All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Roberts, William C" <william.c.roberts@intel.com>
To: "selinux@tycho.nsa.gov" <selinux@tycho.nsa.gov>,
	"seandroid-list@tycho.nsa.gov" <seandroid-list@tycho.nsa.gov>,
	"sds@tycho.nsa.gov" <sds@tycho.nsa.gov>
Subject: RE: [PATCH] libsepol: fix memory leak in expand.c
Date: Mon, 8 Aug 2016 17:29:50 +0000	[thread overview]
Message-ID: <476DC76E7D1DF2438D32BFADF679FC56012805C4@ORSMSX103.amr.corp.intel.com> (raw)
In-Reply-To: <1470677301-20065-1-git-send-email-william.c.roberts@intel.com>



> -----Original Message-----
> From: Roberts, William C
> Sent: Monday, August 8, 2016 10:28 AM
> To: selinux@tycho.nsa.gov; seandroid-list@tycho.nsa.gov; sds@tycho.nsa.gov
> Cc: Roberts, William C <william.c.roberts@intel.com>
> Subject: [PATCH] libsepol: fix memory leak in expand.c
> 
> From: William Roberts <william.c.roberts@intel.com>
> 
> ebitmap_set_bit() can possible allocate nodes, however, the bail early style of
> type_set_expand() could leave internal ebitmaps allocated but not free'd.
> 
> Modify type_set_expand() so that it free's all allocated ebitmaps before
> returning the error code to the calling routine.
> 
> Signed-off-by: William Roberts <william.c.roberts@intel.com>
> ---
>  libsepol/src/expand.c | 30 +++++++++++++++++-------------
>  1 file changed, 17 insertions(+), 13 deletions(-)
> 
> diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index 4d3c623..0ad57f5
> 100644
> --- a/libsepol/src/expand.c
> +++ b/libsepol/src/expand.c
> @@ -2497,6 +2497,7 @@ int type_set_expand(type_set_t * set, ebitmap_t * t,
> policydb_t * p,
>  	unsigned int i;
>  	ebitmap_t types, neg_types;
>  	ebitmap_node_t *tnode;
> +	int rc =-1;
> 
>  	ebitmap_init(&types);
>  	ebitmap_init(t);
> @@ -2511,7 +2512,7 @@ int type_set_expand(type_set_t * set, ebitmap_t * t,
> policydb_t * p,
>  				 * what's available in the type_val_to_struct
> mapping
>  				 */
>  				if (i > p->p_types.nprim - 1)
> -						return -1;
> +					goto err_types;
> 
>  				if (p->type_val_to_struct[i]->flavor ==
>  				    TYPE_ATTRIB) {
> @@ -2519,11 +2520,11 @@ int type_set_expand(type_set_t * set, ebitmap_t *
> t, policydb_t * p,
>  					    (&types,
>  					     &p->type_val_to_struct[i]->
>  					     types)) {
> -						return -1;
> +						goto err_types;
>  					}
>  				} else {
>  					if (ebitmap_set_bit(&types, i, 1)) {
> -						return -1;
> +						goto err_types;
>  					}
>  				}
>  			}
> @@ -2531,7 +2532,7 @@ int type_set_expand(type_set_t * set, ebitmap_t * t,
> policydb_t * p,
>  	} else {
>  		/* No expansion of attributes, just copy the set as is. */
>  		if (ebitmap_cpy(&types, &set->types))
> -			return -1;
> +			goto err_types;
>  	}
> 
>  	/* Now do the same thing for negset */ @@ -2543,11 +2544,11 @@ int
> type_set_expand(type_set_t * set, ebitmap_t * t, policydb_t * p,
>  				if (ebitmap_union
>  				    (&neg_types,
>  				     &p->type_val_to_struct[i]->types)) {
> -					return -1;
> +					goto err_neg;
>  				}
>  			} else {
>  				if (ebitmap_set_bit(&neg_types, i, 1)) {
> -					return -1;
> +					goto err_neg;
>  				}
>  			}
>  		}
> @@ -2562,7 +2563,7 @@ int type_set_expand(type_set_t * set, ebitmap_t * t,
> policydb_t * p,
>  			    p->type_val_to_struct[i]->flavor == TYPE_ATTRIB)
>  				continue;
>  			if (ebitmap_set_bit(t, i, 1))
> -				return -1;
> +				goto err_neg;
>  		}
>  		goto out;
>  	}
> @@ -2571,7 +2572,7 @@ int type_set_expand(type_set_t * set, ebitmap_t * t,
> policydb_t * p,
>  		if (ebitmap_node_get_bit(tnode, i)
>  		    && (!ebitmap_get_bit(&neg_types, i)))
>  			if (ebitmap_set_bit(t, i, 1))
> -				return -1;
> +				goto err_neg;
>  	}
> 
>  	if (set->flags & TYPE_COMP) {
> @@ -2583,20 +2584,23 @@ int type_set_expand(type_set_t * set, ebitmap_t *
> t, policydb_t * p,
>  			}
>  			if (ebitmap_get_bit(t, i)) {
>  				if (ebitmap_set_bit(t, i, 0))
> -					return -1;
> +					goto err_neg;
>  			} else {
>  				if (ebitmap_set_bit(t, i, 1))
> -					return -1;
> +					goto err_neg;
>  			}
>  		}
>  	}
> 
> -      out:
> +	  out:
> +	rc = 0;
> 
> -	ebitmap_destroy(&types);
> +	  err_neg:
>  	ebitmap_destroy(&neg_types);
> +	  err_types:
> +	ebitmap_destroy(&types);
> 
> -	return 0;
> +	return rc;
>  }
> 
>  static int copy_neverallow(policydb_t * dest_pol, uint32_t * typemap,
> --
> 1.9.1

Sorry for the disorganization in not sending these out as a series, I didn't see the memory leak, but this applies on-top of:
[PATCH] libsepol: fix invalid read when policy file is corrupt

Bill

  reply	other threads:[~2016-08-08 17:29 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-08-08 17:28 [PATCH] libsepol: fix memory leak in expand.c william.c.roberts
2016-08-08 17:29 ` Roberts, William C [this message]
2016-08-09 16:12   ` Roberts, William C
2016-08-09 20:26     ` James Carter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=476DC76E7D1DF2438D32BFADF679FC56012805C4@ORSMSX103.amr.corp.intel.com \
    --to=william.c.roberts@intel.com \
    --cc=sds@tycho.nsa.gov \
    --cc=seandroid-list@tycho.nsa.gov \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.