[TODO] libsepol: double free on error after sensitivity alias

class s
sid e
class s { y }
sensitivity i alias { d };

==13999==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000008b8 at pc 0x000000594081 bp 0x7ffcd296ad80 sp 0x7ffcd296ad78
READ of size 8 at 0x6030000008b8 thread T0
    #0 0x594080 in ebitmap_destroy ./libsepol/src/ebitmap.c:379:9
    #1 0x61d546 in mls_level_destroy ./DESTDIR/usr/include/sepol/policydb/mls_types.h:98:2
    #2 0x61d546 in sens_destroy ./libsepol/src/policydb.c:1380:2
    #3 0x5bc9d5 in hashtab_map ./libsepol/src/hashtab.c:234:10
    #4 0x60cbf1 in symtabs_destroy ./libsepol/src/policydb.c:1581:9
    #5 0x60cbf1 in policydb_destroy ./libsepol/src/policydb.c:1489:2
    #6 0x55aaa2 in LLVMFuzzerTestOneInput ./checkpolicy/fuzz/checkpolicy-fuzzer.c:209:2
    #7 0x45af33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
    #8 0x446a72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
    #9 0x44c99b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
    #10 0x475e32 in main (./out/checkpolicy-fuzzer+0x475e32)
    #11 0x7f31b5ea1e49 in __libc_start_main csu/../csu/libc-start.c:314:16
    #12 0x4236e9 in _start (./out/checkpolicy-fuzzer+0x4236e9)

0x6030000008b8 is located 8 bytes inside of 24-byte region [0x6030000008b0,0x6030000008c8)
freed by thread T0 here:
    #0 0x525762 in __interceptor_free (./out/checkpolicy-fuzzer+0x525762)
    #1 0x61d566 in sens_destroy ./libsepol/src/policydb.c:1381:2
    #2 0x5bc9d5 in hashtab_map ./libsepol/src/hashtab.c:234:10
    #3 0x60cbf1 in symtabs_destroy ./libsepol/src/policydb.c:1581:9
    #4 0x60cbf1 in policydb_destroy ./libsepol/src/policydb.c:1489:2
    #5 0x55aaa2 in LLVMFuzzerTestOneInput ./checkpolicy/fuzz/checkpolicy-fuzzer.c:209:2
    #6 0x45af33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
    #7 0x446a72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
    #8 0x44c99b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
    #9 0x475e32 in main (./out/checkpolicy-fuzzer+0x475e32)
    #10 0x7f31b5ea1e49 in __libc_start_main csu/../csu/libc-start.c:314:16

previously allocated by thread T0 here:
    #0 0x5259cd in malloc (./out/checkpolicy-fuzzer+0x5259cd)
    #1 0x56be7e in define_sens ./checkpolicy/policy_define.c:744:26
    #2 0x583ed4 in yyparse ./checkpolicy/policy_parse.y:261:30
    #3 0x55a5a0 in read_source_policy ./checkpolicy/fuzz/checkpolicy-fuzzer.c:96:6
    #4 0x55a5a0 in LLVMFuzzerTestOneInput ./checkpolicy/fuzz/checkpolicy-fuzzer.c:162:6
    #5 0x45af33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
    #6 0x446a72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
    #7 0x44c99b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
    #8 0x475e32 in main (./out/checkpolicy-fuzzer+0x475e32)
    #9 0x7f31b5ea1e49 in __libc_start_main csu/../csu/libc-start.c:314:16

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

libsepol/src/policydb.c

@@ -1378,8 +1378,10 @@ static int sens_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p
 	if (key)
 		free(key);
 	levdatum = (level_datum_t *) datum;
-	mls_level_destroy(levdatum->level);
-	free(levdatum->level);
+	if (!levdatum->isalias) {
+		mls_level_destroy(levdatum->level);
+		free(levdatum->level);
+	}
 	level_datum_destroy(levdatum);
 	free(levdatum);
 	return 0;