There are two users of policydb->cond_list: cond_read_list()
and duplicate_policydb_cond_list(). If any of them gets an error,
usually an -ENOMEM, the error-path-cleanup *_destroy() functions
get called twice: firstly from these two and secondly from
the caller functions' error paths.
In case such -ENOMEM happens while assigning cond_node data, i.e.
while ->cond_list_len is already non-zero, it leads to inappropriate
dereferencing of policydb->cond_list[] data in the second called
cond_list_destroy() from the caller functions' error paths, resulting
with:
- NULL pointer deref from cond_read_list();
- use-after-free + double-free from duplicate_policydb_cond_list().
(the cond_read_list() manages to set ->cond_list to NULL)
Patch 1/3 simply makes the error behavior consistent by always setting
->cond_list to NULL.
Patch 2/3 fixes the actual bug by resetting ->cond_list_len to 0,
so any subsequent cond_list_destroy() calls would become noop.
Patch 3/3 cleans up the duplicate *_destroy calls on these error paths,
albeit it's a bit questionable and I'm looking for feedback on it:
- on one hand the idea is that the caller functions call the *_destroy()
bits anyway, hence removing duplicate efforts (which also fixes the bug,
but I'd still prefer to apply patches 1 and 2 regardless);
- on the other hand it's appropriate and more bug-proof for a function
to clean everything it allocated on error.
Hence I'm looking forward to seeing what approach the upstream would find
more appropriate.
Signed-off-by: Vratislav Bendel <[email protected]>
From: Vratislav Bendel <[email protected]>
Currently there are two users of policydb->cond_list: cond_read_list()
and duplicate_policydb_cond_list(). On their error path one clears
->cond_list to NULL, but the other doesn't.
Make the behavior consistent by resetting ->cond_list to NULL in
cond_list_destroy(), which is called by both on the error path.
Signed-off-by: Vratislav Bendel <[email protected]>
---
security/selinux/ss/conditional.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index 2ec6e5cd25d9..1d0e5f326b62 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -152,6 +152,7 @@ static void cond_list_destroy(struct policydb *p)
for (i = 0; i < p->cond_list_len; i++)
cond_node_destroy(&p->cond_list[i]);
kfree(p->cond_list);
+ p->cond_list = NULL;
}
void cond_policydb_destroy(struct policydb *p)
@@ -441,7 +442,6 @@ int cond_read_list(struct policydb *p, void *fp)
return 0;
err:
cond_list_destroy(p);
- p->cond_list = NULL;
return rc;
}
--
2.26.3
On Fri, Jan 28, 2022 at 9:29 PM <[email protected]> wrote:
> There are two users of policydb->cond_list: cond_read_list()
> and duplicate_policydb_cond_list(). If any of them gets an error,
> usually an -ENOMEM, the error-path-cleanup *_destroy() functions
> get called twice: firstly from these two and secondly from
> the caller functions' error paths.
>
> In case such -ENOMEM happens while assigning cond_node data, i.e.
> while ->cond_list_len is already non-zero, it leads to inappropriate
> dereferencing of policydb->cond_list[] data in the second called
> cond_list_destroy() from the caller functions' error paths, resulting
> with:
> - NULL pointer deref from cond_read_list();
> - use-after-free + double-free from duplicate_policydb_cond_list().
> (the cond_read_list() manages to set ->cond_list to NULL)
>
> Patch 1/3 simply makes the error behavior consistent by always setting
> ->cond_list to NULL.
>
> Patch 2/3 fixes the actual bug by resetting ->cond_list_len to 0,
> so any subsequent cond_list_destroy() calls would become noop.
>
> Patch 3/3 cleans up the duplicate *_destroy calls on these error paths,
> albeit it's a bit questionable and I'm looking for feedback on it:
> - on one hand the idea is that the caller functions call the *_destroy()
> bits anyway, hence removing duplicate efforts (which also fixes the bug,
> but I'd still prefer to apply patches 1 and 2 regardless);
> - on the other hand it's appropriate and more bug-proof for a function
> to clean everything it allocated on error.
