78d458d163
OSS-Fuzz found a memory leak when trying to compile the following policy: (class CLASS (PERM ioctl)) (classorder (CLASS)) (sid SID) (sidorder (SID)) (user USER) (role ROLE) (type TYPE) (category CAT) (categoryorder (CAT)) (sensitivity SENS) (sensitivityorder (SENS)) (sensitivitycategory SENS (CAT)) (allow TYPE self (CLASS (PERM))) (roletype ROLE TYPE) (userrole USER ROLE) (userlevel USER (SENS)) (userrange USER ((SENS)(SENS (CAT)))) (sidcontext SID (USER ROLE TYPE ((SENS)(SENS)))) (permissionx ioctl_test (ioctl CLASS (and (range 0x1600 0x19FF) (not (range 0x1750 0x175F))))) (allowx TYPE TYPE ioctl_test) (boolean BOOLEAN false) (booleanif (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (not (xor (eq BOOLEAN BOOLEAN) (and (eq BOOLEAN BOOLEAN) 
BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) BOOLEAN ) ) ) (true (allow TYPE TYPE (CLASS (PERM))) ) ) When the CIL compiler reports "Conditional expression exceeded max allowable depth" because of the loooooong expression in the booleanif statement, cil_binary_create_allocated_pdb returns without freeing the memory which was allocated to store the keys and values of hash table avrulex_ioctl_table. Fix this by moving the freeing logic to a dedicated destructor function and calling it in the exit block of cil_binary_create_allocated_pdb. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28618 Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> |
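The cleanup shape the commit message describes, as an added example that is not part of the commit or of libsepol: a table's keys and values are freed by a dedicated destructor called from the function's exit block, so the depth-limit error path cannot skip it. All names (`table_destroy`, `build`, `MAX_DEPTH`, the allocation counter) are hypothetical, and the table is a plain array rather than a hash table.

```c
/* Added illustration; every name here is hypothetical, not libsepol's API. */
#include <stdlib.h>
#include <string.h>

#define MAX_DEPTH 4       /* assumed stand-in for the compiler's depth limit */
#define NSLOTS 8
static int live_allocs;   /* outstanding heap blocks, makes a leak observable */
static void *xalloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }

struct entry { char *key; unsigned char *val; };
struct table { struct entry slot[NSLOTS]; int used; };

static int table_add(struct table *t, const char *key) {
    if (t->used == NSLOTS) return -1;
    char *k = xalloc(strlen(key) + 1);
    unsigned char *v = xalloc(32);
    if (!k || !v) { xfree(k); xfree(v); return -1; }
    strcpy(k, key);
    t->slot[t->used++] = (struct entry){ k, v };
    return 0;
}

/* Dedicated destructor: frees each key and value; safe on an empty table. */
static void table_destroy(struct table *t) {
    for (int i = 0; i < t->used; i++) { xfree(t->slot[i].key); xfree(t->slot[i].val); }
    t->used = 0;
}

/* fixed == 0 keeps the leaky early return, fixed == 1 routes errors to exit. */
static int build(struct table *t, int cond_depth, int fixed) {
    int rc = -1;
    if (table_add(t, "ioctl_test") != 0) goto exit;
    if (cond_depth > MAX_DEPTH && !fixed) return rc;  /* leak: entries never freed */
    if (cond_depth > MAX_DEPTH) goto exit;            /* fixed: error path reaches cleanup */
    rc = 0;
exit:
    table_destroy(t);
    return rc;
}

/* Blocks still allocated when build() returns; tidies up afterwards so the demo is leak-free. */
int leaked_after(int cond_depth, int fixed) {
    struct table t = {0};
    live_allocs = 0;
    (void)build(&t, cond_depth, fixed);
    int leaked = live_allocs;
    table_destroy(&t);
    return leaked;
}
```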