Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / selinux / b251dbba9845e36b93b59b7489ddfd9113009283
commitb251dbba9845e36b93b59b7489ddfd9113009283[log] [tgz]
authorNicolas Iooss <nicolas.iooss@m4x.org>Tue Mar 28 23:41:49 2017 +0200
committerJames Carter <jwcart2@tycho.nsa.gov>Wed Mar 29 10:26:47 2017 -0400
treedd9ade3fd3eb39bf68180870fee80c8cb8abfb5a
parentb6579d262e20e3ac82218abf3a2ce153e15f86a0 [diff]
libsepol: fix use-after-free in sepol_user_clone()

When sepol_user_add_role() fails to allocate memory for role_cp but
succeeds in reallocating user->roles memory, it frees this reallocated
memory, thus leaving user->roles referencing a free memory block. When
sepol_user_clone() calls sepol_user_free(new_user) because the
allocation failure made sepol_user_add_role() fail, the following code
is executed:

    for (i = 0; i < user->num_roles; i++)
        free(user->roles[i]);
    free(user->roles);

As user->roles has been freed, this code frees pointers which may be
invalid and then tries to free user->roles again.

Fix this flaw by returning right after strdup() failed in
sepol_user_add_role().

This issue has been found using clang's static analyzer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
1 file changed
tree: dd9ade3fd3eb39bf68180870fee80c8cb8abfb5a
  1. checkpolicy/
  2. dbus/
  3. gui/
  4. libselinux/
  5. libsemanage/
  6. libsepol/
  7. mcstrans/
  8. policycoreutils/
  9. python/
  10. restorecond/
  11. sandbox/
  12. scripts/
  13. secilc/
  14. semodule-utils/
  15. .gitignore
  16. .travis.yml
  17. CleanSpec.mk
  18. Makefile
  19. README