提交 d95488dc 编写于 作者: E Eric Blake

security, storage: plug memory leaks for security_context_t

security_context_t happens to be a typedef for char*, and happens to
begin with a string usable as a raw context string.  But in reality,
it is an opaque type that may or may not have additional information
after the first NUL byte, where that additional information can
include pointers that can only be freed via freecon().

Proof is from this valgrind run of daemon/libvirtd:

==6028== 839,169 (40 direct, 839,129 indirect) bytes in 1 blocks are definitely lost in loss record 274 of 274
==6028==    at 0x4A0515D: malloc (vg_replace_malloc.c:195)
==6028==    by 0x3022E0D48C: selabel_open (label.c:165)
==6028==    by 0x3022E11646: matchpathcon_init_prefix (matchpathcon.c:296)
==6028==    by 0x3022E1190D: matchpathcon (matchpathcon.c:317)
==6028==    by 0x4F9D842: SELinuxRestoreSecurityFileLabel (security_selinux.c:382)

800k is a lot of memory to be leaking.

* src/storage/storage_backend.c
(virStorageBackendUpdateVolTargetInfoFD): Avoid leak on error.
* src/security/security_selinux.c
(SELinuxReserveSecurityLabel, SELinuxGetSecurityProcessLabel)
(SELinuxRestoreSecurityFileLabel): Use correct function to free
security_context_t.
上级 d90babe9
...@@ -239,7 +239,7 @@ SELinuxReserveSecurityLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED, ...@@ -239,7 +239,7 @@ SELinuxReserveSecurityLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
} }
ctx = context_new(pctx); ctx = context_new(pctx);
VIR_FREE(pctx); freecon(pctx);
if (!ctx) if (!ctx)
goto err; goto err;
...@@ -298,11 +298,12 @@ SELinuxGetSecurityProcessLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED, ...@@ -298,11 +298,12 @@ SELinuxGetSecurityProcessLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
_("security label exceeds " _("security label exceeds "
"maximum length: %d"), "maximum length: %d"),
VIR_SECURITY_LABEL_BUFLEN - 1); VIR_SECURITY_LABEL_BUFLEN - 1);
freecon(ctx);
return -1; return -1;
} }
strcpy(sec->label, (char *) ctx); strcpy(sec->label, (char *) ctx);
VIR_FREE(ctx); freecon(ctx);
sec->enforcing = security_getenforce(); sec->enforcing = security_getenforce();
if (sec->enforcing == -1) { if (sec->enforcing == -1) {
...@@ -387,7 +388,7 @@ SELinuxRestoreSecurityFileLabel(const char *path) ...@@ -387,7 +388,7 @@ SELinuxRestoreSecurityFileLabel(const char *path)
} }
err: err:
VIR_FREE(fcon); freecon(fcon);
VIR_FREE(newpath); VIR_FREE(newpath);
return rc; return rc;
} }
......
...@@ -1148,11 +1148,11 @@ virStorageBackendUpdateVolTargetInfoFD(virStorageVolTargetPtr target, ...@@ -1148,11 +1148,11 @@ virStorageBackendUpdateVolTargetInfoFD(virStorageVolTargetPtr target,
} }
} else { } else {
target->perms.label = strdup(filecon); target->perms.label = strdup(filecon);
freecon(filecon);
if (target->perms.label == NULL) { if (target->perms.label == NULL) {
virReportOOMError(); virReportOOMError();
return -1; return -1;
} }
freecon(filecon);
} }
#else #else
target->perms.label = NULL; target->perms.label = NULL;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册