| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAEjxPJ4nz=1-eeQtU+V5r_ULvpT9Thh6TB4G=2gu2fivyo6KaA@mail.gmail.com>
Date: Thu, 11 Jun 2020 12:36:08 -0400
From: Stephen Smalley <stephen.smalley.work@...il.com>
To: trix@...hat.com
Cc: Paul Moore <paul@...l-moore.com>,
Eric Paris <eparis@...isplace.org>,
Ondrej Mosnacek <omosnace@...hat.com>, weiyongjun1@...wei.com,
SElinux list <selinux@...r.kernel.org>,
linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] selinux: fix another double free
On Thu, Jun 11, 2020 at 11:58 AM <trix@...hat.com> wrote:
>
> From: Tom Rix <trix@...hat.com>
>
> Clang static analysis reports this double free error
>
> security/selinux/ss/conditional.c:139:2: warning: Attempt to free released memory [unix.Malloc]
> kfree(node->expr.nodes);
> ^~~~~~~~~~~~~~~~~~~~~~~
>
> When cond_read_node fails, it calls cond_node_destroy which frees the
> node but does not poison the entry in the node list. So when it
> returns to its caller cond_read_list, cond_read_list deletes the
> partial list. The latest entry in the list will be deleted twice.
>
> So instead of freeing the node in cond_read_node, let list freeing in
> code_read_list handle the freeing the problem node along with all of the the
> earlier nodes.
>
> Signed-off-by: Tom Rix <trix@...hat.com>
Looks like this was introduced by
60abd3181db29ea81742106cc0ac2e27fd05b418 ("selinux: convert cond_list
to array").
Acked-by: Stephen Smalley <stephen.smalley.work@...il.com>
Powered by blists - more mailing lists