RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2024-12-18 04:04:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

libsepol: make role_list_destroy() do nothing when role_list is NULL

Browse Source 
When a function called by sepol_module_policydb_to_cil() fails before
role_list_create() has been called, role_list is still NULL but is
dereferenced in role_list_destroy(). Here is a gdb session on hll/pp:

    Unknown value for handle-unknown: 6

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7a68a37 in role_list_destroy () at module_to_cil.c:215
    215     struct list_node *curr = role_list->head;

    (gdb) bt
    #0  0x00007ffff7a68a37 in role_list_destroy () at
    module_to_cil.c:215
    #1  sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79925e0
    <_IO_2_1_stdout_>, pdb=<optimized out>, linked=linked@entry=0) at
    module_to_cil.c:4060
    #2  0x00007ffff7a6ac75 in sepol_module_package_to_cil
    (fp=fp@entry=0x7ffff79925e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at
    module_to_cil.c:4080
    #3  0x0000000000401a58 in main (argc=<optimized out>,
    argv=<optimized out>) at pp.c:150

This issue has been found while fuzzing hll/pp with the American Fuzzy
Lop.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This commit is contained in:
Nicolas Iooss 2017-05-22 23:45:55 +02:00 committed by Stephen Smalley
parent b217ffd77e
commit 914691cc2a
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
libsepol/src/module_to_cil.c
View File

@ -212,7 +212,12 @@ static void list_destroy(struct list **list)
static void role_list_destroy(void)
{
struct list_node *curr = role_list->head;
struct list_node *curr;
if (role_list == NULL) {
return;
}
curr = role_list->head;
while (curr != NULL) {
free(curr->data);