked at just now.
As this is more a a style/Right-Thing-To-Do patch and not an immediate
bugfix I'm going to go and merge this into selinux/next.

Thanks Vratislav.

> Signed-off-by: Vratislav Bendel <vbendel@redhat.com>
> ---
>  security/selinux/ss/conditional.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
> index 2ec6e5cd25d9..1d0e5f326b62 100644
> --- a/security/selinux/ss/conditional.c
> +++ b/security/selinux/ss/conditional.c
> @@ -152,6 +152,7 @@ static void cond_list_destroy(struct policydb *p)
>         for (i = 0; i < p->cond_list_len; i++)
>                 cond_node_destroy(&p->cond_list[i]);
>         kfree(p->cond_list);
> +       p->cond_list = NULL;
>  }
>
>  void cond_policydb_destroy(struct policydb *p)
> @@ -441,7 +442,6 @@ int cond_read_list(struct policydb *p, void *fp)
>         return 0;
>  err:
>         cond_list_destroy(p);
> -       p->cond_list = NULL;
>         return rc;
>  }
>
> --
> 2.26.3

-- 
paul-moore.com

Re: [PATCH 1/3] selinux: consistently clear cond_list on error paths

[Paul Moore]

On Tue, Feb 1, 2022 at 12:38 PM Paul Moore <paul@paul-moore.com> wrote:
> On Fri, Jan 28, 2022 at 3:29 PM <vbendel@redhat.com> wrote:
> > From: Vratislav Bendel <vbendel@redhat.com>
> >
> > Currently there are two users of policydb->cond_list: cond_read_list()
> > and duplicate_policydb_cond_list(). On their error path one clears
> > ->cond_list to NULL, but the other doesn't.
> > Make the behavior consistent by resetting ->cond_list to NULL in
> > cond_list_destroy(), which is called by both on the error path.
>
> It's also important to see if there are any callers of
> cond_list_destroy() which incorrectly might be making use of
> policydb::cond_list after it has been freed; thankfully that does not
> appear to be the case in any of the call paths I looked at just now.
> As this is more a a style/Right-Thing-To-Do patch and not an immediate
> bugfix I'm going to go and merge this into selinux/next.

After looking at patches 2/3 and 3/3, ignore the last sentence above
and see my comments below :)

> Thanks Vratislav.
>
> > Signed-off-by: Vratislav Bendel <vbendel@redhat.com>
> > ---
> >  security/selinux/ss/conditional.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
> > index 2ec6e5cd25d9..1d0e5f326b62 100644
> > --- a/security/selinux/ss/conditional.c
> > +++ b/security/selinux/ss/conditional.c
> > @@ -152,6 +152,7 @@ static void cond_list_destroy(struct policydb *p)
> >         for (i = 0; i < p->cond_list_len; i++)
> >                 cond_node_destroy(&p->cond_list[i]);
> >         kfree(p->cond_list);
> > +       p->cond_list = NULL;

While patch 1/3 may not be a candidate for selinux/stable-5.17 by
itself, patch 2/3 definitely qualifies.  Considering that both patches
are small, easily understood, and the likelihood of a merge conflict
between the two is high, why don't you squash 1/3 and 2/3 together so
we can submit this for selinux/stable-5.17?  In addition, put the two
lines which reset cond_list and cond_list_len together in v2, it's
cleaner that way, example below.  If you don't have time to do that
let me know and I can squash them together and move the
"p->cond_list_len = 0" line (don't worry, I'll preserve your
name/email as the patch author).

  static void cond_list_destroy(...)
  {

    /* ... */

    kfree(p->cond_list);
    p->cond_list = NULL;
    p->cond_list_len = 0;
  }

> >  }
> >
> >  void cond_policydb_destroy(struct policydb *p)
> > @@ -441,7 +442,6 @@ int cond_read_list(struct policydb *p, void *fp)
> >         return 0;
> >  err:
> >         cond_list_destroy(p);
> > -       p->cond_list = NULL;
> >         return rc;
> >  }

-- 
paul-moore.com

Re: [PATCH 1/3] selinux: consistently clear cond_list on error paths

[Vratislav Bendel]

