[PATCH 1/5] checkpolicy: fix memory usage in define_bool_tunable()

[PATCH 1/5] checkpolicy: fix memory usage in define_bool_tunable()

[Nicolas Iooss]

In an error path of define_bool_tunable(), variable id is freed after
being used by a successful call to declare_symbol(). This may cause
trouble as this pointer may have been used as-is in the policy symtab
hash table.

Moreover bool_value is never freed after being used. Fix this memory
leak too. This leak has been detected with gcc Address Sanitizer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
 checkpolicy/policy_define.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 864788992e5c..2ad98c3c851e 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -1704,11 +1704,11 @@ int define_bool_tunable(int is_tunable)
 	bool_value = (char *)queue_remove(id_queue);
 	if (!bool_value) {
 		yyerror("no default value for bool definition?");
-		free(id);
 		return -1;
 	}
 
 	datum->state = (int)(bool_value[0] == 'T') ? 1 : 0;
+	free(bool_value);
 	return 0;
       cleanup:
 	cond_destroy_bool(id, datum, NULL);
-- 
2.11.0

[PATCH 2/5] checkpolicy: free id in define_port_context()

[Nicolas Iooss]

Variable id is almost never freed in define_port_context().

This leak has been detected with gcc Address Sanitizer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
 checkpolicy/policy_define.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 2ad98c3c851e..ff902787c2aa 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -4899,6 +4899,7 @@ int define_port_context(unsigned int low, unsigned int high)
 		protocol = IPPROTO_DCCP;
 	} else {
 		yyerror2("unrecognized protocol %s", id);
+		free(id);
 		free(newc);
 		return -1;
 	}
@@ -4909,11 +4910,13 @@ int define_port_context(unsigned int low, unsigned int high)
 
 	if (low > high) {
 		yyerror2("low port %d exceeds high port %d", low, high);
+		free(id);
 		free(newc);
 		return -1;
 	}
 
 	if (parse_security_context(&newc->context[0])) {
+		free(id);
 		free(newc);
 		return -1;
 	}
@@ -4945,9 +4948,11 @@ int define_port_context(unsigned int low, unsigned int high)
 	else
 		policydbp->ocontexts[OCON_PORT] = newc;
 
+	free(id);
 	return 0;
 
       bad:
+	free(id);
 	free(newc);
 	return -1;
 }
-- 
2.11.0

[PATCH 3/5] checkpolicy: fix memory leaks in genfscon statements parsing

[Nicolas Iooss]

When parsing several genfscon statements for the same filesystem, the
content of local variable "fstype" is never freed. Moreover variable
"type" is never freed when define_genfs_context_helper() succeeds.

Fix these leaks by calling free() appropriately.

These leaks have been detected with gcc Address Sanitizer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
 checkpolicy/policy_define.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index ff902787c2aa..780e325af65d 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -5288,6 +5288,9 @@ int define_genfs_context_helper(char *fstype, int has_type)
 		else
 			policydbp->genfs = newgenfs;
 		genfs = newgenfs;
+	} else {
+		free(fstype);
+		fstype = NULL;
 	}
 
 	newc = (ocontext_t *) malloc(sizeof(ocontext_t));
@@ -5345,7 +5348,7 @@ int define_genfs_context_helper(char *fstype, int has_type)
 		    (!newc->v.sclass || !c->v.sclass
 		     || newc->v.sclass == c->v.sclass)) {
 			yyerror2("duplicate entry for genfs entry (%s, %s)",
-				 fstype, newc->u.name);
+				 genfs->fstype, newc->u.name);
 			goto fail;
 		}
 		len = strlen(newc->u.name);
@@ -5359,6 +5362,7 @@ int define_genfs_context_helper(char *fstype, int has_type)
 		p->next = newc;
 	else
 		genfs->head = newc;
+	free(type);
 	return 0;
       fail:
 	if (type)
-- 
2.11.0

[PATCH 4/5] checkpolicy: do not leak queue elements in queue_destroy()

[Nicolas Iooss]

Elements which are inserted into a queue_t object are either NULL (from
insert_separator()) or strings allocated with malloc() in insert_id().
They would be freed if there are still present in the queue when it is
destroyed. Otherwise the memory allocated for these elements would be
leaked.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
 checkpolicy/queue.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/checkpolicy/queue.c b/checkpolicy/queue.c
index 272079c0debe..acc991c63303 100644
--- a/checkpolicy/queue.c
+++ b/checkpolicy/queue.c
@@ -113,6 +113,7 @@ void queue_destroy(queue_t q)
 
 	p = q->head;
 	while (p != NULL) {
+		free(p->element);
 		temp = p;
 		p = p->next;
 		free(temp);
-- 
2.11.0

[PATCH 5/5] checkpolicy: free id where it was leaked

[Nicolas Iooss]

Several functions in policy_define.c do not free id after handling it.
Add the missing free(id) statements.

