diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2020-06-21 15:41:24 -0700 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2020-06-21 15:41:24 -0700 |
commit | 817d914d17651c188f28a284261ff6091d80ad2c (patch) | |
tree | 8916eba51e95090dec075f4af2e161f399734950 /security | |
parent | 16f4aa9b7c2304e439796bd097b2c0a7663f5d6e (diff) | |
parent | 8231b0b9c322c894594fb42eb0eb9f93544a6acc (diff) | |
download | linux-stable-817d914d17651c188f28a284261ff6091d80ad2c.tar.gz linux-stable-817d914d17651c188f28a284261ff6091d80ad2c.tar.bz2 linux-stable-817d914d17651c188f28a284261ff6091d80ad2c.zip |
Merge tag 'selinux-pr-20200621' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
Pull SELinux fixes from Paul Moore:
"Three small patches to fix problems in the SELinux code, all found via
clang.
Two patches fix potential double-free conditions and one fixes an
undefined return value"
* tag 'selinux-pr-20200621' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
selinux: fix undefined return of cond_evaluate_expr
selinux: fix a double free in cond_read_node()/cond_read_list()
selinux: fix double free
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/ss/conditional.c | 21 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 4 |
2 files changed, 12 insertions, 13 deletions
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c index da94a1b4bfda..0cc7cdd58465 100644 --- a/security/selinux/ss/conditional.c +++ b/security/selinux/ss/conditional.c @@ -27,6 +27,9 @@ static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr) int s[COND_EXPR_MAXDEPTH]; int sp = -1; + if (expr->len == 0) + return -1; + for (i = 0; i < expr->len; i++) { struct cond_expr_node *node = &expr->nodes[i]; @@ -392,27 +395,19 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp) rc = next_entry(buf, fp, sizeof(u32) * 2); if (rc) - goto err; + return rc; expr->expr_type = le32_to_cpu(buf[0]); expr->bool = le32_to_cpu(buf[1]); - if (!expr_node_isvalid(p, expr)) { - rc = -EINVAL; - goto err; - } + if (!expr_node_isvalid(p, expr)) + return -EINVAL; } rc = cond_read_av_list(p, fp, &node->true_list, NULL); if (rc) - goto err; - rc = cond_read_av_list(p, fp, &node->false_list, &node->true_list); - if (rc) - goto err; - return 0; -err: - cond_node_destroy(node); - return rc; + return rc; + return cond_read_av_list(p, fp, &node->false_list, &node->true_list); } int cond_read_list(struct policydb *p, void *fp) diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 313919bd42f8..ef0afd878bfc 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -2888,8 +2888,12 @@ err: if (*names) { for (i = 0; i < *len; i++) kfree((*names)[i]); + kfree(*names); } kfree(*values); + *len = 0; + *names = NULL; + *values = NULL; goto out; } |