On Tue, Feb 1, 2022 at 9:10 PM Paul Moore <paul@paul-moore.com> wrote:
>
> On Tue, Feb 1, 2022 at 12:38 PM Paul Moore <paul@paul-moore.com> wrote:
> > On Fri, Jan 28, 2022 at 3:29 PM <vbendel@redhat.com> wrote:
> > > From: Vratislav Bendel <vbendel@redhat.com>
> > >
> > > Currently there are two users of policydb->cond_list: cond_read_list()
> > > and duplicate_policydb_cond_list(). On their error path one clears
> > > ->cond_list to NULL, but the other doesn't.
> > > Make the behavior consistent by resetting ->cond_list to NULL in
> > > cond_list_destroy(), which is called by both on the error path.
> >
> > It's also important to see if there are any callers of
> > cond_list_destroy() which incorrectly might be making use of
> > policydb::cond_list after it has been freed; thankfully that does not
> > appear to be the case in any of the call paths I looked at just now.
> > As this is more a a style/Right-Thing-To-Do patch and not an immediate
> > bugfix I'm going to go and merge this into selinux/next.
>
> After looking at patches 2/3 and 3/3, ignore the last sentence above
> and see my comments below :)
>
> > Thanks Vratislav.
> >
> > > Signed-off-by: Vratislav Bendel <vbendel@redhat.com>
> > > ---
> > >  security/selinux/ss/conditional.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
> > > index 2ec6e5cd25d9..1d0e5f326b62 100644
> > > --- a/security/selinux/ss/conditional.c
> > > +++ b/security/selinux/ss/conditional.c
> > > @@ -152,6 +152,7 @@ static void cond_list_destroy(struct policydb *p)
> > >         for (i = 0; i < p->cond_list_len; i++)
> > >                 cond_node_destroy(&p->cond_list[i]);
> > >         kfree(p->cond_list);
> > > +       p->cond_list = NULL;
>
> While patch 1/3 may not be a candidate for selinux/stable-5.17 by
> itself, patch 2/3 definitely qualifies.  Considering that both patches
> are small, easily understood, and the likelihood of a merge conflict
> between the two is high, why don't you squash 1/3 and 2/3 together so
> we can submit this for selinux/stable-5.17?  In addition, put the two
> lines which reset cond_list and cond_list_len together in v2, it's
> cleaner that way, example below.  If you don't have time to do that
> let me know and I can squash them together and move the
> "p->cond_list_len = 0" line (don't worry, I'll preserve your
> name/email as the patch author).

I was also wondering about the possible conflict for submission
into stable. I see no problem with squashing 1/3 and 2/3 together.
I'll send the v2, as per your suggestions. :)

Thank you and have a nice day!

>
>   static void cond_list_destroy(...)
>   {
>
>     /* ... */
>
>     kfree(p->cond_list);
>     p->cond_list = NULL;
>     p->cond_list_len = 0;
>   }
>
> > >  }
> > >
> > >  void cond_policydb_destroy(struct policydb *p)
> > > @@ -441,7 +442,6 @@ int cond_read_list(struct policydb *p, void *fp)
> > >         return 0;
> > >  err:
> > >         cond_list_destroy(p);
> > > -       p->cond_list = NULL;
> > >         return rc;
> > >  }
>
> --
> paul-moore.com
>

[PATCH 2/3] selinux: fix double free of cond_list on error paths

[vbendel]

From: Vratislav Bendel <vbendel@redhat.com>

On error path from cond_read_list() and duplicate_policydb_cond_list()
the cond_list_destroy() gets called a second time in caller functions,
resulting in NULL pointer deref.
Fix this by resetting the cond_list_len to 0 in cond_list_destroy(),
making subsequent calls a noop.

Signed-off-by: Vratislav Bendel <vbendel@redhat.com>
---
 security/selinux/ss/conditional.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index 1d0e5f326b62..8bc16ad3af9e 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -151,6 +151,8 @@ static void cond_list_destroy(struct policydb *p)
 
 	for (i = 0; i < p->cond_list_len; i++)
 		cond_node_destroy(&p->cond_list[i]);
+	p->cond_list_len = 0;
+
 	kfree(p->cond_list);
 	p->cond_list = NULL;
 }
-- 
2.26.3

[PATCH 3/3] selinux: remove duplicate cond_list clean up calls

[vbendel]

From: Vratislav Bendel <vbendel@redhat.com>

On error path from cond_read_list() and duplicate_policydb_cond_list()
the *_destroy() functions get called a second time in caller functions.
Remove the first calls and let the callers clean it.

Suggested-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Vratislav Bendel <vbendel@redhat.com>
---
 security/selinux/ss/conditional.c | 20 ++++++--------------
 1 file changed, 6 insertions(+), 14 deletions(-)

diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index 8bc16ad3af9e..c333daaeceab 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -432,19 +432,16 @@ int cond_read_list(struct policydb *p, void *fp)
 
 	rc = avtab_alloc(&(p->te_cond_avtab), p->te_avtab.nel);
 	if (rc)
-		goto err;
+		return rc;
 
 	p->cond_list_len = len;
 
 	for (i = 0; i < len; i++) {
 		rc = cond_read_node(p, &p->cond_list[i], fp);
 		if (rc)
-			goto err;
+			return rc;
 	}
 	return 0;
-err:
-	cond_list_destroy(p);
-	return rc;
 }
 
 int cond_write_bool(void *vkey, void *datum, void *ptr)
@@ -643,7 +640,7 @@ static int duplicate_policydb_cond_list(struct policydb *newp,
 				sizeof(*newp->cond_list),
 				GFP_KERNEL);
 	if (!newp->cond_list)
-		goto error;
+		return -ENOMEM;
 
