From patchwork Mon Aug 15 15:59:11 2016
X-Patchwork-Submitter: "Roberts, William C"
X-Patchwork-Id: 9281511
From: william.c.roberts@intel.com
To: selinux@tycho.nsa.gov, jwcart2@tycho.nsa.gov, seandroid-list@tycho.nsa.gov, sds@tycho.nsa.gov
Subject: [PATCH v3 4/7] genfs_read: fix use heap-use-after-free
Date: Mon, 15 Aug 2016 08:59:11 -0700
Message-Id: <1471276754-25266-5-git-send-email-william.c.roberts@intel.com>
In-Reply-To: <1471276754-25266-1-git-send-email-william.c.roberts@intel.com>
References: <1471276754-25266-1-git-send-email-william.c.roberts@intel.com>
List-Id: "Security-Enhanced Linux (SELinux) mailing list"

From: William Roberts

The newc variable is calloc'd and assigned to a new owner during a loop. After the first assignment of newc to newgenfs->head, the subsequent iteration could fail before newc is reseated with a new heap allocation pointer. When the subsequent iteration fails, the newc variable is freed. Later, an attempt is made to free the same pointer assigned to newgenfs->head. To correct this, clear newc after every loop iteration.

Signed-off-by: William Roberts
---
 libsepol/src/policydb.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index 6a80f94..971793d 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -2812,6 +2812,8 @@ static int genfs_read(policydb_t * p, struct policy_file *fp)
l->next = newc; else newgenfs->head = newc; + /* clear newc after a new owner has the pointer */ + newc = NULL; } }
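Review bot: Setting `newc = NULL;` right after `l->next = newc;` / `newgenfs->head = newc;` is only safe if nothing later in the same iteration still reads `newc` (for example to advance the `l` cursor for the next insertion); the two context lines shown do not include how `l` is moved, so confirm that any such use comes before the new assignment or goes through the list node instead. The fix works because the error path's `free(newc)` becomes `free(NULL)` once the list owns the node; saying so in the comment (e.g. "so the error path's free(newc) is a no-op") would make the intent clearer than "a new owner has the pointer".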
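The ownership hand-off described in the commit message, as an added example that is not part of the patch or of libsepol: a constructed reader loop in the shape of genfs_read() with a shared cleanup label, run once in the pre-patch form and once with newc cleared after hand-off, under an instrumented free() that counts a repeated release instead of triggering it. The struct, input values and helper names are all constructed for the example.

```c
#include <stdlib.h>
#include <stddef.h>

/* Constructed stand-in for the ocontext chain that genfs_read() builds. */
struct node { int value; struct node *next; };

/* Instrumented free(): pointers are only logged here, so a second release of the
 * same pointer is counted rather than corrupting the heap; release_tracked()
 * performs the real free afterwards. Like libc, NULL is a no-op. */
#define MAX_TRACKED 64
static void *freed_log[MAX_TRACKED];
static size_t freed_n;
static int double_frees;

static void tracked_free(void *p) {
    if (!p) return;
    for (size_t i = 0; i < freed_n; i++)
        if (freed_log[i] == p) { double_frees++; return; }
    if (freed_n < MAX_TRACKED) freed_log[freed_n++] = p;
}

static void release_tracked(void) {
    while (freed_n) free(freed_log[--freed_n]);
}

/* vals[i] < 0 stands for a failed read of entry i, which happens before a node
 * for it is allocated. clear_after_handoff == 0 is the pre-patch shape: the
 * cleanup frees newc although the list already owns that node. */
static int read_entries(const int *vals, size_t n, int clear_after_handoff) {
    struct node *head = NULL, *l = NULL, *newc = NULL, *c;
    int rc = -1;
    for (size_t i = 0; i < n; i++) {
        if (vals[i] < 0) goto out;        /* newc may still alias an owned node */
        newc = calloc(1, sizeof(*newc));
        if (!newc) goto out;
        newc->value = vals[i];
        if (l) l->next = newc; else head = newc;
        l = newc;                          /* cursor advanced before the alias is dropped */
        if (clear_after_handoff) newc = NULL;  /* the patch's fix: list is sole owner now */
    }
    rc = 0;
    newc = NULL;                           /* success: nothing unowned is left behind */
out:
    tracked_free(newc);                    /* double free when newc still aliases a list node */
    while (head) { c = head->next; tracked_free(head); head = c; }
    return rc;
}

/* Runs one case and reports how many double frees the cleanup produced. */
static int double_frees_after(const int *vals, size_t n, int clear_after_handoff) {
    double_frees = 0;
    read_entries(vals, n, clear_after_handoff);
    int count = double_frees;
    release_tracked();
    return count;
}

static const int FAIL_AT_THIRD[] = { 1, 2, -1 };  /* constructed: read of entry 3 fails */
static const int ALL_OK[] = { 1, 2, 3 };          /* constructed: every read succeeds */
```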