www.infradead.org Git - users/willy/linux.git/commit

author	Tom Rix <trix@redhat.com>
	Mon, 15 Jun 2020 20:45:48 +0000 (13:45 -0700)
committer	Paul Moore <paul@paul-moore.com>
	Wed, 17 Jun 2020 00:25:19 +0000 (20:25 -0400)
commit	aa449a7965a6172a89d48844c313708962216f1f
tree	c76ab322333c9ec3f3087e75dd95cbaa5decafe9	tree
parent	65de50969a77509452ae590e9449b70a22b923bb	commit \| diff

selinux: fix a double free in cond_read_node()/cond_read_list()

Clang static analysis reports this double free error

security/selinux/ss/conditional.c:139:2: warning: Attempt to free released memory [unix.Malloc]
        kfree(node->expr.nodes);
        ^~~~~~~~~~~~~~~~~~~~~~~

When cond_read_node fails, it calls cond_node_destroy which frees the
node but does not poison the entry in the node list.  So when it
returns to its caller cond_read_list, cond_read_list deletes the
partial list.  The latest entry in the list will be deleted twice.

So instead of freeing the node in cond_read_node, let list freeing in
code_read_list handle the freeing the problem node along with all of the
earlier nodes.

Because cond_read_node no longer does any error handling, the goto's
the error case are redundant.  Instead just return the error code.

Cc: stable@vger.kernel.org
Fixes: 60abd3181db2 ("selinux: convert cond_list to array")
Signed-off-by: Tom Rix <trix@redhat.com>
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
[PM: subject line tweaks]
Signed-off-by: Paul Moore <paul@paul-moore.com>