The places where free(id) was missing were found both with gcc Address
Sanitizer and manual code inspection.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
 checkpolicy/policy_define.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 780e325af65d..19f3a5631465 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -1232,6 +1232,7 @@ int define_typealias(void)
 		free(id);
 		return -1;
 	}
+	free(id);
 	return add_aliases_to_type(t);
 }
 
@@ -1263,6 +1264,7 @@ int define_typeattribute(void)
 		free(id);
 		return -1;
 	}
+	free(id);
 
 	while ((id = queue_remove(id_queue))) {
 		if (!is_id_in_scope(SYM_TYPES, id)) {
@@ -1459,25 +1461,25 @@ static int set_types(type_set_t * set, char *id, int *add, char starallowed)
 	type_datum_t *t;
 
 	if (strcmp(id, "*") == 0) {
+		free(id);
 		if (!starallowed) {
 			yyerror("* not allowed in this type of rule");
 			return -1;
 		}
 		/* set TYPE_STAR flag */
 		set->flags = TYPE_STAR;
-		free(id);
 		*add = 1;
 		return 0;
 	}
 
 	if (strcmp(id, "~") == 0) {
+		free(id);
 		if (!starallowed) {
 			yyerror("~ not allowed in this type of rule");
 			return -1;
 		}
 		/* complement the set */
 		set->flags = TYPE_COMP;
-		free(id);
 		*add = 1;
 		return 0;
 	}
@@ -1570,8 +1572,10 @@ int define_compute_type_helper(int which, avrule_t ** rule)
 						(hashtab_key_t) id);
 	if (!datum || datum->flavor == TYPE_ATTRIB) {
 		yyerror2("unknown type %s", id);
+		free(id);
 		goto bad;
 	}
+	free(id);
 
 	ebitmap_for_each_bit(&tclasses, node, i) {
 		if (ebitmap_node_get_bit(node, i)) {
@@ -2008,6 +2012,7 @@ int define_te_avtab_xperms_helper(int which, avrule_t ** rule)
 		    (class_perm_node_t *) malloc(sizeof(class_perm_node_t));
 		if (!cur_perms) {
 			yyerror("out of memory");
+			free(id);
 			ret = -1;
 			goto out;
 		}
@@ -2043,6 +2048,7 @@ int define_te_avtab_xperms_helper(int which, avrule_t ** rule)
 		}
 	}
 
+	free(id);
 	ebitmap_destroy(&tclasses);
 
 	avrule->perms = perms;
@@ -2389,11 +2395,12 @@ int define_te_avtab_extended_perms(int which)
 
 	id = queue_remove(id_queue);
 	if (strcmp(id,"ioctl") == 0) {
+		free(id);
 		if (define_te_avtab_ioctl(avrule_template))
 			return -1;
-		free(id);
 	} else {
 		yyerror("only ioctl extended permissions are supported");
+		free(id);
 		return -1;
 	}
 	return 0;
@@ -3090,13 +3097,16 @@ int define_role_trans(int class_specified)
 	role = hashtab_search(policydbp->p_roles.table, id);
 	if (!role) {
 		yyerror2("unknown role %s used in transition definition", id);
+		free(id);
 		goto bad;
 	}
 
 	if (role->flavor != ROLE_ROLE) {
 		yyerror2("the new role %s must be a regular role", id);
+		free(id);
 		goto bad;
 	}
+	free(id);
 
 	/* This ebitmap business is just to ensure that there are not conflicting role_trans rules */
 	if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL))
-- 
2.11.0

Re: [PATCH 1/5] checkpolicy: fix memory usage in define_bool_tunable()

[James Carter]

On 12/26/2016 04:18 PM, Nicolas Iooss wrote:
> In an error path of define_bool_tunable(), variable id is freed after
> being used by a successful call to declare_symbol(). This may cause
> trouble as this pointer may have been used as-is in the policy symtab
> hash table.
>
> Moreover bool_value is never freed after being used. Fix this memory
> leak too. This leak has been detected with gcc Address Sanitizer.
>
> Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

Applied.