 	for (i = 0; i < origp->cond_list_len; i++) {
 		struct cond_node *newn = &newp->cond_list[i];
@@ -656,27 +653,22 @@ static int duplicate_policydb_cond_list(struct policydb *newp,
 				orign->expr.len * sizeof(*orign->expr.nodes),
 				GFP_KERNEL);
 		if (!newn->expr.nodes)
-			goto error;
+			return -ENOMEM;
 
 		newn->expr.len = orign->expr.len;
 
 		rc = cond_dup_av_list(&newn->true_list, &orign->true_list,
 				&newp->te_cond_avtab);
 		if (rc)
-			goto error;
+			return rc;
 
 		rc = cond_dup_av_list(&newn->false_list, &orign->false_list,
 				&newp->te_cond_avtab);
 		if (rc)
-			goto error;
+			return rc;
 	}
 
 	return 0;
-
-error:
-	avtab_destroy(&newp->te_cond_avtab);
-	cond_list_destroy(newp);
-	return -ENOMEM;
 }
 
 static int cond_bools_destroy(void *key, void *datum, void *args)
-- 
2.26.3

Re: [PATCH 3/3] selinux: remove duplicate cond_list clean up calls

[Paul Moore]

On Fri, Jan 28, 2022 at 3:29 PM <vbendel@redhat.com> wrote:
> From: Vratislav Bendel <vbendel@redhat.com>
>
> On error path from cond_read_list() and duplicate_policydb_cond_list()
> the *_destroy() functions get called a second time in caller functions.
> Remove the first calls and let the callers clean it.
>
> Suggested-by: Ondrej Mosnacek <omosnace@redhat.com>
> Signed-off-by: Vratislav Bendel <vbendel@redhat.com>
> ---
>  security/selinux/ss/conditional.c | 20 ++++++--------------
>  1 file changed, 6 insertions(+), 14 deletions(-)
>
> diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
> index 8bc16ad3af9e..c333daaeceab 100644
> --- a/security/selinux/ss/conditional.c
> +++ b/security/selinux/ss/conditional.c
> @@ -432,19 +432,16 @@ int cond_read_list(struct policydb *p, void *fp)
>
>         rc = avtab_alloc(&(p->te_cond_avtab), p->te_avtab.nel);
>         if (rc)
> -               goto err;
> +               return rc;
>
>         p->cond_list_len = len;
>
>         for (i = 0; i < len; i++) {
>                 rc = cond_read_node(p, &p->cond_list[i], fp);
>                 if (rc)
> -                       goto err;
> +                       return rc;
>         }
>         return 0;
> -err:
> -       cond_list_destroy(p);
> -       return rc;
>  }

I tend to prefer functions that cleanup their own allocations on
error.  It makes it easier and quicker to reason about a function's
error handling.  I recognize in this case it may mean multiple calls
to cond_list_destroy(), but that should be safe (considering the
previous patches in this series), and we are on the error path anyway
so I'm not as worried about a few extra instructions.

-- 
paul-moore.com

Re: [PATCH 0/3] selinux: Fix and clean policydb->cond_list error paths

[Ondrej Mosnacek]

On Fri, Jan 28, 2022 at 9:29 PM <vbendel@redhat.com> wrote:
> There are two users of policydb->cond_list: cond_read_list()
> and duplicate_policydb_cond_list(). If any of them gets an error,
> usually an -ENOMEM, the error-path-cleanup *_destroy() functions
> get called twice: firstly from these two and secondly from
> the caller functions' error paths.
>
> In case such -ENOMEM happens while assigning cond_node data, i.e.
> while ->cond_list_len is already non-zero, it leads to inappropriate
> dereferencing of policydb->cond_list[] data in the second called
> cond_list_destroy() from the caller functions' error paths, resulting
> with:
> - NULL pointer deref from cond_read_list();
> - use-after-free + double-free from duplicate_policydb_cond_list().
> (the cond_read_list() manages to set ->cond_list to NULL)
>
> Patch 1/3 simply makes the error behavior consistent by always setting
> ->cond_list to NULL.
>
> Patch 2/3 fixes the actual bug by resetting ->cond_list_len to 0,
> so any subsequent cond_list_destroy() calls would become noop.
>
> Patch 3/3 cleans up the duplicate *_destroy calls on these error paths,
> albeit it's a bit questionable and I'm looking for feedback on it:
> - on one hand the idea is that the caller functions call the *_destroy()
> bits anyway, hence removing duplicate efforts (which also fixes the bug,
> but I'd still prefer to apply patches 1 and 2 regardless);
> - on the other hand it's appropriate and more bug-proof for a function
> to clean everything it allocated on error.
> Hence I'm looking forward to seeing what approach the upstream would find
> more appropriate.
>
> Signed-off-by: Vratislav Bendel <vbendel@redhat.com>

For the series (with or without the last patch):
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>

--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.