[PATCH 2/3] selinux: fix double free of cond_list on error paths

From: vbendel
Date: Fri Jan 28 2022 - 15:29:24 EST

Next message: vbendel: "[PATCH 3/3] selinux: remove duplicate cond_list clean up calls"
Previous message: vbendel: "[PATCH 1/3] selinux: consistently clear cond_list on error paths"
In reply to: vbendel: "[PATCH 1/3] selinux: consistently clear cond_list on error paths"
Next in thread: vbendel: "[PATCH 3/3] selinux: remove duplicate cond_list clean up calls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Vratislav Bendel <vbendel@xxxxxxxxxx>

On error path from cond_read_list() and duplicate_policydb_cond_list()
the cond_list_destroy() gets called a second time in caller functions,
resulting in NULL pointer deref.
Fix this by resetting the cond_list_len to 0 in cond_list_destroy(),
making subsequent calls a noop.

Signed-off-by: Vratislav Bendel <vbendel@xxxxxxxxxx>
---
security/selinux/ss/conditional.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index 1d0e5f326b62..8bc16ad3af9e 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -151,6 +151,8 @@ static void cond_list_destroy(struct policydb *p)

for (i = 0; i < p->cond_list_len; i++)
cond_node_destroy(&p->cond_list[i]);
+ p->cond_list_len = 0;
+
kfree(p->cond_list);
p->cond_list = NULL;
}
--
2.26.3

Next message: vbendel: "[PATCH 3/3] selinux: remove duplicate cond_list clean up calls"
Previous message: vbendel: "[PATCH 1/3] selinux: consistently clear cond_list on error paths"
In reply to: vbendel: "[PATCH 1/3] selinux: consistently clear cond_list on error paths"
Next in thread: vbendel: "[PATCH 3/3] selinux: remove duplicate cond_list clean up calls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]