libsepol: invalidate the pointer to the policydb if policydb_init fails

Facebook's Infer static analyzer warns about a use-after-free issue in
libsemanage:

    int semanage_direct_mls_enabled(semanage_handle_t * sh)
    {
            sepol_policydb_t *p = NULL;
            int retval;

            retval = sepol_policydb_create(&p);
            if (retval < 0)
                    goto cleanup;

            /* ... */
    cleanup:
            sepol_policydb_free(p);
            return retval;
    }

When sepol_policydb_create() is called, p is allocated and
policydb_init() is called. If this second call fails, p is freed
and sepol_policydb_create() returns -1, but p still stores a pointer to
freed memory. This pointer is then freed again in the cleanup part of
semanage_direct_mls_enabled().

Fix this by setting p to NULL in sepol_policydb_create() after freeing
it.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Nicolas Iooss 2021-02-28 08:59:20 +01:00
parent 6238e02571
commit a9e0004f60
GPG Key ID: C191415F340DAAA0
1 changed files with 1 additions and 0 deletions
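The pattern the commit message describes, as an added, self-contained example that is not libsepol's code: a constructor with the fix applied (the out-pointer is reset to NULL when the init step fails) and the unconditional-free cleanup path of the caller. The structs, `policydb_init()`, `policydb_destroy()` and the `fail_init` switch used to force the failure branch are constructed stand-ins for this example.

```c
#include <stdlib.h>

/* Constructed stand-ins for the libsepol types; not the real layout. */
typedef struct { char *tables; } policydb_t;
typedef struct { policydb_t p; } sepol_policydb_t;

/* Test hook (constructed): when set, the init step fails like a failed allocation. */
static int fail_init = 0;

static int policydb_init(policydb_t *p) {
    if (fail_init)
        return -1;                 /* nothing allocated yet, nothing to release */
    p->tables = calloc(16, 1);
    return p->tables ? 0 : -1;
}

static void policydb_destroy(policydb_t *p) {
    free(p->tables);
    p->tables = NULL;
}

/* Constructor with the fix: every failure return leaves *sp == NULL. */
int sepol_policydb_create(sepol_policydb_t **sp) {
    policydb_t *p;
    *sp = calloc(1, sizeof(**sp));
    if (!*sp)
        return -1;
    p = &(*sp)->p;
    if (policydb_init(p)) {
        free(*sp);
        *sp = NULL;                /* the one-line fix: no dangling pointer handed back */
        return -1;
    }
    return 0;
}

/* Must tolerate NULL: cleanup paths call it unconditionally. */
void sepol_policydb_free(sepol_policydb_t *p) {
    if (!p)
        return;
    policydb_destroy(&p->p);
    free(p);
}

/* Caller shaped like semanage_direct_mls_enabled(): create, goto cleanup on error, free once. */
int caller_with_cleanup(int force_fail) {
    sepol_policydb_t *p = NULL;
    int retval;
    fail_init = force_fail;
    retval = sepol_policydb_create(&p);
    if (retval < 0)
        goto cleanup;
    /* ... normal use of p would go here ... */
cleanup:
    sepol_policydb_free(p);        /* p is NULL on the failure path, so this is a no-op, not a double free */
    fail_init = 0;
    return retval;
}

/* Returns 1 when a forced init failure leaves the caller's pointer NULL. */
int create_fails_leaves_null(void) {
    sepol_policydb_t *sp = NULL;
    fail_init = 1;
    int rc = sepol_policydb_create(&sp);
    fail_init = 0;
    return rc == -1 && sp == NULL;
}
```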


@ -68,6 +68,7 @@ int sepol_policydb_create(sepol_policydb_t ** sp)
p = &(*sp)->p;
if (policydb_init(p)) {
free(*sp);
*sp = NULL;
return -1;
}
return 0;
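Review bot: the added `*sp = NULL;` after `free(*sp);` is the right fix for callers that free unconditionally on their cleanup path, but it silently relies on `sepol_policydb_free()` accepting a NULL argument (the caller in the commit message already reaches `sepol_policydb_free(p)` with `p == NULL` when the allocation step fails, so this must hold). Consider a short comment at the new line stating the contract this hunk establishes, that `*sp` is NULL on every failure return of `sepol_policydb_create()`, so that the earlier failure path in this function and future changes keep to it. The local `p` still points into the freed block after `free(*sp)`, which is harmless only because the function returns immediately.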