diff options
| author | Tom Rix <trix@redhat.com> | 2020-06-15 22:45:48 +0200 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2020-06-17 02:25:19 +0200 |
| commit | aa449a7965a6172a89d48844c313708962216f1f (patch) | |
| tree | c76ab322333c9ec3f3087e75dd95cbaa5decafe9 /security/selinux/hooks.c | |
| parent | selinux: fix double free (diff) | |
| download | linux-aa449a7965a6172a89d48844c313708962216f1f.tar.xz linux-aa449a7965a6172a89d48844c313708962216f1f.zip | |
selinux: fix a double free in cond_read_node()/cond_read_list()
Clang static analysis reports this double free error
security/selinux/ss/conditional.c:139:2: warning: Attempt to free released memory [unix.Malloc]
kfree(node->expr.nodes);
^~~~~~~~~~~~~~~~~~~~~~~
When cond_read_node fails, it calls cond_node_destroy which frees the
node but does not poison the entry in the node list. So when it
returns to its caller cond_read_list, cond_read_list deletes the
partial list. The latest entry in the list will be deleted twice.
So instead of freeing the node in cond_read_node, let list freeing in
code_read_list handle the freeing the problem node along with all of the
earlier nodes.
Because cond_read_node no longer does any error handling, the goto's
the error case are redundant. Instead just return the error code.
Cc: stable@vger.kernel.org
Fixes: 60abd3181db2 ("selinux: convert cond_list to array")
Signed-off-by: Tom Rix <trix@redhat.com>
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
[PM: subject line tweaks]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/hooks.c')
0 files changed, 0 insertions, 0 deletions