| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20200611155830.8941-1-trix@redhat.com>
Date: Thu, 11 Jun 2020 08:58:30 -0700
From: trix@...hat.com
To: paul@...l-moore.com, stephen.smalley.work@...il.com,
eparis@...isplace.org, omosnace@...hat.com, weiyongjun1@...wei.com
Cc: selinux@...r.kernel.org, linux-kernel@...r.kernel.org,
Tom Rix <trix@...hat.com>
Subject: [PATCH] selinux: fix another double free
From: Tom Rix <trix@...hat.com>
Clang static analysis reports this double free error
security/selinux/ss/conditional.c:139:2: warning: Attempt to free released memory [unix.Malloc]
kfree(node->expr.nodes);
^~~~~~~~~~~~~~~~~~~~~~~
When cond_read_node fails, it calls cond_node_destroy which frees the
node but does not poison the entry in the node list. So when it
returns to its caller cond_read_list, cond_read_list deletes the
partial list. The latest entry in the list will be deleted twice.
So instead of freeing the node in cond_read_node, let list freeing in
code_read_list handle the freeing the problem node along with all of the the
earlier nodes.
Signed-off-by: Tom Rix <trix@...hat.com>
---
security/selinux/ss/conditional.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index da94a1b4bfda..ffb31af22f4f 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -411,7 +411,6 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
goto err;
return 0;
err:
- cond_node_destroy(node);
return rc;
}
--
2.18.1
Powered by blists - more mailing lists