From 1f1f9568bc3f10741edd0676bc6d59c40e6020c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
Date: Tue, 5 Oct 2021 16:45:09 +0200
Subject: [PATCH] checkpolicy: free memory on duplicate user declaration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

class process sid tl class process { transition } sensitivity s0; dominance { s0 } category c0; level s0; mlsconstrain process transition t1 eq t2; role e; user sys_useallowr roles e level s0 range s0:c0; user sys_useallowr roles e level s0 range s0; sid e se:s:s

Direct leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x5259cd in malloc (./out/checkpolicy-fuzzer+0x5259cd)
#1 0x606369 in mls_semantic_level_cpy ./libsepol/src/mls.c:768:30
#2 0x57bb08 in define_user ./checkpolicy/policy_define.c:4377:8
#3 0x585955 in yyparse ./checkpolicy/policy_parse.y:657:30
#4 0x55a7d7 in read_source_policy ./checkpolicy/fuzz/checkpolicy-fuzzer.c:108:6
#5 0x55a7d7 in LLVMFuzzerTestOneInput ./checkpolicy/fuzz/checkpolicy-fuzzer.c:162:6
#6 0x45af33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
#7 0x446a72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
#8 0x44c99b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
#9 0x475e32 in main (./out/checkpolicy-fuzzer+0x475e32)
#10 0x7febb0536e49 in __libc_start_main csu/../csu/libc-start.c:314:16

Signed-off-by: Christian Göttsche
---
checkpolicy/policy_define.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 946c969074..2270c13935 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -4430,6 +4430,7 @@ int define_user(void)
 }
 if (l == 0) {
+ mls_semantic_level_destroy(&usrdatum->range.level[1]);
 if (mls_semantic_level_cpy(&usrdatum->range.level[1], &usrdatum->range.level[0])) {
 yyerror("out of memory");
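Review bot: The added `mls_semantic_level_destroy()` releases a previously stored high level only on the `l == 0` path, so a redeclaration that supplies an explicit high level (the branch that parses into `range.level[1]`, outside this hunk) and the earlier parse into `range.level[0]` would still overwrite whatever the first declaration left there unless they are released the same way; worth confirming against the rest of define_user(). The purpose of the new line is not obvious on its own, so a short comment such as `/* user may be redeclared: drop any high level stored earlier before copying the low level into it */` above it would help the next reader. The fix also relies on the destroy routine leaving the level re-initialised rather than merely freed, since the copy writes into it immediately afterwards; that appears to be how libsepol's mls_semantic_level_destroy behaves, but it is not visible here. define_user() begins and ends outside the hunk.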