Thanks,

> ---
>  checkpolicy/policy_define.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> index 864788992e5c..2ad98c3c851e 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -1704,11 +1704,11 @@ int define_bool_tunable(int is_tunable)
>  	bool_value = (char *)queue_remove(id_queue);
>  	if (!bool_value) {
>  		yyerror("no default value for bool definition?");
> -		free(id);
>  		return -1;
>  	}
>
>  	datum->state = (int)(bool_value[0] == 'T') ? 1 : 0;
> +	free(bool_value);
>  	return 0;
>        cleanup:
>  	cond_destroy_bool(id, datum, NULL);
>


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency

Re: [PATCH 2/5] checkpolicy: free id in define_port_context()

[James Carter]

On 12/26/2016 04:18 PM, Nicolas Iooss wrote:
> Variable id is almost never freed in define_port_context().
>
> This leak has been detected with gcc Address Sanitizer.
>
> Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
> ---
>  checkpolicy/policy_define.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> index 2ad98c3c851e..ff902787c2aa 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -4899,6 +4899,7 @@ int define_port_context(unsigned int low, unsigned int high)
>  		protocol = IPPROTO_DCCP;
>  	} else {
>  		yyerror2("unrecognized protocol %s", id);
> +		free(id);
>  		free(newc);
>  		return -1;
>  	}
> @@ -4909,11 +4910,13 @@ int define_port_context(unsigned int low, unsigned int high)
>
>  	if (low > high) {
>  		yyerror2("low port %d exceeds high port %d", low, high);
> +		free(id);
>  		free(newc);
>  		return -1;
>  	}
>
>  	if (parse_security_context(&newc->context[0])) {
> +		free(id);
>  		free(newc);
>  		return -1;
>  	}

Applied, but for the three above I changed it to "goto bad;" which has both 
frees and returns -1.

Thanks,

> @@ -4945,9 +4948,11 @@ int define_port_context(unsigned int low, unsigned int high)
>  	else
>  		policydbp->ocontexts[OCON_PORT] = newc;
>
> +	free(id);
>  	return 0;
>
>        bad:
> +	free(id);
>  	free(newc);
>  	return -1;
>  }
>


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency

Re: [PATCH 3/5] checkpolicy: fix memory leaks in genfscon statements parsing

[James Carter]

On 12/26/2016 04:18 PM, Nicolas Iooss wrote:
> When parsing several genfscon statements for the same filesystem, the
> content of local variable "fstype" is never freed. Moreover variable
> "type" is never freed when define_genfs_context_helper() succeeds.
>
> Fix these leaks by calling free() appropriately.
>
> These leaks have been detected with gcc Address Sanitizer.
>
> Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

Applied.

Thanks,

> ---
>  checkpolicy/policy_define.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> index ff902787c2aa..780e325af65d 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -5288,6 +5288,9 @@ int define_genfs_context_helper(char *fstype, int has_type)
>  		else
>  			policydbp->genfs = newgenfs;
>  		genfs = newgenfs;
> +	} else {
> +		free(fstype);
> +		fstype = NULL;
>  	}
>
>  	newc = (ocontext_t *) malloc(sizeof(ocontext_t));
> @@ -5345,7 +5348,7 @@ int define_genfs_context_helper(char *fstype, int has_type)
>  		    (!newc->v.sclass || !c->v.sclass
>  		     || newc->v.sclass == c->v.sclass)) {
>  			yyerror2("duplicate entry for genfs entry (%s, %s)",
> -				 fstype, newc->u.name);
> +				 genfs->fstype, newc->u.name);
>  			goto fail;
>  		}
>  		len = strlen(newc->u.name);
> @@ -5359,6 +5362,7 @@ int define_genfs_context_helper(char *fstype, int has_type)
>  		p->next = newc;
>  	else
>  		genfs->head = newc;
> +	free(type);
>  	return 0;
>        fail:
>  	if (type)
>


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency

Re: [PATCH 4/5] checkpolicy: do not leak queue elements in queue_destroy()

[James Carter]

On 12/26/2016 04:18 PM, Nicolas Iooss wrote:
> Elements which are inserted into a queue_t object are either NULL (from
> insert_separator()) or strings allocated with malloc() in insert_id().
> They would be freed if there are still present in the queue when it is
> destroyed. Otherwise the memory allocated for these elements would be
> leaked.
>
> Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

Applied.

Thanks,

> ---
>  checkpolicy/queue.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/checkpolicy/queue.c b/checkpolicy/queue.c
> index 272079c0debe..acc991c63303 100644
> --- a/checkpolicy/queue.c
> +++ b/checkpolicy/queue.c
> @@ -113,6 +113,7 @@ void queue_destroy(queue_t q)
>
>  	p = q->head;
>  	while (p != NULL) {
> +		free(p->element);
>  		temp = p;
>  		p = p->next;
>  		free(temp);
>


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency

Re: [PATCH 5/5] checkpolicy: free id where it was leaked

[James Carter]

On 12/26/2016 04:18 PM, Nicolas Iooss wrote:
> Several functions in policy_define.c do not free id after handling it.
> Add the missing free(id) statements.
>
> The places where free(id) was missing were found both with gcc Address
> Sanitizer and manual code inspection.
>
> Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

Applied.

