Skip to content

Commit

Permalink
libsepol: zero member before potential dereference
Browse files Browse the repository at this point in the history
The `next` member might be checked against NULL and dereferenced before
it gets assigned, due to jumps from failure gotos to the cleanup
section.

    ==31017==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x000000579654 bp 0x7ffd3a07d110 sp 0x7ffd3a07d000 T0)
    ==31017==The signal is caused by a READ memory access.
    ==31017==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
        #0 0x579654 in filename_trans_read_one ./libsepol/src/policydb.c:2874:55
        #1 0x579654 in filename_trans_read ./libsepol/src/policydb.c:2902:9
        SELinuxProject#2 0x5771b7 in policydb_read ./libsepol/src/policydb.c:4509:7
        SELinuxProject#3 0x55a1f5 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:24:6
        SELinuxProject#4 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
        SELinuxProject#5 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
        SELinuxProject#6 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
        SELinuxProject#7 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
        SELinuxProject#8 0x7f2a4e7f97ec in __libc_start_main csu/../csu/libc-start.c:332:16
        SELinuxProject#9 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  • Loading branch information
cgzones authored and jwcart2 committed Dec 15, 2021
1 parent 1b4979c commit 8565e2c
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion libsepol/src/policydb.c
Original file line number Diff line number Diff line change
Expand Up @@ -2780,6 +2780,7 @@ static int filename_trans_read_one(policydb_t *p, struct policy_file *fp)
if (!datum)
goto err;

datum->next = NULL;
*dst = datum;

/* ebitmap_read() will at least init the bitmap */
Expand All @@ -2797,7 +2798,6 @@ static int filename_trans_read_one(policydb_t *p, struct policy_file *fp)

dst = &datum->next;
}
*dst = NULL;

if (ndatum > 1 && filename_trans_check_datum(first))
goto err;
Expand Down

0 comments on commit 8565e2c

Please sign in to comment.