Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
libsepol/cil: Resolve anonymous class permission sets only once
Anonymous class permission sets can be passed as call arguments.
Anonymous call arguments are resolved when they are used in a
rule. [This is because all the information might not be present
(like common permissions being added to a class) when the call
itself is resolved.] If there is more than one rule using an
anonymous class permission set, then a memory leak will occur
when a new list for the permission datum expression is created
without destroying the old one.

When resolving the class and permissions, check if the class has
already been resolved. If it has, then the permissions have been
as well.

This bug was found by the secilc-fuzzer.

Signed-off-by: James Carter <jwcart2@gmail.com>
  • Loading branch information
jwcart2 committed Jun 4, 2021
1 parent 69fc31d commit a8dcf4d
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions libsepol/cil/src/cil_resolve_ast.c
Expand Up @@ -158,6 +158,10 @@ int cil_resolve_classperms(struct cil_tree_node *current, struct cil_classperms
symtab_t *common_symtab = NULL;
struct cil_class *class;

if (cp->class) {
return SEPOL_OK;
}

rc = cil_resolve_name(current, cp->class_str, CIL_SYM_CLASSES, extra_args, &datum);
if (rc != SEPOL_OK) {
goto exit;
Expand Down

0 comments on commit a8dcf4d

Please sign in to comment.