Thanks,

> ---
>  checkpolicy/policy_define.c | 16 +++++++++++++---
>  1 file changed, 13 insertions(+), 3 deletions(-)
>
> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> index 780e325af65d..19f3a5631465 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -1232,6 +1232,7 @@ int define_typealias(void)
>  		free(id);
>  		return -1;
>  	}
> +	free(id);
>  	return add_aliases_to_type(t);
>  }
>
> @@ -1263,6 +1264,7 @@ int define_typeattribute(void)
>  		free(id);
>  		return -1;
>  	}
> +	free(id);
>
>  	while ((id = queue_remove(id_queue))) {
>  		if (!is_id_in_scope(SYM_TYPES, id)) {
> @@ -1459,25 +1461,25 @@ static int set_types(type_set_t * set, char *id, int *add, char starallowed)
>  	type_datum_t *t;
>
>  	if (strcmp(id, "*") == 0) {
> +		free(id);
>  		if (!starallowed) {
>  			yyerror("* not allowed in this type of rule");
>  			return -1;
>  		}
>  		/* set TYPE_STAR flag */
>  		set->flags = TYPE_STAR;
> -		free(id);
>  		*add = 1;
>  		return 0;
>  	}
>
>  	if (strcmp(id, "~") == 0) {
> +		free(id);
>  		if (!starallowed) {
>  			yyerror("~ not allowed in this type of rule");
>  			return -1;
>  		}
>  		/* complement the set */
>  		set->flags = TYPE_COMP;
> -		free(id);
>  		*add = 1;
>  		return 0;
>  	}
> @@ -1570,8 +1572,10 @@ int define_compute_type_helper(int which, avrule_t ** rule)
>  						(hashtab_key_t) id);
>  	if (!datum || datum->flavor == TYPE_ATTRIB) {
>  		yyerror2("unknown type %s", id);
> +		free(id);
>  		goto bad;
>  	}
> +	free(id);
>
>  	ebitmap_for_each_bit(&tclasses, node, i) {
>  		if (ebitmap_node_get_bit(node, i)) {
> @@ -2008,6 +2012,7 @@ int define_te_avtab_xperms_helper(int which, avrule_t ** rule)
>  		    (class_perm_node_t *) malloc(sizeof(class_perm_node_t));
>  		if (!cur_perms) {
>  			yyerror("out of memory");
> +			free(id);
>  			ret = -1;
>  			goto out;
>  		}
> @@ -2043,6 +2048,7 @@ int define_te_avtab_xperms_helper(int which, avrule_t ** rule)
>  		}
>  	}
>
> +	free(id);
>  	ebitmap_destroy(&tclasses);
>
>  	avrule->perms = perms;
> @@ -2389,11 +2395,12 @@ int define_te_avtab_extended_perms(int which)
>
>  	id = queue_remove(id_queue);
>  	if (strcmp(id,"ioctl") == 0) {
> +		free(id);
>  		if (define_te_avtab_ioctl(avrule_template))
>  			return -1;
> -		free(id);
>  	} else {
>  		yyerror("only ioctl extended permissions are supported");
> +		free(id);
>  		return -1;
>  	}
>  	return 0;
> @@ -3090,13 +3097,16 @@ int define_role_trans(int class_specified)
>  	role = hashtab_search(policydbp->p_roles.table, id);
>  	if (!role) {
>  		yyerror2("unknown role %s used in transition definition", id);
> +		free(id);
>  		goto bad;
>  	}
>
>  	if (role->flavor != ROLE_ROLE) {
>  		yyerror2("the new role %s must be a regular role", id);
> +		free(id);
>  		goto bad;
>  	}
> +	free(id);
>
>  	/* This ebitmap business is just to ensure that there are not conflicting role_trans rules */
>  	if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL))
>


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency

Re: [PATCH 1/5] checkpolicy: fix memory usage in define_bool_tunable()

[Stephen Smalley]

On Mon, 2016-12-26 at 22:18 +0100, Nicolas Iooss wrote:
> In an error path of define_bool_tunable(), variable id is freed after
> being used by a successful call to declare_symbol(). This may cause
> trouble as this pointer may have been used as-is in the policy symtab
> hash table.
> 
> Moreover bool_value is never freed after being used. Fix this memory
> leak too. This leak has been detected with gcc Address Sanitizer.
> 
> Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

Thanks, applied.

> ---
>  checkpolicy/policy_define.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/checkpolicy/policy_define.c
> b/checkpolicy/policy_define.c
> index 864788992e5c..2ad98c3c851e 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -1704,11 +1704,11 @@ int define_bool_tunable(int is_tunable)
>  	bool_value = (char *)queue_remove(id_queue);
>  	if (!bool_value) {
>  		yyerror("no default value for bool definition?");
> -		free(id);
>  		return -1;
>  	}
>  
>  	datum->state = (int)(bool_value[0] == 'T') ? 1 : 0;
> +	free(bool_value);
>  	return 0;
>        cleanup:
>  	cond_destroy_bool(id, datum, NULL);