From patchwork Tue Nov 8 15:53:12 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephen Smalley X-Patchwork-Id: 9417669 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 7ED8360512 for ; Tue, 8 Nov 2016 15:50:47 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6D759289DD for ; Tue, 8 Nov 2016 15:50:47 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 5E0BD28B2D; Tue, 8 Nov 2016 15:50:47 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from emsm-gh1-uea11.nsa.gov (smtp.nsa.gov [8.44.101.9]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 2FAEF28B29 for ; Tue, 8 Nov 2016 15:50:44 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.31,462,1473120000"; d="scan'208";a="588610" IronPort-PHdr: =?us-ascii?q?9a23=3AjqC6ZhNYJXaECe9YZZsl6mtUPXoX/o7sNwtQ0KIM?= =?us-ascii?q?zox0KPjyrarrMEGX3/hxlliBBdydsKMezbuI+P26EUU7or+5+EgYd5JNUxJXwe?= =?us-ascii?q?43pCcHRPC/NEvgMfTxZDY7FskRHHVs/nW8LFQHUJ2mPw6anHS+4HYoFwnlMkIt?= =?us-ascii?q?f6KuS9SU3pr8irr60qaQSj0AvCC6b7J2IUf+hiTqne5Sv7FfLL0swADCuHpCdr?= =?us-ascii?q?ce72ppIVWOg0S0vZ/or9Ze6SAYh9YNv44FC/27LOwESulDATAnNX0lzNH6vhnE?= =?us-ascii?q?Cw2U7z0TVXtFvABPBl3+8BziXpr3+hD/v+551TjSadb6VpgoSD+i6OFtUxauhy?= =?us-ascii?q?AZYW1quFrLg9B92foI6CmqoAZylsuOOIw=3D?= X-IPAS-Result: =?us-ascii?q?A2HfBADs8iFY/wHyM5BdHAEBBAEBCgEBFwEBBAEBCgEBgwQ?= =?us-ascii?q?BAQEBAR+BRxC7EyWIFFMBAQEBAQEBAQIBAl8ogjMEAxMFghcCJBMUIAsDAwkCF?= =?us-ascii?q?ykICAMBLRUfCwUYBIg7tCFSOAKLHyWPLxEBgmgLgwkFjll5il2QSAKKDYYDAkm?= =?us-ascii?q?QbVVWDQEMChuDFhyBe1SFDXiBNQEBAQ?= Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1]) by emsm-gh1-uea11.nsa.gov with ESMTP; 08 Nov 2016 15:50:41 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id uA8FoK06032052; Tue, 8 Nov 2016 10:50:28 -0500 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id uA8FoJRJ245376 for ; Tue, 8 Nov 2016 10:50:19 -0500 Received: from moss-pluto.infosec.tycho.ncsc.mil (moss-pluto [192.168.25.131]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id uA8FoIBp032045; Tue, 8 Nov 2016 10:50:18 -0500 From: Stephen Smalley To: selinux@tycho.nsa.gov Subject: [PATCH] libsepol: sepol_{bool|iface|user}_key_create: copy name Date: Tue, 8 Nov 2016 10:53:12 -0500 Message-Id: <1478620392-16248-1-git-send-email-sds@tycho.nsa.gov> X-Mailer: git-send-email 2.7.4 X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: Stephen Smalley MIME-Version: 1.0 Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP The sepol_{bool|iface|user}_key_create() functions were not copying the name. This produces a use-after-free in the swig-generated code for python3 bindings. Copy the name in these functions, and free it upon sepol_{bool|iface|user}_key_free(). Reported-by: Nicolas Iooss Signed-off-by: Stephen Smalley --- libsepol/src/boolean_record.c | 10 ++++++++-- libsepol/src/iface_record.c | 10 ++++++++-- libsepol/src/user_record.c | 10 ++++++++-- 3 files changed, 24 insertions(+), 6 deletions(-) diff --git a/libsepol/src/boolean_record.c b/libsepol/src/boolean_record.c index 8b64413..ebef7f1 100644 --- a/libsepol/src/boolean_record.c +++ b/libsepol/src/boolean_record.c @@ -15,7 +15,7 @@ struct sepol_bool { struct sepol_bool_key { /* This boolean's name */ - const char *name; + char *name; }; int sepol_bool_key_create(sepol_handle_t * handle, @@ -30,7 +30,12 @@ int sepol_bool_key_create(sepol_handle_t * handle, return STATUS_ERR; } - tmp_key->name = name; + tmp_key->name = strdup(name); + if (!tmp_key->name) { + ERR(handle, "out of memory, " "could not create boolean key"); + free(tmp_key); + return STATUS_ERR; + } *key_ptr = tmp_key; return STATUS_SUCCESS; @@ -62,6 +67,7 @@ int sepol_bool_key_extract(sepol_handle_t * handle, void sepol_bool_key_free(sepol_bool_key_t * key) { + free(key->name); free(key); } diff --git a/libsepol/src/iface_record.c b/libsepol/src/iface_record.c index 09adeb7..c8b977c 100644 --- a/libsepol/src/iface_record.c +++ b/libsepol/src/iface_record.c @@ -20,7 +20,7 @@ struct sepol_iface { struct sepol_iface_key { /* Interface name */ - const char *name; + char *name; }; /* Key */ @@ -36,7 +36,12 @@ int sepol_iface_key_create(sepol_handle_t * handle, return STATUS_ERR; } - tmp_key->name = name; + tmp_key->name = strdup(name); + if (!tmp_key->name) { + ERR(handle, "out of memory, could not create interface key"); + free(tmp_key); + return STATUS_ERR; + } *key_ptr = tmp_key; return STATUS_SUCCESS; @@ -68,6 +73,7 @@ int sepol_iface_key_extract(sepol_handle_t * handle, void sepol_iface_key_free(sepol_iface_key_t * key) { + free(key->name); free(key); } diff --git a/libsepol/src/user_record.c b/libsepol/src/user_record.c index c59c54b..e7e2fc2 100644 --- a/libsepol/src/user_record.c +++ b/libsepol/src/user_record.c @@ -24,7 +24,7 @@ struct sepol_user { struct sepol_user_key { /* This user's name */ - const char *name; + char *name; }; int sepol_user_key_create(sepol_handle_t * handle, @@ -40,7 +40,12 @@ int sepol_user_key_create(sepol_handle_t * handle, return STATUS_ERR; } - tmp_key->name = name; + tmp_key->name = strdup(name); + if (!tmp_key->name) { + ERR(handle, "out of memory, could not create selinux user key"); + free(tmp_key); + return STATUS_ERR; + } *key_ptr = tmp_key; return STATUS_SUCCESS; @@ -71,6 +76,7 @@ int sepol_user_key_extract(sepol_handle_t * handle, void sepol_user_key_free(sepol_user_key_t * key) { + free(key->name); free(key); }