dcbb3a6a58
fix heap-use-after-free in __class_reset_perm_values() fix heap-buffer-overflow in cil_print_recursive_blockinherit
37 lines
1.1 KiB
Diff
37 lines
1.1 KiB
Diff
From b7ea65f547c67bfbae4ae133052583b090747e5a Mon Sep 17 00:00:00 2001
|
|
From: Nicolas Iooss <nicolas.iooss@m4x.org>
|
|
Date: Wed, 30 Dec 2020 11:07:46 +0100
|
|
Subject: [PATCH] libsepol/cil: destroy perm_datums when __cil_resolve_perms
|
|
fails
|
|
|
|
When __cil_resolve_perms fails, it does not destroy perm_datums, which
|
|
leads to a memory leak reported by OSS-Fuzz with the following CIL
|
|
policy:
|
|
|
|
(class cl01())
|
|
(classorder(cl01))
|
|
(type at02)
|
|
(type tpr3)
|
|
(allow at02 tpr3(cl01((s))))
|
|
|
|
Calling cil_list_destroy() fixes the issue.
|
|
|
|
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28466
|
|
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
|
|
---
|
|
libsepol/cil/src/cil_resolve_ast.c | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
|
|
index 68b590bcc..0c85eabe5 100644
|
|
--- a/libsepol/cil/src/cil_resolve_ast.c
|
|
+++ b/libsepol/cil/src/cil_resolve_ast.c
|
|
@@ -146,6 +146,7 @@ static int __cil_resolve_perms(symtab_t *class_symtab, symtab_t *common_symtab,
|
|
return SEPOL_OK;
|
|
|
|
exit:
|
|
+ cil_list_destroy(perm_datums, CIL_FALSE);
|
|
return rc;
|
|
}
|
|
|