afl-fuzz: Fix double free
This crash was found by running afl-fuzz. When a compile error is found,
we would sometimes free the block list twice, once in compile_file() and
once again in compile_filter(). This change sets |*arg_blocks| to NULL
after freeing it to avoid that.
Bug: None
Test: make tests
Change-Id: I048e0008acd6bf386b96d2f895953bd646af156a
diff --git a/syscall_filter_unittest.cc b/syscall_filter_unittest.cc
index 776f7db..a1f546c 100644
--- a/syscall_filter_unittest.cc
+++ b/syscall_filter_unittest.cc
@@ -963,6 +963,23 @@
ASSERT_EQ(res, -1);
}
+TEST_F(FileTest, double_free_on_compile_error) {
+ const char *policy =
+ "read:arg0 == 0\n"
+ "write:0";
+
+ FILE *policy_file = write_policy_to_pipe(policy, strlen(policy));
+ ASSERT_NE(policy_file, nullptr);
+ int res = compile_file(
+ policy_file, head_, &arg_blocks_, &labels_, USE_RET_KILL, NO_LOGGING, 0);
+ fclose(policy_file);
+
+ /*
+ * Policy is malformed, but process should not crash.
+ */
+ ASSERT_EQ(res, -1);
+}
+
TEST_F(FileTest, seccomp_mode1) {
const char *policy =
"read: 1\n"