Through static analysis tools, I found two instances of null pointer dereference risks in the libsepol/cil module. Although the unit tests for this module have covered numerous scenarios with NULL inputs, these two cases still fail to properly handle NULL input despite having corresponding tests.
- cil_copy_list Function in cil_copy_ast.c
Vulnerability Location:
https://github.com/SELinuxProject/selinux/blob/main/libsepol/cil/src/cil_copy_ast.c#L56
The input parameter data in cil_copy_list may cause a null pointer dereference via data->flavor when data is NULL.
Test Case:
https://github.com/SELinuxProject/selinux/blob/main/libsepol/cil/test/unit/test_cil_copy_ast.c#L139
The unit test test_cil_copy_list_orignull_neg explicitly passes NULL as data to cil_copy_list
- cil_gen_node Function in cil_build_ast.c
Vulnerability Location:
https://github.com/SELinuxProject/selinux/blob/main/libsepol/cil/src/cil_build_ast.c#L199
The input parameter ast_node in cil_gen_node may cause a null pointer dereference via ast_node->parent when ast_node is NULL.
https://github.com/SELinuxProject/selinux/blob/main/libsepol/cil/src/cil_build_ast.c#L595
The cil_gen_class function passes ast_node to cil_gen_node without ensuring it is non-NULL.
Test Case:
https://github.com/SELinuxProject/selinux/blob/main/libsepol/cil/test/unit/test_cil_build_ast.c#L1081
The unit test for cil_gen_class includes scenarios where ast_node is passed as NULL
Through static analysis tools, I found two instances of null pointer dereference risks in the libsepol/cil module. Although the unit tests for this module have covered numerous scenarios with NULL inputs, these two cases still fail to properly handle NULL input despite having corresponding tests.
Vulnerability Location:
https://github.com/SELinuxProject/selinux/blob/main/libsepol/cil/src/cil_copy_ast.c#L56
The input parameter data in cil_copy_list may cause a null pointer dereference via data->flavor when data is NULL.
Test Case:
https://github.com/SELinuxProject/selinux/blob/main/libsepol/cil/test/unit/test_cil_copy_ast.c#L139
The unit test test_cil_copy_list_orignull_neg explicitly passes NULL as data to cil_copy_list
Vulnerability Location:
https://github.com/SELinuxProject/selinux/blob/main/libsepol/cil/src/cil_build_ast.c#L199
The input parameter ast_node in cil_gen_node may cause a null pointer dereference via ast_node->parent when ast_node is NULL.
https://github.com/SELinuxProject/selinux/blob/main/libsepol/cil/src/cil_build_ast.c#L595
The cil_gen_class function passes ast_node to cil_gen_node without ensuring it is non-NULL.
Test Case:
https://github.com/SELinuxProject/selinux/blob/main/libsepol/cil/test/unit/test_cil_build_ast.c#L1081
The unit test for cil_gen_class includes scenarios where ast_node is passed as NULL