checkpolicy was directly assigning type sets rather than using
type_set_cpy() and therefore creating pointer aliases to the
same type set from multiple filename-based type transition rules
if they specified multiple classes.  This would then yield a double
free when destroying the rules afterward and a segmentation fault.
Fix it to use type_set_cpy().

Reported-by: William C Roberts <[email protected]>
Signed-off-by: Stephen Smalley <[email protected]>
---
 checkpolicy/policy_define.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index da47566..7f32029 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -3315,8 +3315,14 @@ int define_filename_trans(void)
                append_filename_trans(ftr);
 
                ftr->name = strdup(name);
-               ftr->stypes = stypes;
-               ftr->ttypes = ttypes;
+               if (type_set_cpy(&ftr->stypes, &stypes)) {
+                       yyerror("out of memory");
+                       goto bad;
+               }
+               if (type_set_cpy(&ftr->ttypes, &ttypes)) {
+                       yyerror("out of memory");
+                       goto bad;
+               }
                ftr->tclass = c + 1;
                ftr->otype = otype;
        }
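Review bot: with the two `type_set_cpy()` calls replacing the direct assignments, `ftr` no longer takes over the local `stypes` and `ttypes`, so the locals still have to be released with `type_set_destroy()` once the loop finishes and on the `bad` path. The diffstat shows only these 8 insertions and no such cleanup is visible in this hunk. Please confirm the existing code after the loop already does this, otherwise the double free becomes a leak. Both new `goto bad` exits also run after `append_filename_trans(ftr)` has linked the rule, so `bad` must not free `ftr` or its partially copied sets independently of the normal rule teardown. A smaller point: the context line `ftr->name = strdup(name);` is still unchecked, while the new copies report "out of memory", so a NULL check there would make the allocation handling consistent.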
-- 
2.1.0

_______________________________________________
Seandroid-list mailing list