* [PATCH 1/5] checkpolicy: fix memory usage in define_bool_tunable()
@ 2016-12-26 21:18 Nicolas Iooss
2016-12-26 21:18 ` [PATCH 2/5] checkpolicy: free id in define_port_context() Nicolas Iooss
` (5 more replies)
0 siblings, 6 replies; 11+ messages in thread
From: Nicolas Iooss @ 2016-12-26 21:18 UTC (permalink / raw)
To: selinux
In an error path of define_bool_tunable(), variable id is freed after
being used by a successful call to declare_symbol(). This may cause
trouble as this pointer may have been used as-is in the policy symtab
hash table.
Moreover bool_value is never freed after being used. Fix this memory
leak too. This leak has been detected with gcc Address Sanitizer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
checkpolicy/policy_define.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 864788992e5c..2ad98c3c851e 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -1704,11 +1704,11 @@ int define_bool_tunable(int is_tunable)
bool_value = (char *)queue_remove(id_queue);
if (!bool_value) {
yyerror("no default value for bool definition?");
- free(id);
return -1;
}
datum->state = (int)(bool_value[0] == 'T') ? 1 : 0;
+ free(bool_value);
return 0;
cleanup:
cond_destroy_bool(id, datum, NULL);
--
2.11.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH 2/5] checkpolicy: free id in define_port_context()
2016-12-26 21:18 [PATCH 1/5] checkpolicy: fix memory usage in define_bool_tunable() Nicolas Iooss
@ 2016-12-26 21:18 ` Nicolas Iooss
2017-01-06 19:26 ` James Carter
2016-12-26 21:18 ` [PATCH 3/5] checkpolicy: fix memory leaks in genfscon statements parsing Nicolas Iooss
` (4 subsequent siblings)
5 siblings, 1 reply; 11+ messages in thread
From: Nicolas Iooss @ 2016-12-26 21:18 UTC (permalink / raw)
To: selinux
Variable id is almost never freed in define_port_context().
This leak has been detected with gcc Address Sanitizer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
checkpolicy/policy_define.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 2ad98c3c851e..ff902787c2aa 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -4899,6 +4899,7 @@ int define_port_context(unsigned int low, unsigned int high)
protocol = IPPROTO_DCCP;
} else {
yyerror2("unrecognized protocol %s", id);
+ free(id);
free(newc);
return -1;
}
@@ -4909,11 +4910,13 @@ int define_port_context(unsigned int low, unsigned int high)
if (low > high) {
yyerror2("low port %d exceeds high port %d", low, high);
+ free(id);
free(newc);
return -1;
}
if (parse_security_context(&newc->context[0])) {
+ free(id);
free(newc);
return -1;
}
@@ -4945,9 +4948,11 @@ int define_port_context(unsigned int low, unsigned int high)
else
policydbp->ocontexts[OCON_PORT] = newc;
+ free(id);
return 0;
bad:
+ free(id);
free(newc);
return -1;
}
--
2.11.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH 3/5] checkpolicy: fix memory leaks in genfscon statements parsing
2016-12-26 21:18 [PATCH 1/5] checkpolicy: fix memory usage in define_bool_tunable() Nicolas Iooss
2016-12-26 21:18 ` [PATCH 2/5] checkpolicy: free id in define_port_context() Nicolas Iooss
@ 2016-12-26 21:18 ` Nicolas Iooss
2017-01-06 19:27 ` James Carter
2016-12-26 21:18 ` [PATCH 4/5] checkpolicy: do not leak queue elements in queue_destroy() Nicolas Iooss
` (3 subsequent siblings)
5 siblings, 1 reply; 11+ messages in thread
From: Nicolas Iooss @ 2016-12-26 21:18 UTC (permalink / raw)
To: selinux
When parsing several genfscon statements for the same filesystem, the
content of local variable "fstype" is never freed. Moreover variable
"type" is never freed when define_genfs_context_helper() succeeds.
Fix these leaks by calling free() appropriately.
