From patchwork Mon Oct 3 20:46:56 2016
X-Patchwork-Submitter: Nicolas Iooss
X-Patchwork-Id: 9360929
From: Nicolas Iooss
To: selinux@tycho.nsa.gov
Subject: [PATCH 2/3] libsepol/cil: fix double-free in cil categories parser
Date: Mon, 3 Oct 2016 22:46:56 +0200
Message-Id: <20161003204657.2635-3-nicolas.iooss@m4x.org>
In-Reply-To: <20161003204657.2635-1-nicolas.iooss@m4x.org>
References: <20161003204657.2635-1-nicolas.iooss@m4x.org>

When cil_fill_cats() fails to parse an expression and destroys a
category set, it fails to reset *cats to NULL. This makes this object be
destroyed again in cil_destroy_catset().

This bug can be triggered by the following policy:

    (class CLASS (PERM))
    (classorder (CLASS))
    (sid SID)
    (sidorder (SID))
    (user USER)
    (role ROLE)
    (type TYPE)
    (category CAT)
    (categoryorder (CAT))
    (sensitivity SENS)
    (sensitivityorder (SENS))
    (sensitivitycategory SENS (CAT))
    (allow TYPE self (CLASS (PERM)))
    (roletype ROLE TYPE)
    (userrole USER ROLE)
    (userlevel USER (SENS))
    (userrange USER ((SENS)(SENS (CAT))))
    (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
    (categoryset cats (range unknown))

This bug has been found by fuzzing secilc with american fuzzy lop.

Signed-off-by: Nicolas Iooss
--- libsepol/cil/src/cil_build_ast.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c index a96c2a95ca3f..f57bd21358d3 100644 --- a/libsepol/cil/src/cil_build_ast.c +++ b/libsepol/cil/src/cil_build_ast.c
@@ -5481,6 +5481,7 @@ int cil_fill_cats(struct cil_tree_node *curr, struct cil_cats **cats) rc = cil_gen_expr(curr, CIL_CAT, &(*cats)->str_expr); if (rc != SEPOL_OK) { cil_destroy_cats(*cats); + *cats = NULL; } return rc;
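
Review bot: The added "*cats = NULL;" in the "rc != SEPOL_OK" branch of cil_fill_cats() only closes the double free if the later cleanup named in the commit message, cil_destroy_catset(), skips or tolerates a NULL cats pointer; please confirm that in the commit message or with a guard at that call site. A one-line comment next to the reset saying that the caller still owns and will destroy the enclosing category set would keep the assignment from being dropped as redundant in a later cleanup. Since the triggering policy is already written out in the commit message, consider adding it as a regression test so this cil_gen_expr() failure path stays covered.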