[PATCH v2] selinux: fix double free of cond_list on error paths

From: vbendel
Date: Wed Feb 02 2022 - 06:25:38 EST

Next message: Nikita Yushchenko: "Re: [PATCH] media: rcar-vin: require master VIN only for CSI source"
Previous message: Michael S. Tsirkin: "Re: [PATCH v3] vhost: cache avail index in vhost_enable_notify()"
Next in thread: Paul Moore: "Re: [PATCH v2] selinux: fix double free of cond_list on error paths"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Vratislav Bendel <vbendel@xxxxxxxxxx>

On error path from cond_read_list() and duplicate_policydb_cond_list()
the cond_list_destroy() gets called a second time in caller functions,
resulting in NULL pointer deref.
Fix this by resetting the cond_list_len to 0 in cond_list_destroy(),
making subsequent calls a noop.

Also consistently reset the cond_list pointer to NULL after freeing.

Signed-off-by: Vratislav Bendel <vbendel@xxxxxxxxxx>
---
security/selinux/ss/conditional.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index 2ec6e5cd25d9..feb206f3acb4 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -152,6 +152,8 @@ static void cond_list_destroy(struct policydb *p)
for (i = 0; i < p->cond_list_len; i++)
cond_node_destroy(&p->cond_list[i]);
kfree(p->cond_list);
+ p->cond_list = NULL;
+ p->cond_list_len = 0;
}

void cond_policydb_destroy(struct policydb *p)
@@ -441,7 +443,6 @@ int cond_read_list(struct policydb *p, void *fp)
return 0;
err:
cond_list_destroy(p);
- p->cond_list = NULL;
return rc;
}

--
2.26.3

Next message: Nikita Yushchenko: "Re: [PATCH] media: rcar-vin: require master VIN only for CSI source"
Previous message: Michael S. Tsirkin: "Re: [PATCH v3] vhost: cache avail index in vhost_enable_notify()"
Next in thread: Paul Moore: "Re: [PATCH v2] selinux: fix double free of cond_list on error paths"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]