These leaks have been detected with gcc Address Sanitizer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
checkpolicy/policy_define.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index ff902787c2aa..780e325af65d 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -5288,6 +5288,9 @@ int define_genfs_context_helper(char *fstype, int has_type)
else
policydbp->genfs = newgenfs;
genfs = newgenfs;
+ } else {
+ free(fstype);
+ fstype = NULL;
}
newc = (ocontext_t *) malloc(sizeof(ocontext_t));
@@ -5345,7 +5348,7 @@ int define_genfs_context_helper(char *fstype, int has_type)
(!newc->v.sclass || !c->v.sclass
|| newc->v.sclass == c->v.sclass)) {
yyerror2("duplicate entry for genfs entry (%s, %s)",
- fstype, newc->u.name);
+ genfs->fstype, newc->u.name);
goto fail;
}
len = strlen(newc->u.name);
@@ -5359,6 +5362,7 @@ int define_genfs_context_helper(char *fstype, int has_type)
p->next = newc;
else
genfs->head = newc;
+ free(type);
return 0;
fail:
if (type)
--
2.11.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH 4/5] checkpolicy: do not leak queue elements in queue_destroy()
2016-12-26 21:18 [PATCH 1/5] checkpolicy: fix memory usage in define_bool_tunable() Nicolas Iooss
2016-12-26 21:18 ` [PATCH 2/5] checkpolicy: free id in define_port_context() Nicolas Iooss
2016-12-26 21:18 ` [PATCH 3/5] checkpolicy: fix memory leaks in genfscon statements parsing Nicolas Iooss
@ 2016-12-26 21:18 ` Nicolas Iooss
2017-01-06 19:27 ` James Carter
2016-12-26 21:18 ` [PATCH 5/5] checkpolicy: free id where it was leaked Nicolas Iooss
` (2 subsequent siblings)
5 siblings, 1 reply; 11+ messages in thread
From: Nicolas Iooss @ 2016-12-26 21:18 UTC (permalink / raw)
To: selinux
Elements which are inserted into a queue_t object are either NULL (from
insert_separator()) or strings allocated with malloc() in insert_id().
They would be freed if there are still present in the queue when it is
destroyed. Otherwise the memory allocated for these elements would be
leaked.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
checkpolicy/queue.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/checkpolicy/queue.c b/checkpolicy/queue.c
index 272079c0debe..acc991c63303 100644
--- a/checkpolicy/queue.c
+++ b/checkpolicy/queue.c
@@ -113,6 +113,7 @@ void queue_destroy(queue_t q)
p = q->head;
while (p != NULL) {
+ free(p->element);
temp = p;
p = p->next;
free(temp);
--
2.11.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH 5/5] checkpolicy: free id where it was leaked
2016-12-26 21:18 [PATCH 1/5] checkpolicy: fix memory usage in define_bool_tunable() Nicolas Iooss
` (2 preceding siblings ...)
2016-12-26 21:18 ` [PATCH 4/5] checkpolicy: do not leak queue elements in queue_destroy() Nicolas Iooss
@ 2016-12-26 21:18 ` Nicolas Iooss
2017-01-06 19:29 ` James Carter
2017-01-06 19:23 ` [PATCH 1/5] checkpolicy: fix memory usage in define_bool_tunable() James Carter
2017-01-09 20:02 ` Stephen Smalley
5 siblings, 1 reply; 11+ messages in thread
From: Nicolas Iooss @ 2016-12-26 21:18 UTC (permalink / raw)
To: selinux
Several functions in policy_define.c do not free id after handling it.
Add the missing free(id) statements.
