* Another libsepol USE_AFTER_FREE defects detected
@ 2021-09-09 19:07 Petr Lautrbach
From: Petr Lautrbach @ 2021-09-09 19:07 UTC (permalink / raw)
  To: selinux

Hello,

our internal scanner reports the following defects:

Error: USE_AFTER_FREE (CWE-416): [#def1]
libsepol/cil/src/cil_build_ast.c:473: freed_arg: "cil_gen_node" frees "class".
libsepol/cil/src/cil_build_ast.c:480: deref_after_free: Dereferencing freed pointer "class".
#  478|   	if (parse_current->next->next != NULL) {
#  479|   		perms = parse_current->next->next->cl_head;
#  480|-> 		rc = cil_gen_perm_nodes(db, perms, ast_node, CIL_PERM, &class->num_perms);
#  481|   		if (rc != SEPOL_OK) {
#  482|   			goto exit;

Error: USE_AFTER_FREE (CWE-416): [#def2]
libsepol/cil/src/cil_build_ast.c:942: freed_arg: "cil_gen_node" frees "map".
libsepol/cil/src/cil_build_ast.c:947: deref_after_free: Dereferencing freed pointer "map".
#  945|   	}
#  946|   
#  947|-> 	rc = cil_gen_perm_nodes(db, parse_current->next->next->cl_head, ast_node, CIL_MAP_PERM, &map->num_perms);
#  948|   	if (rc != SEPOL_OK) {
#  949|   		goto exit;

Error: USE_AFTER_FREE (CWE-416): [#def3]
libsepol/cil/src/cil_build_ast.c:1042: freed_arg: "cil_gen_node" frees "common".
libsepol/cil/src/cil_build_ast.c:1047: deref_after_free: Dereferencing freed pointer "common".
# 1045|   	}
# 1046|   
# 1047|-> 	rc = cil_gen_perm_nodes(db, parse_current->next->next->cl_head, ast_node, CIL_PERM, &common->num_perms);
# 1048|   	if (rc != SEPOL_OK) {
# 1049|   		goto exit;


They might be related to commit 0d4e568afe5a28edc5fcdcff8e925d4ec1d0d3d0
("libsepol/cil: Create function cil_add_decl_to_symtab() and refactor")

Please take a look.

Thanks,

Petr



* Re: Another libsepol USE_AFTER_FREE defects detected
@ 2021-09-09 19:51 ` James Carter
From: James Carter @ 2021-09-09 19:51 UTC (permalink / raw)
  To: Petr Lautrbach; +Cc: SElinux list

On Thu, Sep 9, 2021 at 3:10 PM Petr Lautrbach <plautrba@redhat.com> wrote:
>
> Hello,
>
> our internal scanner reports the following defects:
>
> Error: USE_AFTER_FREE (CWE-416): [#def1]
> libsepol/cil/src/cil_build_ast.c:473: freed_arg: "cil_gen_node" frees "class".
> libsepol/cil/src/cil_build_ast.c:480: deref_after_free: Dereferencing freed pointer "class".
> #  478|         if (parse_current->next->next != NULL) {
> #  479|                 perms = parse_current->next->next->cl_head;
> #  480|->               rc = cil_gen_perm_nodes(db, perms, ast_node, CIL_PERM, &class->num_perms);
> #  481|                 if (rc != SEPOL_OK) {
> #  482|                         goto exit;
>
> Error: USE_AFTER_FREE (CWE-416): [#def2]
> libsepol/cil/src/cil_build_ast.c:942: freed_arg: "cil_gen_node" frees "map".
> libsepol/cil/src/cil_build_ast.c:947: deref_after_free: Dereferencing freed pointer "map".
> #  945|         }
> #  946|
> #  947|->       rc = cil_gen_perm_nodes(db, parse_current->next->next->cl_head, ast_node, CIL_MAP_PERM, &map->num_perms);
> #  948|         if (rc != SEPOL_OK) {
> #  949|                 goto exit;
>
> Error: USE_AFTER_FREE (CWE-416): [#def3]
> libsepol/cil/src/cil_build_ast.c:1042: freed_arg: "cil_gen_node" frees "common".
> libsepol/cil/src/cil_build_ast.c:1047: deref_after_free: Dereferencing freed pointer "common".
> # 1045|         }
> # 1046|
> # 1047|->       rc = cil_gen_perm_nodes(db, parse_current->next->next->cl_head, ast_node, CIL_PERM, &common->num_perms);
> # 1048|         if (rc != SEPOL_OK) {
> # 1049|                 goto exit;
>
>
> They might be related to commit 0d4e568afe5a28edc5fcdcff8e925d4ec1d0d3d0
> ("libsepol/cil: Create function cil_add_decl_to_symtab() and refactor")
>
> Please take a look.
>

These are false positives. The only time the datum passed to
cil_gen_node() gets freed is when the declaration is a duplicate and
duplicate declarations are allowed and the datum is a type, type
attribute, or an optional.

It would probably be better, however, to pass the SEPOL_EEXIST back to
the calling function and to free the datum there.

Jim


> Thanks,
>
> Petr
>

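The ownership change Jim suggests, as an added illustration that is not libsepol code: the registration function reports SEPOL_EEXIST instead of freeing the datum, and a caller shaped like the flagged class generator does the single free on its error path, so the write through the pointer after the call is safe on every path and needs no interprocedural reasoning from a scanner. The symtab, the datum layout and the numeric SEPOL_EEXIST value are constructed stand-ins.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins; the real libsepol values and types are not used here. */
#define SEPOL_OK     0
#define SEPOL_EEXIST 17
#define MAX_DECLS    8

struct datum  { char name[32]; unsigned int num_perms; };
struct symtab { struct datum *items[MAX_DECLS]; int count; };

/* Ownership rule: this function never frees the caller's datum. A duplicate
 * name is reported as SEPOL_EEXIST and the datum stays owned by the caller,
 * so every caller can reason locally about when the pointer dies. */
static int add_decl_to_symtab(struct symtab *st, struct datum *d)
{
    for (int i = 0; i < st->count; i++)
        if (strcmp(st->items[i]->name, d->name) == 0)
            return SEPOL_EEXIST;
    if (st->count == MAX_DECLS) return -1;
    st->items[st->count++] = d;   /* ownership moves to the table on success */
    return SEPOL_OK;
}

/* Caller shaped like the flagged class/map/common generators: register the
 * datum, then write num_perms through it. Because the callee never frees,
 * the write after the call is safe on every path. */
static int gen_class(struct symtab *st, const char *name, unsigned int nperms)
{
    struct datum *class = calloc(1, sizeof *class);
    int rc;
    if (class == NULL) return -1;
    strncpy(class->name, name, sizeof class->name - 1);  /* calloc zeroed the terminator */
    rc = add_decl_to_symtab(st, class);
    if (rc != SEPOL_OK) goto exit;   /* class is still ours: free it exactly once */
    class->num_perms = nperms;       /* valid: the table now owns class */
    return SEPOL_OK;
exit:
    free(class);
    return rc;
}

/* Release what the table owns, so ASan/valgrind can confirm no leak or double free. */
static void symtab_destroy(struct symtab *st)
{
    for (int i = 0; i < st->count; i++)
        free(st->items[i]);
    st->count = 0;
}
```

Building with -fsanitize=address and registering the same name twice exercises the duplicate path without any free of a pointer the caller later touches.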

* Re: Another libsepol USE_AFTER_FREE defects detected
@ 2021-09-10  6:03   ` Petr Lautrbach
From: Petr Lautrbach @ 2021-09-10  6:03 UTC (permalink / raw)
  To: SElinux list; +Cc: James Carter

James Carter <jwcart2@gmail.com> writes:

> On Thu, Sep 9, 2021 at 3:10 PM Petr Lautrbach <plautrba@redhat.com> wrote:
>>
>> Hello,
>>
>> our internal scanner reports the following defects:
>>
>> Error: USE_AFTER_FREE (CWE-416): [#def1]
>> libsepol/cil/src/cil_build_ast.c:473: freed_arg: "cil_gen_node" frees "class".
>> libsepol/cil/src/cil_build_ast.c:480: deref_after_free: Dereferencing freed pointer "class".
>> #  478|         if (parse_current->next->next != NULL) {
>> #  479|                 perms = parse_current->next->next->cl_head;
>> #  480|->               rc = cil_gen_perm_nodes(db, perms, ast_node, CIL_PERM, &class->num_perms);
>> #  481|                 if (rc != SEPOL_OK) {
>> #  482|                         goto exit;
>>
>> Error: USE_AFTER_FREE (CWE-416): [#def2]
>> libsepol/cil/src/cil_build_ast.c:942: freed_arg: "cil_gen_node" frees "map".
>> libsepol/cil/src/cil_build_ast.c:947: deref_after_free: Dereferencing freed pointer "map".
>> #  945|         }
>> #  946|
>> #  947|->       rc = cil_gen_perm_nodes(db, parse_current->next->next->cl_head, ast_node, CIL_MAP_PERM, &map->num_perms);
>> #  948|         if (rc != SEPOL_OK) {
>> #  949|                 goto exit;
>>
>> Error: USE_AFTER_FREE (CWE-416): [#def3]
>> libsepol/cil/src/cil_build_ast.c:1042: freed_arg: "cil_gen_node" frees "common".
>> libsepol/cil/src/cil_build_ast.c:1047: deref_after_free: Dereferencing freed pointer "common".
>> # 1045|         }
>> # 1046|
>> # 1047|->       rc = cil_gen_perm_nodes(db, parse_current->next->next->cl_head, ast_node, CIL_PERM, &common->num_perms);
>> # 1048|         if (rc != SEPOL_OK) {
>> # 1049|                 goto exit;
>>
>>
>> They might be related to commit 0d4e568afe5a28edc5fcdcff8e925d4ec1d0d3d0
>> ("libsepol/cil: Create function cil_add_decl_to_symtab() and refactor")
>>
>> Please take a look.
>>
>
> These are false positives. The only time the datum passed to
> cil_gen_node() gets freed is when the declaration is a duplicate and
> duplicate declarations are allowed and the datum is a type, type
> attribute, or an optional.
>
> It would probably be better, however, to pass the SEPOL_EEXIST back to
> the calling function and to free the datum there.
>
> Jim
>

Thanks!

Petr

