From: william.c.roberts@intel.com
To: selinux@tycho.nsa.gov, jwcart2@tycho.nsa.gov,
	seandroid-list@tycho.nsa.gov, sds@tycho.nsa.gov
Subject: [PATCH v4 4/7] genfs_read: fix use heap-use-after-free
Date: Tue, 16 Aug 2016 10:28:34 -0700
Message-ID: <1471368517-20552-5-git-send-email-william.c.roberts@intel.com>
In-Reply-To: <1471368517-20552-1-git-send-email-william.c.roberts@intel.com>

From: William Roberts <william.c.roberts@intel.com>

The newc variable is calloc'd and assigned to a new
owner during a loop. After the first assignment of newc
to newgenfs->head, the subsequent iteration could fail
before the newc is reseated with a new heap allocation
pointer. When the subsequent iteration fails, the
newc variable is freed. Later, an attempt is made to
free the same pointer assigned to newgenfs->head.

To correct this, clear newc after every loop iteration.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libsepol/src/policydb.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index 6a80f94..971793d 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -2812,6 +2812,8 @@ static int genfs_read(policydb_t * p, struct policy_file *fp)
 				l->next = newc;
 			else
 				newgenfs->head = newc;
+			/* clear newc after a new owner has the pointer */
+			newc = NULL;
 		}
 	}
 
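Review bot: resetting newc to NULL at the end of the loop body is the right fix for the double free, but please confirm that the error path which frees newc also walks and frees the list hanging off newgenfs->head; otherwise the node that was just linked via `l->next = newc` or `newgenfs->head = newc` is no longer released by anyone on failure and the double free turns into a leak. Since free(NULL) is a no-op, the existing unconditional free of newc on the error path needs no extra guard after this change.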
-- 
1.9.1
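The ownership hand-off the commit message describes, modelled in C as an added example (not libsepol's own code): a small pool-backed allocator counts double frees instead of corrupting the heap, and read_entries runs the genfs_read-style loop once without the reset and once with the patch's `newc = NULL`. The node and list types, the pool and the numeric input are constructed stand-ins for libsepol's real structures and policy stream.

```c
#include <string.h>
/* Stand-in for the ocontext list genfs_read builds (constructed for this example, not
 * libsepol's types); a fixed pool replaces malloc so a double free is counted, not executed. */
struct node { struct node *next; int in_use; };
struct list { struct node *head; };
#define POOL_SIZE 8
static struct node pool[POOL_SIZE]; static int double_frees;
static struct node *node_new(void) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) { pool[i].next = NULL; pool[i].in_use = 1; return &pool[i]; }
    return NULL;
}
static void node_free(struct node *n) {
    if (!n) return;                              /* free(NULL) is a no-op */
    if (!n->in_use) { double_frees++; return; }  /* heap corruption with a real malloc */
    n->in_use = 0;
}
static void list_free(struct list *lst) {
    for (struct node *n = lst->head, *next; n; n = next) { next = n->next; node_free(n); }
    lst->head = NULL;
}
/* Mirrors the genfs_read loop: each iteration allocates newc and links it into the
 * list; a later iteration can fail before newc is reseated (a negative entry stands
 * in for a failed read). reset=0 reproduces the bug, reset=1 applies the patch. */
static int read_entries(struct list *lst, const int *buf, int count, int reset) {
    struct node *newc = NULL, *l = NULL;
    for (int i = 0; i < count; i++) {
        if (buf[i] < 0) goto bad;   /* fails while newc still names the last node */
        if (!(newc = node_new())) goto bad;
        if (l) l->next = newc; else lst->head = newc;
        l = newc;
        if (reset) newc = NULL;     /* the fix: clear after a new owner has the pointer */
    }
    return 0;
bad:
    node_free(newc);   /* without the reset this node is still owned by lst ... */
    list_free(lst);    /* ... and is released a second time here */
    return -1;
}
/* Runs the loop on constructed input (two good entries, then a failure) and returns
 * the double frees observed plus 10 per node still allocated afterwards. */
static int scenario(int reset) {
    static const int input[] = { 1, 2, -1 };
    struct list lst = { NULL }; int leaked = 0;
    memset(pool, 0, sizeof pool); double_frees = 0;
    read_entries(&lst, input, 3, reset);
    for (int i = 0; i < POOL_SIZE; i++) leaked += pool[i].in_use;
    return double_frees + 10 * leaked;
}
```

scenario(0) reports one double free and scenario(1) reports none with nothing leaked, which is exactly the behaviour change the two added lines of the patch produce.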


Thread overview: 11+ messages
2016-08-16 17:28 Fix AFL Found Bugs in libsepol v4 william.c.roberts
2016-08-16 17:28 ` [PATCH v4 1/7] libsepol: fix invalid access of NULL on type_val_to_struct william.c.roberts
2016-08-16 17:28 ` [PATCH v4 2/7] libsepol: ensure key is valid before doing search william.c.roberts
2016-08-16 17:28 ` [PATCH v4 3/7] ebitmap: detect invalid bitmap william.c.roberts
2016-08-16 17:28 ` william.c.roberts [this message]
2016-08-16 17:28 ` [PATCH v4 5/7] libsepol: bound attr_type_map access by nprim william.c.roberts
2016-08-16 17:28 ` [PATCH v4 6/7] libsepol: fix unitialized jmp and invalid dereference william.c.roberts
2016-08-16 17:28 ` [PATCH v4 7/7] libsepol: fix overflow and 0 length allocations william.c.roberts
2016-08-16 17:45   ` Roberts, William C
2016-08-16 18:40     ` Stephen Smalley
2016-08-17 14:13 ` Fix AFL Found Bugs in libsepol v4 James Carter