The places where free(id) was missing were found both with gcc Address
Sanitizer and manual code inspection.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
checkpolicy/policy_define.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 780e325af65d..19f3a5631465 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -1232,6 +1232,7 @@ int define_typealias(void)
free(id);
return -1;
}
+ free(id);
return add_aliases_to_type(t);
}
@@ -1263,6 +1264,7 @@ int define_typeattribute(void)
free(id);
return -1;
}
+ free(id);
while ((id = queue_remove(id_queue))) {
if (!is_id_in_scope(SYM_TYPES, id)) {
@@ -1459,25 +1461,25 @@ static int set_types(type_set_t * set, char *id, int *add, char starallowed)
type_datum_t *t;
if (strcmp(id, "*") == 0) {
+ free(id);
if (!starallowed) {
yyerror("* not allowed in this type of rule");
return -1;
}
/* set TYPE_STAR flag */
set->flags = TYPE_STAR;
- free(id);
*add = 1;
return 0;
}
if (strcmp(id, "~") == 0) {
+ free(id);
if (!starallowed) {
yyerror("~ not allowed in this type of rule");
return -1;
}
/* complement the set */
set->flags = TYPE_COMP;
- free(id);
*add = 1;
return 0;
}
@@ -1570,8 +1572,10 @@ int define_compute_type_helper(int which, avrule_t ** rule)
(hashtab_key_t) id);
if (!datum || datum->flavor == TYPE_ATTRIB) {
yyerror2("unknown type %s", id);
+ free(id);
goto bad;
}
+ free(id);
ebitmap_for_each_bit(&tclasses, node, i) {
if (ebitmap_node_get_bit(node, i)) {
@@ -2008,6 +2012,7 @@ int define_te_avtab_xperms_helper(int which, avrule_t ** rule)
(class_perm_node_t *) malloc(sizeof(class_perm_node_t));
if (!cur_perms) {
yyerror("out of memory");
+ free(id);
ret = -1;
goto out;
}
@@ -2043,6 +2048,7 @@ int define_te_avtab_xperms_helper(int which, avrule_t ** rule)
}
}
+ free(id);
ebitmap_destroy(&tclasses);
avrule->perms = perms;
@@ -2389,11 +2395,12 @@ int define_te_avtab_extended_perms(int which)
id = queue_remove(id_queue);
if (strcmp(id,"ioctl") == 0) {
+ free(id);
if (define_te_avtab_ioctl(avrule_template))
return -1;
- free(id);
} else {
yyerror("only ioctl extended permissions are supported");
+ free(id);
return -1;
}
return 0;
@@ -3090,13 +3097,16 @@ int define_role_trans(int class_specified)
role = hashtab_search(policydbp->p_roles.table, id);
if (!role) {
yyerror2("unknown role %s used in transition definition", id);
+ free(id);
goto bad;
}
if (role->flavor != ROLE_ROLE) {
yyerror2("the new role %s must be a regular role", id);
+ free(id);
goto bad;
}
+ free(id);
/* This ebitmap business is just to ensure that there are not conflicting role_trans rules */
if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL))
--
2.11.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH 1/5] checkpolicy: fix memory usage in define_bool_tunable()
2016-12-26 21:18 [PATCH 1/5] checkpolicy: fix memory usage in define_bool_tunable() Nicolas Iooss
` (3 preceding siblings ...)
2016-12-26 21:18 ` [PATCH 5/5] checkpolicy: free id where it was leaked Nicolas Iooss
@ 2017-01-06 19:23 ` James Carter
2017-01-09 20:02 ` Stephen Smalley
5 siblings, 0 replies; 11+ messages in thread
From: James Carter @ 2017-01-06 19:23 UTC (permalink / raw)
To: Nicolas Iooss, selinux
On 12/26/2016 04:18 PM, Nicolas Iooss wrote:
> In an error path of define_bool_tunable(), variable id is freed after
> being used by a successful call to declare_symbol(). This may cause
> trouble as this pointer may have been used as-is in the policy symtab
> hash table.
>
> Moreover bool_value is never freed after being used. Fix this memory
> leak too. This leak has been detected with gcc Address Sanitizer.
>
> Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Applied.
