[PATCH] selinux: fix another double free

From: trix
Date: Thu Jun 11 2020 - 11:58:42 EST

Next message: Marc Zyngier: "Re: [PATCH v8 2/2] PCI: xilinx-cpm: Add Versal CPM Root Port driver"
Previous message: Mark Salyzyn: "[PATCH] lib/vdso: use CLOCK_REALTIME_COARSE for time()"
Next in thread: Stephen Smalley: "Re: [PATCH] selinux: fix another double free"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tom Rix <trix@xxxxxxxxxx>

Clang static analysis reports this double free error

security/selinux/ss/conditional.c:139:2: warning: Attempt to free released memory [unix.Malloc]
kfree(node->expr.nodes);
^~~~~~~~~~~~~~~~~~~~~~~

When cond_read_node fails, it calls cond_node_destroy which frees the
node but does not poison the entry in the node list. So when it
returns to its caller cond_read_list, cond_read_list deletes the
partial list. The latest entry in the list will be deleted twice.

So instead of freeing the node in cond_read_node, let list freeing in
code_read_list handle the freeing the problem node along with all of the the
earlier nodes.

Signed-off-by: Tom Rix <trix@xxxxxxxxxx>
---
security/selinux/ss/conditional.c | 1 -
1 file changed, 1 deletion(-)

diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index da94a1b4bfda..ffb31af22f4f 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -411,7 +411,6 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
goto err;
return 0;
err:
- cond_node_destroy(node);
return rc;
}

--
2.18.1

Next message: Marc Zyngier: "Re: [PATCH v8 2/2] PCI: xilinx-cpm: Add Versal CPM Root Port driver"
Previous message: Mark Salyzyn: "[PATCH] lib/vdso: use CLOCK_REALTIME_COARSE for time()"
Next in thread: Stephen Smalley: "Re: [PATCH] selinux: fix another double free"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]