From patchwork Tue Aug 16 17:28:34 2016
X-Patchwork-Submitter: "Roberts, William C"
X-Patchwork-Id: 9284353
From: william.c.roberts@intel.com
To: selinux@tycho.nsa.gov, jwcart2@tycho.nsa.gov, seandroid-list@tycho.nsa.gov, sds@tycho.nsa.gov
Subject: [PATCH v4 4/7] genfs_read: fix heap-use-after-free
Date: Tue, 16 Aug 2016 10:28:34 -0700
Message-Id: <1471368517-20552-5-git-send-email-william.c.roberts@intel.com>
In-Reply-To: <1471368517-20552-1-git-send-email-william.c.roberts@intel.com>
References: <1471368517-20552-1-git-send-email-william.c.roberts@intel.com>
List-Id: "Security-Enhanced Linux (SELinux) mailing list"
From: William Roberts

The newc variable is calloc'd and assigned to a new owner during a loop. After the first assignment of newc to newgenfs->head, the subsequent iteration could fail before the newc is reseated with a new heap allocation pointer. When the subsequent iteration fails, the newc variable is freed. Later, an attempt is made to free the same pointer assigned to newgenfs->head.

To correct this, clear newc after every loop iteration.

Signed-off-by: William Roberts
---
 libsepol/src/policydb.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c index 6a80f94..971793d 100644 --- a/libsepol/src/policydb.c +++ b/libsepol/src/policydb.c @@ -2812,6 +2812,8 @@ static int genfs_read(policydb_t * p, struct policy_file *fp) l->next = newc; else newgenfs->head = newc; + /* clear newc after a new owner has the pointer */ + newc = NULL; } }
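Review bot: the hunk makes the error exit depend on newc being NULL once a node has been handed to the list, so the cleanup reached on failure must tolerate a NULL newc. free(NULL) is a no-op, but if that path also tears down the node's embedded contexts before freeing it, it needs an explicit `if (newc)` guard, and this hunk does not show which it is. The same ownership-transfer pattern exists one level up for newgenfs once it is linked into the policy's genfs list, so it is worth confirming that newgenfs is likewise cleared or reseated before any read that can fail, or the outer loop keeps the same double free. Minor: the added comment would say more as `/* the list owns newc now; clear it so the error path does not free it again */`.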
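The failure mode the commit message describes, reproduced as an added example that is not part of the patch or of libsepol: a loop that allocates a node, links it into a list, and on a later read failure jumps to a cleanup label that frees whatever the allocation pointer still aliases. The struct names, read_header() and the tracking free() below are hypothetical stand-ins for ocontext_t, genfs_t and the policy-file reads; the tracker defers the real free() so the double free is counted rather than executed, keeping the demo free of undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for libsepol's ocontext_t and genfs_t. */
struct ctx_node {
    char name[16];
    struct ctx_node *next;
};

struct genfs_like {
    struct ctx_node *head;
};

/* Tracking free(): records each pointer and counts any second free of the
 * same pointer. Memory is only released in release_tracked(), so a buggy
 * caller never actually touches freed memory during the demonstration. */
#define MAX_TRACK 64
static void *freed_ptrs[MAX_TRACK];
static int nfreed;
static int double_free_count;

static void tracked_free(void *p)
{
    if (p == NULL)
        return;                      /* free(NULL) is a no-op, like libc */
    for (int i = 0; i < nfreed; i++) {
        if (freed_ptrs[i] == p) {
            double_free_count++;     /* the fault the patch fixes */
            return;
        }
    }
    if (nfreed < MAX_TRACK)
        freed_ptrs[nfreed++] = p;
}

static void release_tracked(void)
{
    for (int i = 0; i < nfreed; i++)
        free(freed_ptrs[i]);
    nfreed = 0;
}

/* Stand-in for reading the next entry's header from the policy file; failing
 * at iteration fail_at models a truncated or corrupt file (-1 = never fails). */
static int read_header(int idx, int fail_at)
{
    return idx == fail_at ? -1 : 0;
}

/* Shaped like genfs_read's inner loop. With clear_after_link == 0 this is the
 * pre-patch behaviour: iteration 0 links newc into g->head, then a header read
 * failure in iteration 1 jumps to bad while newc still aliases that node. */
static int build_list(struct genfs_like *g, int n, int fail_at, int clear_after_link)
{
    struct ctx_node *newc = NULL, *l = NULL;

    for (int i = 0; i < n; i++) {
        if (read_header(i, fail_at))
            goto bad;                /* fails before newc is reseated */
        newc = calloc(1, sizeof *newc);
        if (!newc)
            goto bad;
        snprintf(newc->name, sizeof newc->name, "entry%d", i);
        if (l)
            l->next = newc;
        else
            g->head = newc;          /* ownership transfers to the list here */
        l = newc;
        if (clear_after_link)
            newc = NULL;             /* the patch's fix */
    }
    return 0;
bad:
    tracked_free(newc);              /* pre-patch: frees a node the list owns */
    return -1;
}

/* Mirrors the later teardown of the list, which frees the aliased node again. */
static void destroy_list(struct genfs_like *g)
{
    struct ctx_node *c = g->head, *next;
    while (c) {
        next = c->next;
        tracked_free(c);
        c = next;
    }
    g->head = NULL;
}

/* Runs one scenario on a 3-entry list and returns the double frees observed. */
int count_double_frees(int clear_after_link, int fail_at)
{
    struct genfs_like g = { NULL };
    double_free_count = 0;
    build_list(&g, 3, fail_at, clear_after_link);
    destroy_list(&g);
    release_tracked();
    return double_free_count;
}

int main(void)
{
    printf("pre-patch, failure in 2nd iteration: %d double free(s)\n", count_double_frees(0, 1));
    printf("patched,   failure in 2nd iteration: %d double free(s)\n", count_double_frees(1, 1));
    printf("patched,   no failure:               %d double free(s)\n", count_double_frees(1, -1));
    return 0;
}
```

The fixed variant relies on the cleanup label tolerating a NULL pointer, which is why tracked_free() mirrors libc's free(NULL) behaviour; a cleanup path that dereferences the node before freeing it would need its own NULL check in addition to clearing newc.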