Thanks,
> ---
> checkpolicy/policy_define.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> index 864788992e5c..2ad98c3c851e 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -1704,11 +1704,11 @@ int define_bool_tunable(int is_tunable)
> bool_value = (char *)queue_remove(id_queue);
> if (!bool_value) {
> yyerror("no default value for bool definition?");
> - free(id);
> return -1;
> }
>
> datum->state = (int)(bool_value[0] == 'T') ? 1 : 0;
> + free(bool_value);
> return 0;
> cleanup:
> cond_destroy_bool(id, datum, NULL);
>
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH 2/5] checkpolicy: free id in define_port_context()
2016-12-26 21:18 ` [PATCH 2/5] checkpolicy: free id in define_port_context() Nicolas Iooss
@ 2017-01-06 19:26 ` James Carter
0 siblings, 0 replies; 11+ messages in thread
From: James Carter @ 2017-01-06 19:26 UTC (permalink / raw)
To: Nicolas Iooss, selinux
On 12/26/2016 04:18 PM, Nicolas Iooss wrote:
> Variable id is almost never freed in define_port_context().
>
> This leak has been detected with gcc Address Sanitizer.
>
> Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
> ---
> checkpolicy/policy_define.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> index 2ad98c3c851e..ff902787c2aa 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -4899,6 +4899,7 @@ int define_port_context(unsigned int low, unsigned int high)
> protocol = IPPROTO_DCCP;
> } else {
> yyerror2("unrecognized protocol %s", id);
> + free(id);
> free(newc);
> return -1;
> }
> @@ -4909,11 +4910,13 @@ int define_port_context(unsigned int low, unsigned int high)
>
> if (low > high) {
> yyerror2("low port %d exceeds high port %d", low, high);
> + free(id);
> free(newc);
> return -1;
> }
>
> if (parse_security_context(&newc->context[0])) {
> + free(id);
> free(newc);
> return -1;
> }
Applied, but for the three above I changed it to "goto bad;" which has both
frees and returns -1.
Thanks,
> @@ -4945,9 +4948,11 @@ int define_port_context(unsigned int low, unsigned int high)
> else
> policydbp->ocontexts[OCON_PORT] = newc;
>
> + free(id);
> return 0;
>
> bad:
> + free(id);
> free(newc);
> return -1;
> }
>
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH 3/5] checkpolicy: fix memory leaks in genfscon statements parsing
2016-12-26 21:18 ` [PATCH 3/5] checkpolicy: fix memory leaks in genfscon statements parsing Nicolas Iooss
@ 2017-01-06 19:27 ` James Carter
0 siblings, 0 replies; 11+ messages in thread
From: James Carter @ 2017-01-06 19:27 UTC (permalink / raw)
To: Nicolas Iooss, selinux
On 12/26/2016 04:18 PM, Nicolas Iooss wrote:
> When parsing several genfscon statements for the same filesystem, the
> content of local variable "fstype" is never freed. Moreover variable
> "type" is never freed when define_genfs_context_helper() succeeds.
>
> Fix these leaks by calling free() appropriately.
>
> These leaks have been detected with gcc Address Sanitizer.
>
> Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Applied.
Thanks,
> ---
> checkpolicy/policy_define.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> index ff902787c2aa..780e325af65d 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -5288,6 +5288,9 @@ int define_genfs_context_helper(char *fstype, int has_type)
> else
> policydbp->genfs = newgenfs;
> genfs = newgenfs;
> + } else {
> + free(fstype);
> + fstype = NULL;
> }
>
> newc = (ocontext_t *) malloc(sizeof(ocontext_t));
> @@ -5345,7 +5348,7 @@ int define_genfs_context_helper(char *fstype, int has_type)
> (!newc->v.sclass || !c->v.sclass
> || newc->v.sclass == c->v.sclass)) {
> yyerror2("duplicate entry for genfs entry (%s, %s)",
> - fstype, newc->u.name);
> + genfs->fstype, newc->u.name);
> goto fail;
> }
> len = strlen(newc->u.name);
> @@ -5359,6 +5362,7 @@ int define_genfs_context_helper(char *fstype, int has_type)
> p->next = newc;
> else
> genfs->head = newc;
> + free(type);
> return 0;
> fail:
> if (type)
>
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH 4/5] checkpolicy: do not leak queue elements in queue_destroy()
2016-12-26 21:18 ` [PATCH 4/5] checkpolicy: do not leak queue elements in queue_destroy() Nicolas Iooss
@ 2017-01-06 19:27 ` James Carter
0 siblings, 0 replies; 11+ messages in thread
From: James Carter @ 2017-01-06 19:27 UTC (permalink / raw)
To: Nicolas Iooss, selinux
On 12/26/2016 04:18 PM, Nicolas Iooss wrote:
> Elements which are inserted into a queue_t object are either NULL (from
> insert_separator()) or strings allocated with malloc() in insert_id().
