diff options
Diffstat (limited to 'pcr/libsepol/0011-libsepol-sepol_-bool-iface-user-_key_create-copy-nam.patch')
-rw-r--r-- | pcr/libsepol/0011-libsepol-sepol_-bool-iface-user-_key_create-copy-nam.patch | 126 |
1 files changed, 126 insertions, 0 deletions
diff --git a/pcr/libsepol/0011-libsepol-sepol_-bool-iface-user-_key_create-copy-nam.patch b/pcr/libsepol/0011-libsepol-sepol_-bool-iface-user-_key_create-copy-nam.patch new file mode 100644 index 000000000..82df34438 --- /dev/null +++ b/pcr/libsepol/0011-libsepol-sepol_-bool-iface-user-_key_create-copy-nam.patch @@ -0,0 +1,126 @@ +From b14534df3a481ea73eee578b90dcf34c96e4a2c9 Mon Sep 17 00:00:00 2001 +From: Stephen Smalley <sds@tycho.nsa.gov> +Date: Tue, 8 Nov 2016 10:46:14 -0500 +Subject: [PATCH] libsepol: sepol_{bool|iface|user}_key_create: copy name + +The sepol_{bool|iface|user}_key_create() functions were not +copying the name. This produces a use-after-free in the +swig-generated code for python3 bindings. Copy the name +in these functions, and free it upon sepol_{bool|iface|user}_key_free(). + +Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org> +Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> +--- + libsepol/src/boolean_record.c | 10 ++++++++-- + libsepol/src/iface_record.c | 10 ++++++++-- + libsepol/src/user_record.c | 10 ++++++++-- + 3 files changed, 24 insertions(+), 6 deletions(-) + +diff --git a/libsepol/src/boolean_record.c b/libsepol/src/boolean_record.c +index 8b644138a3bc..ebef7f18f0f9 100644 +--- a/libsepol/src/boolean_record.c ++++ b/libsepol/src/boolean_record.c +@@ -15,7 +15,7 @@ struct sepol_bool { + + struct sepol_bool_key { + /* This boolean's name */ +- const char *name; ++ char *name; + }; + + int sepol_bool_key_create(sepol_handle_t * handle, +@@ -30,7 +30,12 @@ int sepol_bool_key_create(sepol_handle_t * handle, + return STATUS_ERR; + } + +- tmp_key->name = name; ++ tmp_key->name = strdup(name); ++ if (!tmp_key->name) { ++ ERR(handle, "out of memory, " "could not create boolean key"); ++ free(tmp_key); ++ return STATUS_ERR; ++ } + + *key_ptr = tmp_key; + return STATUS_SUCCESS; +@@ -62,6 +67,7 @@ int sepol_bool_key_extract(sepol_handle_t * handle, + + void sepol_bool_key_free(sepol_bool_key_t * key) + { ++ free(key->name); + free(key); + } + +diff --git a/libsepol/src/iface_record.c b/libsepol/src/iface_record.c +index 09adeb79f5e9..c8b977c8facc 100644 +--- a/libsepol/src/iface_record.c ++++ b/libsepol/src/iface_record.c +@@ -20,7 +20,7 @@ struct sepol_iface { + struct sepol_iface_key { + + /* Interface name */ +- const char *name; ++ char *name; + }; + + /* Key */ +@@ -36,7 +36,12 @@ int sepol_iface_key_create(sepol_handle_t * handle, + return STATUS_ERR; + } + +- tmp_key->name = name; ++ tmp_key->name = strdup(name); ++ if (!tmp_key->name) { ++ ERR(handle, "out of memory, could not create interface key"); ++ free(tmp_key); ++ return STATUS_ERR; ++ } + + *key_ptr = tmp_key; + return STATUS_SUCCESS; +@@ -68,6 +73,7 @@ int sepol_iface_key_extract(sepol_handle_t * handle, + + void sepol_iface_key_free(sepol_iface_key_t * key) + { ++ free(key->name); + free(key); + } + +diff --git a/libsepol/src/user_record.c b/libsepol/src/user_record.c +index c59c54b1e9b5..e7e2fc20fe36 100644 +--- a/libsepol/src/user_record.c ++++ b/libsepol/src/user_record.c +@@ -24,7 +24,7 @@ struct sepol_user { + + struct sepol_user_key { + /* This user's name */ +- const char *name; ++ char *name; + }; + + int sepol_user_key_create(sepol_handle_t * handle, +@@ -40,7 +40,12 @@ int sepol_user_key_create(sepol_handle_t * handle, + return STATUS_ERR; + } + +- tmp_key->name = name; ++ tmp_key->name = strdup(name); ++ if (!tmp_key->name) { ++ ERR(handle, "out of memory, could not create selinux user key"); ++ free(tmp_key); ++ return STATUS_ERR; ++ } + + *key_ptr = tmp_key; + return STATUS_SUCCESS; +@@ -71,6 +76,7 @@ int sepol_user_key_extract(sepol_handle_t * handle, + + void sepol_user_key_free(sepol_user_key_t * key) + { ++ free(key->name); + free(key); + } + +-- +2.10.2 + |