From patchwork Wed Aug 10 22:35:59 2016
X-Patchwork-Submitter: "Roberts, William C"
X-Patchwork-Id: 9274325
From: william.c.roberts@intel.com
To: selinux@tycho.nsa.gov, jwcart2@tycho.nsa.gov, seandroid-list@tycho.nsa.gov, sds@tycho.nsa.gov
Subject: [PATCH v2 4/5] genfs_read: fix use heap-use-after-free
Date: Wed, 10 Aug 2016 15:35:59 -0700
Message-Id: <1470868560-31328-4-git-send-email-william.c.roberts@intel.com>
In-Reply-To: <1470868560-31328-1-git-send-email-william.c.roberts@intel.com>
List-Id: "Security-Enhanced Linux (SELinux) mailing list"
From: William Roberts

The newc variable is calloc'd and assigned to a new owner during a loop. After the first assignment of newc to newgenfs->head, the subsequent iteration could fail before the newc is reseated with a new heap allocation pointer. When the subsequent iteration fails, the newc variable is freed. Later, an attempt is made to free the same pointer assigned to newgenfs->head.

To correct this, clear newc after every loop iteration.

Signed-off-by: William Roberts
---
 libsepol/src/policydb.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index 6a80f94..971793d 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -2812,6 +2812,8 @@ static int genfs_read(policydb_t * p, struct policy_file *fp) l->next = newc; else newgenfs->head = newc; + /* clear newc after a new owner has the pointer */ + newc = NULL; } }
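Review bot: clearing newc after the link (`newc = NULL;`) only makes the error path safe if newc is initialised to NULL before the loop and the cleanup at the error label tolerates a NULL newc; neither is visible in this hunk, so the commit message should state that both hold, or the cleanup should be shown guarding with `if (newc)`. The same ownership-transfer pattern applies to the outer newgenfs allocation once it has been linked into the genfs list, so it is worth confirming in the same pass that an error after that link does not free newgenfs twice either.

As an added example (constructed here, not libsepol code and not from the patch author), a small C model of the loop the commit message describes: entries are read and linked into a list, a read fails in the second iteration before newc is reseated, and the error path either releases a node the list already owns (pre-patch) or, with `newc = NULL` after the link, releases only unowned memory. The names `build_contexts`, `read_name` and `would_double_free` are assumptions of this model; the pre-patch case is detected rather than actually double freed so the demonstration stays memory-safe.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of genfs_read's inner loop (not libsepol code). */
typedef struct octx { char *name; struct octx *next; } octx_t;
typedef struct genfs { octx_t *head; } genfs_t;

static int n_frees;                     /* nodes released by octx_free, for the test */
int octx_free_count(void) { return n_frees; }
void octx_free_reset(void) { n_frees = 0; }
static void octx_free(octx_t *c) { if (c) { free(c->name); free(c); n_frees++; } }
static void genfs_free(genfs_t *g) {
    for (octx_t *c = g->head; c;) { octx_t *n = c->next; octx_free(c); c = n; }
    g->head = NULL;
}

/* Stands in for next_entry(): the input "ends" at index fail_at, so that read fails. */
static int read_name(const char **names, size_t j, size_t fail_at, char **out) {
    if (j >= fail_at) return -1;
    size_t n = strlen(names[j]) + 1;
    if (!(*out = malloc(n))) return -1;
    memcpy(*out, names[j], n);
    return 0;
}
/* Builds g->head from names[0..nel); apply_fix selects the patched behaviour (newc = NULL
 * once the list owns the node). Returns 0 on success, -1 on failure. On failure
 * *would_double_free is set when the error path is about to free a node the list already
 * owns (the bug the patch fixes); that free is skipped so the demo stays memory-safe. */
int build_contexts(genfs_t *g, const char **names, size_t nel, size_t fail_at,
                   int apply_fix, int *would_double_free) {
    octx_t *l = NULL, *newc = NULL; char *name;
    *would_double_free = 0;
    for (size_t j = 0; j < nel; j++) {
        if (read_name(names, j, fail_at, &name) < 0) goto bad; /* fails before newc is reseated */
        newc = calloc(1, sizeof(*newc));
        if (!newc) { free(name); goto bad; }
        newc->name = name;
        if (l) l->next = newc; else g->head = newc;
        l = newc;
        if (apply_fix) newc = NULL;     /* the patch: the list now owns the node */
    }
    return 0;
bad:
    /* Pre-patch, newc may still point at the node linked in the previous iteration. */
    for (octx_t *c = g->head; c; c = c->next)
        if (c == newc) { *would_double_free = 1; newc = NULL; }
    octx_free(newc);                    /* frees only a node nobody else owns */
    genfs_free(g);                      /* frees every node the list owns */
    return -1;
}
```

The check in the error path (is the pointer I am about to free still reachable from the structure that owns it?) is the same question an ASan heap-use-after-free or double-free report answers after the fact.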