From: Stephen Smalley
Date: Thu, 11 Jun 2020 12:36:08 -0400
Subject: Re: [PATCH] selinux: fix another double free
To: trix@redhat.com
Cc: Paul Moore, Eric Paris, Ondrej Mosnacek, weiyongjun1@huawei.com, SElinux list, linux-kernel
In-Reply-To: <20200611155830.8941-1-trix@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jun 11, 2020 at 11:58 AM wrote:
>
> From: Tom Rix
>
> Clang static analysis reports this double free error
>
> security/selinux/ss/conditional.c:139:2: warning: Attempt to free released memory [unix.Malloc]
>         kfree(node->expr.nodes);
>         ^~~~~~~~~~~~~~~~~~~~~~~
>
> When cond_read_node fails, it calls cond_node_destroy which frees the
> node but does not poison the entry in the node list. So when it
> returns to its caller cond_read_list, cond_read_list deletes the
> partial list. The latest entry in the list will be deleted twice.
>
> So instead of freeing the node in cond_read_node, let list freeing in
> code_read_list handle the freeing of the problem node along with all of the
> earlier nodes.
>
> Signed-off-by: Tom Rix

Looks like this was introduced by
60abd3181db29ea81742106cc0ac2e27fd05b418 ("selinux: convert cond_list
to array").

Acked-by: Stephen Smalley
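
The ownership rule behind this fix, as an added user-space example that is not part of the original message or the kernel source: a tracking allocator counts repeated frees so that the callee-frees error path can be compared with the list-owner-frees one. All names (t_alloc, read_node, read_list, callee_frees) are hypothetical stand-ins for the functions named in the commit message.

```c
#include <stdlib.h>

/* User-space model with constructed names, not kernel code. t_free() only
 * marks a block, so a repeated free is counted instead of corrupting the heap. */
#define MAX_ALLOCS 16
static struct { void *p; int freed; } allocs[MAX_ALLOCS];
static size_t nallocs;
static int double_frees;
static void *t_alloc(size_t n)
{
    void *p = nallocs < MAX_ALLOCS ? calloc(1, n) : NULL;
    if (p) { allocs[nallocs].p = p; allocs[nallocs++].freed = 0; }
    return p;
}
static void t_free(void *p)
{
    for (size_t i = 0; p && i < nallocs; i++)
        if (allocs[i].p == p && allocs[i].freed++) double_frees++;
}
/* Really releases everything and clears the counters. */
static void t_reset(void) { while (nallocs) free(allocs[--nallocs].p); double_frees = 0; }

struct node { int *exprs; };  /* stands in for node->expr.nodes */
static void node_destroy(struct node *n) { t_free(n->exprs); }

/* Parsing fails at index fail_at. callee_frees=1 models the pre-patch error
 * path: the node is destroyed here but its pointer stays in the list. */
static int read_node(struct node *n, size_t i, size_t fail_at, int callee_frees)
{
    n->exprs = t_alloc(4 * sizeof(int));
    if (n->exprs && i != fail_at) return 0;
    if (callee_frees) node_destroy(n);
    return -1;
}

/* Reads count nodes, then tears the list down as its owner would.
 * Returns the number of double frees the tracker observed. */
static int read_list(size_t count, size_t fail_at, int callee_frees)
{
    struct node *nodes = t_alloc(count * sizeof(*nodes));
    int rc = 0, seen;
    for (size_t i = 0; nodes && i < count && rc == 0; i++)
        rc = read_node(&nodes[i], i, fail_at, callee_frees);
    for (size_t i = 0; nodes && i < count; i++) node_destroy(&nodes[i]);
    t_free(nodes);
    seen = double_frees;
    t_reset();
    return seen;
}

int main(void) { return read_list(3, 1, 1) == 1 && read_list(3, 1, 0) == 0 ? 0 : 1; }
```

With a single owner for teardown, the partially read node is released exactly once; the alternative fix of clearing the pointer after the callee frees it would also work but leaves two code paths responsible for the same memory.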