Fix a double free in the List functions

justincormack · justincormack · commit 87c80bfba583 · 2019-07-01T14:41:30.000+01:00
The code was set up so that it would free the individual items and the data
in `freeListData`, but there was already a Go `defer` to free the data item,
resulting in a double free.

Remove the `free` in `freeListData` and leave the original one.

In addition, move the `defer` for freeing the list data before the error
check, so that the data is also free in the error case. This just removes
a minor leak.

This vulnerability was discovered by:
Jasiel Spelman of Trend Micro Zero Day Initiative and Trend Micro Team Nebula

Signed-off-by: Justin Cormack &lt;justin.cormack@docker.com&gt;
diff --git a/osxkeychain/osxkeychain_darwin.c b/osxkeychain/osxkeychain_darwin.c
@@ -224,5 +224,4 @@ void freeListData(char *** data, unsigned int length) {
      for(int i=0; i<length; i++) {
         free((*data)[i]);
      }
-     free(*data);
 }
diff --git a/osxkeychain/osxkeychain_darwin.go b/osxkeychain/osxkeychain_darwin.go
@@ -109,6 +109,8 @@ func (h Osxkeychain) List() (map[string]string, error) {
 	defer C.free(unsafe.Pointer(acctsC))
 	var listLenC C.uint
 	errMsg := C.keychain_list(credsLabelC, &pathsC, &acctsC, &listLenC)
+	defer C.freeListData(&pathsC, listLenC)
+	defer C.freeListData(&acctsC, listLenC)
 	if errMsg != nil {
 		defer C.free(unsafe.Pointer(errMsg))
 		goMsg := C.GoString(errMsg)
@@ -119,9 +121,6 @@ func (h Osxkeychain) List() (map[string]string, error) {
 		return nil, errors.New(goMsg)
 	}
 
-	defer C.freeListData(&pathsC, listLenC)
-	defer C.freeListData(&acctsC, listLenC)
-
 	var listLen int
 	listLen = int(listLenC)
 	pathTmp := (*[1 << 30]*C.char)(unsafe.Pointer(pathsC))[:listLen:listLen]
diff --git a/secretservice/secretservice_linux.c b/secretservice/secretservice_linux.c
@@ -158,5 +158,4 @@ void freeListData(char *** data, unsigned int length) {
 	for(i=0; i<length; i++) {
 		free((*data)[i]);
 	}
-	free(*data);
 }
diff --git a/secretservice/secretservice_linux.go b/secretservice/secretservice_linux.go
@@ -92,12 +92,12 @@ func (h Secretservice) List() (map[string]string, error) {
 	defer C.free(unsafe.Pointer(acctsC))
 	var listLenC C.uint
 	err := C.list(credsLabelC, &pathsC, &acctsC, &listLenC)
+	defer C.freeListData(&pathsC, listLenC)
+	defer C.freeListData(&acctsC, listLenC)
 	if err != nil {
 		defer C.g_error_free(err)
 		return nil, errors.New("Error from list function in secretservice_linux.c likely due to error in secretservice library")
 	}
-	defer C.freeListData(&pathsC, listLenC)
-	defer C.freeListData(&acctsC, listLenC)
 
 	resp := make(map[string]string)
 

Original file line number	Diff line number	Diff line change
`@@ -224,5 +224,4 @@ void freeListData(char *** data, unsigned int length) {`
`224`	`224`	`for(int i=0; i<length; i++) {`
`225`	`225`	`free((*data)[i]);`
`226`	`226`	`}`
`227`		`- free(*data);`
`228`	`227`	`}`
Original file line number	Diff line number	Diff line change
`@@ -158,5 +158,4 @@ void freeListData(char *** data, unsigned int length) {`
`158`	`158`	`for(i=0; i<length; i++) {`
`159`	`159`	`free((*data)[i]);`
`160`	`160`	`}`
`161`		`- free(*data);`
`162`	`161`	`}`