> They would be freed if there are still present in the queue when it is
> destroyed. Otherwise the memory allocated for these elements would be
> leaked.
>
> Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Applied.
Thanks,
> ---
> checkpolicy/queue.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/checkpolicy/queue.c b/checkpolicy/queue.c
> index 272079c0debe..acc991c63303 100644
> --- a/checkpolicy/queue.c
> +++ b/checkpolicy/queue.c
> @@ -113,6 +113,7 @@ void queue_destroy(queue_t q)
>
> p = q->head;
> while (p != NULL) {
> + free(p->element);
> temp = p;
> p = p->next;
> free(temp);
>
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH 5/5] checkpolicy: free id where it was leaked
2016-12-26 21:18 ` [PATCH 5/5] checkpolicy: free id where it was leaked Nicolas Iooss
@ 2017-01-06 19:29 ` James Carter
0 siblings, 0 replies; 11+ messages in thread
From: James Carter @ 2017-01-06 19:29 UTC (permalink / raw)
To: Nicolas Iooss, selinux
On 12/26/2016 04:18 PM, Nicolas Iooss wrote:
> Several functions in policy_define.c do not free id after handling it.
> Add the missing free(id) statements.
>
> The places where free(id) was missing were found both with gcc Address
> Sanitizer and manual code inspection.
>
> Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Applied.
Thanks,
> ---
> checkpolicy/policy_define.c | 16 +++++++++++++---
> 1 file changed, 13 insertions(+), 3 deletions(-)
>
> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> index 780e325af65d..19f3a5631465 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -1232,6 +1232,7 @@ int define_typealias(void)
> free(id);
> return -1;
> }
> + free(id);
> return add_aliases_to_type(t);
> }
>
> @@ -1263,6 +1264,7 @@ int define_typeattribute(void)
> free(id);
> return -1;
> }
> + free(id);
>
> while ((id = queue_remove(id_queue))) {
> if (!is_id_in_scope(SYM_TYPES, id)) {
> @@ -1459,25 +1461,25 @@ static int set_types(type_set_t * set, char *id, int *add, char starallowed)
> type_datum_t *t;
>
> if (strcmp(id, "*") == 0) {
> + free(id);
> if (!starallowed) {
> yyerror("* not allowed in this type of rule");
> return -1;
> }
> /* set TYPE_STAR flag */
> set->flags = TYPE_STAR;
> - free(id);
> *add = 1;
> return 0;
> }
>
> if (strcmp(id, "~") == 0) {
> + free(id);
> if (!starallowed) {
> yyerror("~ not allowed in this type of rule");
> return -1;
> }
> /* complement the set */
> set->flags = TYPE_COMP;
> - free(id);
> *add = 1;
> return 0;
> }
> @@ -1570,8 +1572,10 @@ int define_compute_type_helper(int which, avrule_t ** rule)
> (hashtab_key_t) id);
> if (!datum || datum->flavor == TYPE_ATTRIB) {
> yyerror2("unknown type %s", id);
> + free(id);
> goto bad;
> }
> + free(id);
>
> ebitmap_for_each_bit(&tclasses, node, i) {
> if (ebitmap_node_get_bit(node, i)) {
> @@ -2008,6 +2012,7 @@ int define_te_avtab_xperms_helper(int which, avrule_t ** rule)
> (class_perm_node_t *) malloc(sizeof(class_perm_node_t));
> if (!cur_perms) {
> yyerror("out of memory");
> + free(id);
> ret = -1;
> goto out;
> }
> @@ -2043,6 +2048,7 @@ int define_te_avtab_xperms_helper(int which, avrule_t ** rule)
> }
> }
>
> + free(id);
> ebitmap_destroy(&tclasses);
>
> avrule->perms = perms;
> @@ -2389,11 +2395,12 @@ int define_te_avtab_extended_perms(int which)
>
> id = queue_remove(id_queue);
