selinux: fix double free of cond_list on error paths

vbendel · pcmoore · commit 186edf7e368c · 2022-02-02T11:02:10.000-05:00
On error path from cond_read_list() and duplicate_policydb_cond_list()
the cond_list_destroy() gets called a second time in caller functions,
resulting in NULL pointer deref.  Fix this by resetting the
cond_list_len to 0 in cond_list_destroy(), making subsequent calls a
noop.

Also consistently reset the cond_list pointer to NULL after freeing.

Cc: stable@vger.kernel.org
Signed-off-by: Vratislav Bendel &lt;vbendel@redhat.com&gt;
[PM: fix line lengths in the description]
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
@@ -152,6 +152,8 @@ static void cond_list_destroy(struct policydb *p)
 	for (i = 0; i < p->cond_list_len; i++)
 		cond_node_destroy(&p->cond_list[i]);
 	kfree(p->cond_list);
+	p->cond_list = NULL;
+	p->cond_list_len = 0;
 }
 
 void cond_policydb_destroy(struct policydb *p)
@@ -441,7 +443,6 @@ int cond_read_list(struct policydb *p, void *fp)
 	return 0;
 err:
 	cond_list_destroy(p);
-	p->cond_list = NULL;
 	return rc;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -152,6 +152,8 @@ static void cond_list_destroy(struct policydb *p)`
`152`	`152`	`for (i = 0; i < p->cond_list_len; i++)`
`153`	`153`	`cond_node_destroy(&p->cond_list[i]);`
`154`	`154`	`kfree(p->cond_list);`
	`155`	`+ p->cond_list = NULL;`
	`156`	`+ p->cond_list_len = 0;`
`155`	`157`	`}`
`156`	`158`
`157`	`159`	`void cond_policydb_destroy(struct policydb *p)`
`@@ -441,7 +443,6 @@ int cond_read_list(struct policydb p, void fp)`
`441`	`443`	`return 0;`
`442`	`444`	`err:`
`443`	`445`	`cond_list_destroy(p);`
`444`		`- p->cond_list = NULL;`
`445`	`446`	`return rc;`
`446`	`447`	`}`
`447`	`448`