    selinux: fix a double free in cond_read_node()/cond_read_list() · aa449a79
    Tom Rix authored
    Clang static analysis reports this double free error:
    
    security/selinux/ss/conditional.c:139:2: warning: Attempt to free released memory [unix.Malloc]
            kfree(node->expr.nodes);
            ^~~~~~~~~~~~~~~~~~~~~~~
    
    When cond_read_node fails, it calls cond_node_destroy which frees the
    node but does not poison the entry in the node list.  So when it
    returns to its caller cond_read_list, cond_read_list deletes the
    partial list.  The latest entry in the list will be deleted twice.
    
    So instead of freeing the node in cond_read_node, let list freeing in
    cond_read_list handle freeing the problem node along with all of the
    earlier nodes.
    
    Because cond_read_node no longer does any error handling, the gotos
    to the error case are redundant.  Instead just return the error code.
    
    Cc: stable@vger.kernel.org
    Fixes: 60abd318 ("selinux: convert cond_list to array")
    Signed-off-by: Tom Rix <trix@redhat.com>
    Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
    [PM: subject line tweaks]
    Signed-off-by: Paul Moore <paul@paul-moore.com>
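
The ownership mistake described in the commit message, reduced to a user-space model. This is an added example, not code from the kernel or from this commit: every name, the tracking allocator and the sample inputs are assumptions constructed for illustration. `callee_frees=1` models the pre-fix behaviour, `callee_frees=0` the fixed one.

```c
/* User-space model of the ownership bug; hypothetical names, not kernel code. */
#include <stdio.h>
#include <stdlib.h>
#define MAX_LIVE 16
static void *live[MAX_LIVE];   /* allocations that have not been freed yet */
static int double_frees;       /* frees of pointers that were already released */
static void *track_alloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; break; }
    return p;
}
static void track_free(void *p) {
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;            /* detected and counted; free() is not repeated */
}
struct node { int *expr_nodes; };
static void node_destroy(struct node *n) { track_free(n->expr_nodes); }
/* Reads one node; `bad` is constructed input that forces a parse failure. */
static int read_node(struct node *n, int bad, int callee_frees) {
    n->expr_nodes = track_alloc(4 * sizeof(int));
    if (!n->expr_nodes) return -1;
    if (bad && callee_frees) node_destroy(n); /* pre-fix: stale pointer stays in list */
    return bad ? -1 : 0;                      /* post-fix: only report the error */
}

/* Loads `len` nodes, then frees the list as the caller does; returns double frees. */
int load_list(const int *bad, int len, int callee_frees) {
    struct node *list = calloc((size_t)len, sizeof(*list));
    int used = 0, rc = 0;
    double_frees = 0;
    if (!list) return -1;
    while (used < len && rc == 0) {           /* a failed entry still counts as used */
        rc = read_node(&list[used], bad[used], callee_frees);
        used++;
    }
    for (int i = 0; i < used; i++) node_destroy(&list[i]);
    free(list);
    return double_frees;
}
const int sample_bad[] = {0, 0, 1};           /* constructed: third node fails */
const int sample_good[] = {0, 0, 0};          /* constructed: all nodes load */
int main(void) {
    printf("pre-fix %d, post-fix %d\n", load_list(sample_bad, 3, 1), load_list(sample_bad, 3, 0));
    return 0;
}
```

The tracking table stands in for what the static analyzer flagged: the second release of the failing node's expression array shows up only when both the callee and the caller clean up the same entry.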