> Hence I'm looking forward to seeing what approach the upstream would find
> more appropriate.
>
> Signed-off-by: Vratislav Bendel <[email protected]>
For the series (with or without the last patch):
Reviewed-by: Ondrej Mosnacek <[email protected]>
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
On Tue, Feb 1, 2022 at 9:10 PM Paul Moore <[email protected]> wrote:
>
> On Tue, Feb 1, 2022 at 12:38 PM Paul Moore <[email protected]> wrote:
> > On Fri, Jan 28, 2022 at 3:29 PM <[email protected]> wrote:
> > > From: Vratislav Bendel <[email protected]>
> > >
> > > Currently there are two users of policydb->cond_list: cond_read_list()
> > > and duplicate_policydb_cond_list(). On their error path one clears
> > > ->cond_list to NULL, but the other doesn't.
> > > Make the behavior consistent by resetting ->cond_list to NULL in
> > > cond_list_destroy(), which is called by both on the error path.
> >
> > It's also important to see if there are any callers of
> > cond_list_destroy() which incorrectly might be making use of
> > policydb::cond_list after it has been freed; thankfully that does not
> > appear to be the case in any of the call paths I looked at just now.
> > As this is more a a style/Right-Thing-To-Do patch and not an immediate
> > bugfix I'm going to go and merge this into selinux/next.
>
> After looking at patches 2/3 and 3/3, ignore the last sentence above
> and see my comments below :)
>
> > Thanks Vratislav.
> >
> > > Signed-off-by: Vratislav Bendel <[email protected]>
> > > ---
> > > security/selinux/ss/conditional.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
> > > index 2ec6e5cd25d9..1d0e5f326b62 100644
> > > --- a/security/selinux/ss/conditional.c
> > > +++ b/security/selinux/ss/conditional.c
> > > @@ -152,6 +152,7 @@ static void cond_list_destroy(struct policydb *p)
> > > for (i = 0; i < p->cond_list_len; i++)
> > > cond_node_destroy(&p->cond_list[i]);
> > > kfree(p->cond_list);
> > > + p->cond_list = NULL;
>
> While patch 1/3 may not be a candidate for selinux/stable-5.17 by
> itself, patch 2/3 definitely qualifies. Considering that both patches
> are small, easily understood, and the likelihood of a merge conflict
> between the two is high, why don't you squash 1/3 and 2/3 together so
> we can submit this for selinux/stable-5.17? In addition, put the two
> lines which reset cond_list and cond_list_len together in v2, it's
> cleaner that way, example below. If you don't have time to do that
> let me know and I can squash them together and move the
> "p->cond_list_len = 0" line (don't worry, I'll preserve your
> name/email as the patch author).
I was also wondering about the possible conflict for submission
into stable. I see no problem with squashing 1/3 and 2/3 together.
I'll send the v2, as per your suggestions. :)
Thank you and have a nice day!
>
> static void cond_list_destroy(...)
> {
>
> /* ... */
>
> kfree(p->cond_list);
> p->cond_list = NULL;
> p->cond_list_len = 0;
> }
>
> > > }
> > >
> > > void cond_policydb_destroy(struct policydb *p)
> > > @@ -441,7 +442,6 @@ int cond_read_list(struct policydb *p, void *fp)
> > > return 0;
> > > err:
> > > cond_list_destroy(p);
> > > - p->cond_list = NULL;
> > > return rc;
> > > }
>
> --
> paul-moore.com
>
On Tue, Feb 1, 2022 at 12:38 PM Paul Moore <[email protected]> wrote:
> On Fri, Jan 28, 2022 at 3:29 PM <[email protected]> wrote:
> > From: Vratislav Bendel <[email protected]>
> >
> > Currently there are two users of policydb->cond_list: cond_read_list()
> > and duplicate_policydb_cond_list(). On their error path one clears
> > ->cond_list to NULL, but the other doesn't.
