Description
Using static analysis tools, I found two instances of null pointer dereference risk in the libsepol/cil module. Although the unit tests for this module cover numerous scenarios with NULL inputs, these two cases still fail to properly handle NULL input despite having corresponding tests.
- `cil_copy_list` function in `cil_copy_ast.c`
Vulnerability location:
https://github.com/SELinuxProject/selinux/blob/main/libsepol/cil/src/cil_copy_ast.c#L56
The input parameter `data` in `cil_copy_list` may cause a null pointer dereference via `data->flavor` when `data` is NULL.
Test case:
https://github.com/SELinuxProject/selinux/blob/main/libsepol/cil/test/unit/test_cil_copy_ast.c#L139
The unit test `test_cil_copy_list_orignull_neg` explicitly passes NULL as `data` to `cil_copy_list`.
- `cil_gen_node` function in `cil_build_ast.c`
Vulnerability location:
https://github.com/SELinuxProject/selinux/blob/main/libsepol/cil/src/cil_build_ast.c#L199
The input parameter `ast_node` in `cil_gen_node` may cause a null pointer dereference via `ast_node->parent` when `ast_node` is NULL.
https://github.com/SELinuxProject/selinux/blob/main/libsepol/cil/src/cil_build_ast.c#L595
The `cil_gen_class` function passes `ast_node` to `cil_gen_node` without ensuring it is non-NULL.
Test case:
https://github.com/SELinuxProject/selinux/blob/main/libsepol/cil/test/unit/test_cil_build_ast.c#L1081
The unit test for `cil_gen_class` includes scenarios where `ast_node` is passed as NULL.
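The pattern behind both reports, as an added illustration that is not part of this issue and not libsepol's code: a function reads a field of its pointer argument before checking the argument, so a negative unit test that passes NULL crashes the process instead of observing an error return. The checked variants below validate `data` and `ast_node` (and `ast_node->parent`) first and return an error code. The struct layouts (`struct list`, `struct node`), the `RC_OK`/`RC_ERR` codes and every function name here are constructed stand-ins for the example; the real CIL types and return codes differ.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed stand-ins for this example; they are not libsepol's real
 * struct definitions or return codes.
 */
enum flavor { FLAVOR_NONE = 0, FLAVOR_STRING = 1 };

struct item { enum flavor flavor; struct item *next; };
struct list { enum flavor flavor; struct item *head; };
struct node { struct node *parent; struct node *child; int id; };

#define RC_OK 0
#define RC_ERR (-1)

/* Reported pattern 1: the argument is dereferenced before any NULL check. */
int copy_list_unchecked(struct list *data, struct list *copy)
{
    copy->flavor = data->flavor;   /* faults when data == NULL */
    copy->head = data->head;
    return RC_OK;
}

/* Hardened form: reject NULL inputs with an error code a caller or a negative test can check. */
int copy_list_checked(const struct list *data, struct list *copy)
{
    if (data == NULL || copy == NULL)
        return RC_ERR;
    copy->flavor = data->flavor;
    copy->head = data->head;
    return RC_OK;
}

/* Reported pattern 2: a tree node's parent is read before the node itself is validated. */
int gen_node_unchecked(struct node *ast_node, struct node **scope)
{
    *scope = ast_node->parent;     /* faults when ast_node == NULL */
    return *scope != NULL ? RC_OK : RC_ERR;
}

/* Hardened form: check the node, then its parent, and report an error for either. */
int gen_node_checked(const struct node *ast_node, const struct node **scope)
{
    if (ast_node == NULL || scope == NULL)
        return RC_ERR;
    if (ast_node->parent == NULL)
        return RC_ERR;
    *scope = ast_node->parent;
    return RC_OK;
}

/* Negative test in the style of an "orignull_neg" case: NULL input must be reported, not crash. */
int test_copy_list_orignull_neg(void)
{
    struct list copy = { FLAVOR_NONE, NULL };
    return copy_list_checked(NULL, &copy);
}

/* Positive test: a valid list is copied and its flavor and head are preserved. */
int test_copy_list_valid(void)
{
    struct item it = { FLAVOR_STRING, NULL };
    struct list orig = { FLAVOR_STRING, &it };
    struct list copy = { FLAVOR_NONE, NULL };
    if (copy_list_checked(&orig, &copy) != RC_OK)
        return RC_ERR;
    return (copy.flavor == FLAVOR_STRING && copy.head == &it) ? RC_OK : RC_ERR;
}

/* Negative test: a NULL node yields an error instead of a fault. */
int test_gen_node_null_neg(void)
{
    const struct node *scope = NULL;
    return gen_node_checked(NULL, &scope);
}

/* Positive test: a child node resolves to its parent as the enclosing scope. */
int test_gen_node_valid(void)
{
    struct node root = { NULL, NULL, 1 };
    struct node child = { &root, NULL, 2 };
    const struct node *scope = NULL;
    root.child = &child;
    if (gen_node_checked(&child, &scope) != RC_OK)
        return RC_ERR;
    return scope == &root ? RC_OK : RC_ERR;
}

int main(void)
{
    printf("copy_list NULL  -> %d\n", test_copy_list_orignull_neg());
    printf("copy_list valid -> %d\n", test_copy_list_valid());
    printf("gen_node NULL   -> %d\n", test_gen_node_null_neg());
    printf("gen_node valid  -> %d\n", test_gen_node_valid());
    /* copy_list_unchecked(NULL, ...) and gen_node_unchecked(NULL, ...) would segfault here. */
    return 0;
}
```

The point of the negative tests is that they can only pass if the function returns at all; when the callee dereferences its argument first, a test that passes NULL documents the intended contract but never verifies it. Whichever layer is chosen to guarantee non-NULL (the callee, as above, or every caller such as `cil_gen_class`), the check has to exist somewhere before the dereference.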