* [PATCH] selinux: free str on error in str_read()
@ 2020-04-14 14:23 Ondrej Mosnacek
2020-04-14 15:37 ` Kees Cook
2020-04-15 22:04 ` Paul Moore
0 siblings, 2 replies; 5+ messages in thread
From: Ondrej Mosnacek @ 2020-04-14 14:23 UTC (permalink / raw)
To: selinux, Paul Moore; +Cc: coverity-bot
In [see "Fixes:"] I missed the fact that str_read() may give back an
allocated pointer even if it returns an error, causing a potential
memory leak in filename_trans_read_one(). Fix this by making the
function free the allocated string whenever it returns a non-zero value,
which also makes its behavior more obvious and prevents repeating the
same mistake in the future.
Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
Addresses-Coverity-ID: 1461665 ("Resource leaks")
Fixes: c3a276111ea2 ("selinux: optimize storage of filename transitions")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
security/selinux/ss/policydb.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 70ecdc78efbd..c21b922e5ebe 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -1035,14 +1035,14 @@ static int str_read(char **strp, gfp_t flags, void *fp, u32 len)
if (!str)
return -ENOMEM;
- /* it's expected the caller should free the str */
- *strp = str;
-
rc = next_entry(str, fp, len);
- if (rc)
+ if (rc) {
+ kfree(str);
return rc;
+ }
str[len] = '\0';
+ *strp = str;
return 0;
}
--
2.25.2
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH] selinux: free str on error in str_read()
2020-04-14 14:23 [PATCH] selinux: free str on error in str_read() Ondrej Mosnacek
@ 2020-04-14 15:37 ` Kees Cook
2020-04-15 22:04 ` Paul Moore
1 sibling, 0 replies; 5+ messages in thread
From: Kees Cook @ 2020-04-14 15:37 UTC (permalink / raw)
To: Ondrej Mosnacek; +Cc: selinux, Paul Moore
On Tue, Apr 14, 2020 at 04:23:51PM +0200, Ondrej Mosnacek wrote:
> In [see "Fixes:"] I missed the fact that str_read() may give back an
> allocated pointer even if it returns an error, causing a potential
> memory leak in filename_trans_read_one(). Fix this by making the
> function free the allocated string whenever it returns a non-zero value,
> which also makes its behavior more obvious and prevents repeating the
> same mistake in the future.
>
> Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
> Addresses-Coverity-ID: 1461665 ("Resource leaks")
> Fixes: c3a276111ea2 ("selinux: optimize storage of filename transitions")
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
-Kees
> ---
> security/selinux/ss/policydb.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> index 70ecdc78efbd..c21b922e5ebe 100644
> --- a/security/selinux/ss/policydb.c
> +++ b/security/selinux/ss/policydb.c
> @@ -1035,14 +1035,14 @@ static int str_read(char **strp, gfp_t flags, void *fp, u32 len)
> if (!str)
> return -ENOMEM;
>
> - /* it's expected the caller should free the str */
> - *strp = str;
> -
> rc = next_entry(str, fp, len);
> - if (rc)
> + if (rc) {
> + kfree(str);
> return rc;
> + }
>
> str[len] = '\0';
> + *strp = str;
> return 0;
> }
>
> --
> 2.25.2
>
--
Kees Cook
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH] selinux: free str on error in str_read()
2020-04-14 14:23 [PATCH] selinux: free str on error in str_read() Ondrej Mosnacek
2020-04-14 15:37 ` Kees Cook
@ 2020-04-15 22:04 ` Paul Moore
2020-04-17 21:47 ` Kees Cook
1 sibling, 1 reply; 5+ messages in thread
From: Paul Moore @ 2020-04-15 22:04 UTC (permalink / raw)
To: Ondrej Mosnacek, Kees Cook; +Cc: selinux, coverity-bot
On Tue, Apr 14, 2020 at 10:25 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> In [see "Fixes:"] I missed the fact that str_read() may give back an
> allocated pointer even if it returns an error, causing a potential
> memory leak in filename_trans_read_one(). Fix this by making the
> function free the allocated string whenever it returns a non-zero value,
> which also makes its behavior more obvious and prevents repeating the
> same mistake in the future.
>
> Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
> Addresses-Coverity-ID: 1461665 ("Resource leaks")
> Fixes: c3a276111ea2 ("selinux: optimize storage of filename transitions")
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
> security/selinux/ss/policydb.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
I just merged this into selinux/stable-5.7 and assuming all goes well
in testing I'll send this up to Linus later this week. Thanks Ondrej.
