From: James Carter <jwcart2@gmail.com>
To: Nicolas Iooss <nicolas.iooss@m4x.org>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [PATCH 1/1] libsepol/cil: unlink blockinherit->block link when destroying a block
Date: Tue, 2 Feb 2021 15:36:08 -0500	[thread overview]
Message-ID: <CAP+JOzROBnb0fRSFM3NVHbqxSk5n7tmvx6pqc7FgzPj0qadFFQ@mail.gmail.com> (raw)
In-Reply-To: <20210201221758.13349-1-nicolas.iooss@m4x.org>

On Mon, Feb 1, 2021 at 5:20 PM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
>
> The following CIL policy triggers a heap use-after-free in secilc
> because when the blockinherit node is destroyed, the block node was
> already destroyed:
>
>     (block b2a)
>     (blockinherit b2a)
>
> Fix this by setting blockinherit->block to NULL when destroying block.
>
> Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

Acked-by: James Carter <jwcart2@gmail.com>

> ---
>  libsepol/cil/src/cil_build_ast.c | 19 ++++++++++++++++++-
>  1 file changed, 18 insertions(+), 1 deletion(-)
>
> diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
> index 02481558ad11..c6edcde6bc5d 100644
> --- a/libsepol/cil/src/cil_build_ast.c
> +++ b/libsepol/cil/src/cil_build_ast.c
> @@ -231,13 +231,30 @@ exit:
>
>  void cil_destroy_block(struct cil_block *block)
>  {
> +       struct cil_list_item *item;
> +       struct cil_tree_node *bi_node;
> +       struct cil_blockinherit *inherit;
> +
>         if (block == NULL) {
>                 return;
>         }
>
>         cil_symtab_datum_destroy(&block->datum);
>         cil_symtab_array_destroy(block->symtab);
> -       cil_list_destroy(&block->bi_nodes, CIL_FALSE);
> +       if (block->bi_nodes != NULL) {
> +               /* unlink blockinherit->block */
> +               cil_list_for_each(item, block->bi_nodes) {
> +                       bi_node = item->data;
> +                       /* the conditions should always be true, but better be sure */
> +                       if (bi_node->flavor == CIL_BLOCKINHERIT) {
> +                               inherit = bi_node->data;
> +                               if (inherit->block == block) {
> +                                       inherit->block = NULL;
> +                               }
> +                       }
> +               }
> +               cil_list_destroy(&block->bi_nodes, CIL_FALSE);
> +       }
>
>         free(block);
>  }
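Review bot: the two guards at `if (bi_node->flavor == CIL_BLOCKINHERIT)` and `if (inherit->block == block)` silently skip any bi_nodes entry that does not point back at this block, and the comment "the conditions should always be true, but better be sure" leaves the reader guessing what guarantees that. Since an entry that fails either check would itself be a stale link of the kind this patch is fixing, consider either stating the invariant that keeps bi_nodes and blockinherit->block in sync in the comment, or logging the mismatch instead of ignoring it, so a future regression is visible rather than masked. The new outer `if (block->bi_nodes != NULL)` is only needed for the loop, given that the old unconditional `cil_list_destroy(&block->bi_nodes, CIL_FALSE)` already tolerated a NULL list; a brief note of that in the commit message would help.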
> --
> 2.30.0
>

2021-02-01 22:17 [PATCH 1/1] libsepol/cil: unlink blockinherit->block link when destroying a block Nicolas Iooss
2021-02-02 20:36 ` James Carter [this message]
2021-02-03  8:35   ` Petr Lautrbach