> > Make the behavior consistent by resetting ->cond_list to NULL in
> > cond_list_destroy(), which is called by both on the error path.
>
> It's also important to see if there are any callers of
> cond_list_destroy() which incorrectly might be making use of
> policydb::cond_list after it has been freed; thankfully that does not
> appear to be the case in any of the call paths I looked at just now.
> As this is more a a style/Right-Thing-To-Do patch and not an immediate
> bugfix I'm going to go and merge this into selinux/next.
After looking at patches 2/3 and 3/3, ignore the last sentence above
and see my comments below :)
> Thanks Vratislav.
>
> > Signed-off-by: Vratislav Bendel <[email protected]>
> > ---
> > security/selinux/ss/conditional.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
> > index 2ec6e5cd25d9..1d0e5f326b62 100644
> > --- a/security/selinux/ss/conditional.c
> > +++ b/security/selinux/ss/conditional.c
> > @@ -152,6 +152,7 @@ static void cond_list_destroy(struct policydb *p)
> > for (i = 0; i < p->cond_list_len; i++)
> > cond_node_destroy(&p->cond_list[i]);
> > kfree(p->cond_list);
> > + p->cond_list = NULL;
While patch 1/3 may not be a candidate for selinux/stable-5.17 by
itself, patch 2/3 definitely qualifies. Considering that both patches
are small, easily understood, and the likelihood of a merge conflict
between the two is high, why don't you squash 1/3 and 2/3 together so
we can submit this for selinux/stable-5.17? In addition, put the two
lines which reset cond_list and cond_list_len together in v2, it's
cleaner that way, example below. If you don't have time to do that
let me know and I can squash them together and move the
"p->cond_list_len = 0" line (don't worry, I'll preserve your
name/email as the patch author).
static void cond_list_destroy(...)
{
/* ... */
kfree(p->cond_list);
p->cond_list = NULL;
p->cond_list_len = 0;
}
> > }
> >
> > void cond_policydb_destroy(struct policydb *p)
> > @@ -441,7 +442,6 @@ int cond_read_list(struct policydb *p, void *fp)
> > return 0;
> > err:
> > cond_list_destroy(p);
> > - p->cond_list = NULL;
> > return rc;
> > }
--
paul-moore.com
On Fri, Jan 28, 2022 at 3:29 PM <[email protected]> wrote:
> From: Vratislav Bendel <[email protected]>
>
> Currently there are two users of policydb->cond_list: cond_read_list()
> and duplicate_policydb_cond_list(). On their error path one clears
> ->cond_list to NULL, but the other doesn't.
> Make the behavior consistent by resetting ->cond_list to NULL in
> cond_list_destroy(), which is called by both on the error path.
It's also important to see if there are any callers of
cond_list_destroy() which incorrectly might be making use of
policydb::cond_list after it has been freed; thankfully that does not
appear to be the case in any of the call paths I looked at just now.
As this is more a a style/Right-Thing-To-Do patch and not an immediate
bugfix I'm going to go and merge this into selinux/next.
Thanks Vratislav.
> Signed-off-by: Vratislav Bendel <[email protected]>
> ---
> security/selinux/ss/conditional.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
> index 2ec6e5cd25d9..1d0e5f326b62 100644
> --- a/security/selinux/ss/conditional.c
> +++ b/security/selinux/ss/conditional.c
> @@ -152,6 +152,7 @@ static void cond_list_destroy(struct policydb *p)
> for (i = 0; i < p->cond_list_len; i++)
> cond_node_destroy(&p->cond_list[i]);
> kfree(p->cond_list);
> + p->cond_list = NULL;
> }
>
> void cond_policydb_destroy(struct policydb *p)
> @@ -441,7 +442,6 @@ int cond_read_list(struct policydb *p, void *fp)
> return 0;
> err:
> cond_list_destroy(p);
> - p->cond_list = NULL;
> return rc;
> }
>
> --
> 2.26.3
--
paul-moore.com