I also want to add my thanks to the "coverity bot", thanks Kees. Are
you only running this only on Linus tree? If it's open to other trees
it might be nice to get the selinux/next branch into the automated
testing.
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH] selinux: free str on error in str_read()
2020-04-15 22:04 ` Paul Moore
@ 2020-04-17 21:47 ` Kees Cook
2020-04-17 22:23 ` Paul Moore
0 siblings, 1 reply; 5+ messages in thread
From: Kees Cook @ 2020-04-17 21:47 UTC (permalink / raw)
To: Paul Moore; +Cc: Ondrej Mosnacek, selinux
On Wed, Apr 15, 2020 at 06:04:53PM -0400, Paul Moore wrote:
> On Tue, Apr 14, 2020 at 10:25 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> >
> > In [see "Fixes:"] I missed the fact that str_read() may give back an
> > allocated pointer even if it returns an error, causing a potential
> > memory leak in filename_trans_read_one(). Fix this by making the
> > function free the allocated string whenever it returns a non-zero value,
> > which also makes its behavior more obvious and prevents repeating the
> > same mistake in the future.
> >
> > Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
> > Addresses-Coverity-ID: 1461665 ("Resource leaks")
> > Fixes: c3a276111ea2 ("selinux: optimize storage of filename transitions")
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > ---
> > security/selinux/ss/policydb.c | 8 ++++----
> > 1 file changed, 4 insertions(+), 4 deletions(-)
>
> I just merged this into selinux/stable-5.7 and assuming all goes well
> in testing I'll send this up to Linus later this week. Thanks Ondrej.
>
> I also want to add my thanks to the "coverity bot", thanks Kees. Are
> you only running this only on Linus tree? If it's open to other trees
> it might be nice to get the selinux/next branch into the automated
> testing.
It's being run on linux-next. The free coverity scanner barely has the
resources is keep up with one tree, so I just feed it -next. They were
kind enough to let us upload daily now, so I've been trying to feed the
emailed reports back. It's all just the tip of the iceberg, of course.
--
Kees Cook
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH] selinux: free str on error in str_read()
2020-04-17 21:47 ` Kees Cook
@ 2020-04-17 22:23 ` Paul Moore
0 siblings, 0 replies; 5+ messages in thread
From: Paul Moore @ 2020-04-17 22:23 UTC (permalink / raw)
To: Kees Cook; +Cc: Ondrej Mosnacek, selinux
On Fri, Apr 17, 2020 at 5:47 PM Kees Cook <keescook@chromium.org> wrote:
> On Wed, Apr 15, 2020 at 06:04:53PM -0400, Paul Moore wrote:
> > On Tue, Apr 14, 2020 at 10:25 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > >
> > > In [see "Fixes:"] I missed the fact that str_read() may give back an
> > > allocated pointer even if it returns an error, causing a potential
> > > memory leak in filename_trans_read_one(). Fix this by making the
> > > function free the allocated string whenever it returns a non-zero value,
> > > which also makes its behavior more obvious and prevents repeating the
> > > same mistake in the future.
> > >
> > > Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
> > > Addresses-Coverity-ID: 1461665 ("Resource leaks")
> > > Fixes: c3a276111ea2 ("selinux: optimize storage of filename transitions")
> > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > > ---
> > > security/selinux/ss/policydb.c | 8 ++++----
> > > 1 file changed, 4 insertions(+), 4 deletions(-)
> >
> > I just merged this into selinux/stable-5.7 and assuming all goes well
> > in testing I'll send this up to Linus later this week. Thanks Ondrej.
> >
> > I also want to add my thanks to the "coverity bot", thanks Kees. Are
> > you only running this only on Linus tree? If it's open to other trees
> > it might be nice to get the selinux/next branch into the automated
> > testing.
>
> It's being run on linux-next. The free coverity scanner barely has the
> resources is keep up with one tree, so I just feed it -next. They were
> kind enough to let us upload daily now, so I've been trying to feed the
> emailed reports back. It's all just the tip of the iceberg, of course.
Ah, okay, thanks. I had wondered about doing regular coverity runs
for the SELinux/audit kernel code but was scared off by the limits; it
looks like that wasn't an unwarranted fear.
Regardless, thanks for setting this up and running it on linux-next.
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-04-17 22:23 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-04-14 14:23 [PATCH] selinux: free str on error in str_read() Ondrej Mosnacek
2020-04-14 15:37 ` Kees Cook
2020-04-15 22:04 ` Paul Moore
2020-04-17 21:47 ` Kees Cook
2020-04-17 22:23 ` Paul Moore
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).