* [PATCH] libsepol: invalidate the pointer to the policydb if policydb_init fails
@ 2021-02-28 8:48 Nicolas Iooss
2021-03-01 14:55 ` James Carter
0 siblings, 1 reply; 3+ messages in thread
From: Nicolas Iooss @ 2021-02-28 8:48 UTC (permalink / raw)
To: selinux
Facebook's Infer static analyzer warns about a use-after-free issue in
libsemanage:
int semanage_direct_mls_enabled(semanage_handle_t * sh)
{
sepol_policydb_t *p = NULL;
int retval;
retval = sepol_policydb_create(&p);
if (retval < 0)
goto cleanup;
/* ... */
cleanup:
sepol_policydb_free(p);
return retval;
}
When sepol_policydb_create() is called, p is allocated and
policydb_init() is called. If this second call fails, p is freed
andsepol_policydb_create() returns -1, but p still stores a pointer to
freed memory. This pointer is then freed again in the cleanup part of
semanage_direct_mls_enabled().
Fix this by setting p to NULL in sepol_policydb_create() after freeing
it.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
libsepol/src/policydb_public.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libsepol/src/policydb_public.c b/libsepol/src/policydb_public.c
index e5def7078eb0..0218c9403856 100644
--- a/libsepol/src/policydb_public.c
+++ b/libsepol/src/policydb_public.c
@@ -68,6 +68,7 @@ int sepol_policydb_create(sepol_policydb_t ** sp)
p = &(*sp)->p;
if (policydb_init(p)) {
free(*sp);
+ *sp = NULL;
return -1;
}
return 0;
--
2.30.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] libsepol: invalidate the pointer to the policydb if policydb_init fails
2021-02-28 8:48 [PATCH] libsepol: invalidate the pointer to the policydb if policydb_init fails Nicolas Iooss
@ 2021-03-01 14:55 ` James Carter
2021-03-03 7:45 ` Nicolas Iooss
0 siblings, 1 reply; 3+ messages in thread
From: James Carter @ 2021-03-01 14:55 UTC (permalink / raw)
To: Nicolas Iooss; +Cc: SElinux list
On Sun, Feb 28, 2021 at 3:51 AM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
>
> Facebook's Infer static analyzer warns about a use-after-free issue in
> libsemanage:
>
> int semanage_direct_mls_enabled(semanage_handle_t * sh)
> {
> sepol_policydb_t *p = NULL;
> int retval;
>
> retval = sepol_policydb_create(&p);
> if (retval < 0)
> goto cleanup;
>
> /* ... */
> cleanup:
> sepol_policydb_free(p);
> return retval;
> }
>
> When sepol_policydb_create() is called, p is allocated and
> policydb_init() is called. If this second call fails, p is freed
> andsepol_policydb_create() returns -1, but p still stores a pointer to
> freed memory. This pointer is then freed again in the cleanup part of
> semanage_direct_mls_enabled().
>
> Fix this by setting p to NULL in sepol_policydb_create() after freeing
> it.
>
> Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: James Carter <jwcart2@gmail.com>
> ---
> libsepol/src/policydb_public.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/libsepol/src/policydb_public.c b/libsepol/src/policydb_public.c
> index e5def7078eb0..0218c9403856 100644
> --- a/libsepol/src/policydb_public.c
> +++ b/libsepol/src/policydb_public.c
> @@ -68,6 +68,7 @@ int sepol_policydb_create(sepol_policydb_t ** sp)
> p = &(*sp)->p;
> if (policydb_init(p)) {
> free(*sp);
> + *sp = NULL;
> return -1;
> }
> return 0;
> --
> 2.30.0
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] libsepol: invalidate the pointer to the policydb if policydb_init fails
2021-03-01 14:55 ` James Carter
@ 2021-03-03 7:45 ` Nicolas Iooss
0 siblings, 0 replies; 3+ messages in thread
From: Nicolas Iooss @ 2021-03-03 7:45 UTC (permalink / raw)
To: James Carter; +Cc: SElinux list
On Mon, Mar 1, 2021 at 3:55 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Sun, Feb 28, 2021 at 3:51 AM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
> >
> > Facebook's Infer static analyzer warns about a use-after-free issue in
> > libsemanage:
> >
> > int semanage_direct_mls_enabled(semanage_handle_t * sh)
> > {
> > sepol_policydb_t *p = NULL;
> > int retval;
> >
> > retval = sepol_policydb_create(&p);
> > if (retval < 0)
> > goto cleanup;
> >
> > /* ... */
> > cleanup:
> > sepol_policydb_free(p);
> > return retval;
> > }
> >
> > When sepol_policydb_create() is called, p is allocated and
> > policydb_init() is called. If this second call fails, p is freed
> > andsepol_policydb_create() returns -1, but p still stores a pointer to
> > freed memory. This pointer is then freed again in the cleanup part of
> > semanage_direct_mls_enabled().
> >
> > Fix this by setting p to NULL in sepol_policydb_create() after freeing
> > it.
> >
> > Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
>
> Acked-by: James Carter <jwcart2@gmail.com>
Merged.
Nicolas
> > ---
> > libsepol/src/policydb_public.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/libsepol/src/policydb_public.c b/libsepol/src/policydb_public.c
> > index e5def7078eb0..0218c9403856 100644
> > --- a/libsepol/src/policydb_public.c
> > +++ b/libsepol/src/policydb_public.c
> > @@ -68,6 +68,7 @@ int sepol_policydb_create(sepol_policydb_t ** sp)
> > p = &(*sp)->p;
> > if (policydb_init(p)) {
> > free(*sp);
> > + *sp = NULL;
> > return -1;
> > }
> > return 0;
> > --
> > 2.30.0
> >
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-03-04 0:24 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-28 8:48 [PATCH] libsepol: invalidate the pointer to the policydb if policydb_init fails Nicolas Iooss
2021-03-01 14:55 ` James Carter
2021-03-03 7:45 ` Nicolas Iooss
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).