> if (strcmp(id,"ioctl") == 0) {
> + free(id);
> if (define_te_avtab_ioctl(avrule_template))
> return -1;
> - free(id);
> } else {
> yyerror("only ioctl extended permissions are supported");
> + free(id);
> return -1;
> }
> return 0;
> @@ -3090,13 +3097,16 @@ int define_role_trans(int class_specified)
> role = hashtab_search(policydbp->p_roles.table, id);
> if (!role) {
> yyerror2("unknown role %s used in transition definition", id);
> + free(id);
> goto bad;
> }
>
> if (role->flavor != ROLE_ROLE) {
> yyerror2("the new role %s must be a regular role", id);
> + free(id);
> goto bad;
> }
> + free(id);
>
> /* This ebitmap business is just to ensure that there are not conflicting role_trans rules */
> if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL))
>
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH 1/5] checkpolicy: fix memory usage in define_bool_tunable()
2016-12-26 21:18 [PATCH 1/5] checkpolicy: fix memory usage in define_bool_tunable() Nicolas Iooss
` (4 preceding siblings ...)
2017-01-06 19:23 ` [PATCH 1/5] checkpolicy: fix memory usage in define_bool_tunable() James Carter
@ 2017-01-09 20:02 ` Stephen Smalley
5 siblings, 0 replies; 11+ messages in thread
From: Stephen Smalley @ 2017-01-09 20:02 UTC (permalink / raw)
To: Nicolas Iooss, selinux
On Mon, 2016-12-26 at 22:18 +0100, Nicolas Iooss wrote:
> In an error path of define_bool_tunable(), variable id is freed after
> being used by a successful call to declare_symbol(). This may cause
> trouble as this pointer may have been used as-is in the policy symtab
> hash table.
>
> Moreover bool_value is never freed after being used. Fix this memory
> leak too. This leak has been detected with gcc Address Sanitizer.
>
> Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Thanks, applied.
> ---
> checkpolicy/policy_define.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/checkpolicy/policy_define.c
> b/checkpolicy/policy_define.c
> index 864788992e5c..2ad98c3c851e 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -1704,11 +1704,11 @@ int define_bool_tunable(int is_tunable)
> bool_value = (char *)queue_remove(id_queue);
> if (!bool_value) {
> yyerror("no default value for bool definition?");
> - free(id);
> return -1;
> }
>
> datum->state = (int)(bool_value[0] == 'T') ? 1 : 0;
> + free(bool_value);
> return 0;
> cleanup:
> cond_destroy_bool(id, datum, NULL);
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2017-01-09 20:02 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-12-26 21:18 [PATCH 1/5] checkpolicy: fix memory usage in define_bool_tunable() Nicolas Iooss
2016-12-26 21:18 ` [PATCH 2/5] checkpolicy: free id in define_port_context() Nicolas Iooss
2017-01-06 19:26 ` James Carter
2016-12-26 21:18 ` [PATCH 3/5] checkpolicy: fix memory leaks in genfscon statements parsing Nicolas Iooss
2017-01-06 19:27 ` James Carter
2016-12-26 21:18 ` [PATCH 4/5] checkpolicy: do not leak queue elements in queue_destroy() Nicolas Iooss
2017-01-06 19:27 ` James Carter
2016-12-26 21:18 ` [PATCH 5/5] checkpolicy: free id where it was leaked Nicolas Iooss
2017-01-06 19:29 ` James Carter
2017-01-06 19:23 ` [PATCH 1/5] checkpolicy: fix memory usage in define_bool_tunable() James Carter
2017-01-09 20:02 ` Stephen Smalley
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).