diff options
| author | Vratislav Bendel <vbendel@redhat.com> | 2022-02-02 14:25:11 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2022-02-08 20:34:02 +0300 |
| commit | 70caa32e6d81f45f0702070c0e4dfe945e92fbd7 (patch) | |
| tree | 81eb8c04c1a7832dbc9dec4fb203672c5352e443 /security | |
| parent | d63d077fc44645d51df7e9007df87853f5c13e4c (diff) | |
| download | linux-70caa32e6d81f45f0702070c0e4dfe945e92fbd7.tar.xz | |
selinux: fix double free of cond_list on error paths
commit 186edf7e368c40d06cf727a1ad14698ea67b74ad upstream.
On error path from cond_read_list() and duplicate_policydb_cond_list()
the cond_list_destroy() gets called a second time in caller functions,
resulting in NULL pointer deref. Fix this by resetting the
cond_list_len to 0 in cond_list_destroy(), making subsequent calls a
noop.
Also consistently reset the cond_list pointer to NULL after freeing.
Cc: stable@vger.kernel.org
Signed-off-by: Vratislav Bendel <vbendel@redhat.com>
[PM: fix line lengths in the description]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'security')
| -rw-r--r-- | security/selinux/ss/conditional.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c index 2ec6e5cd25d9..feb206f3acb4 100644 --- a/security/selinux/ss/conditional.c +++ b/security/selinux/ss/conditional.c @@ -152,6 +152,8 @@ static void cond_list_destroy(struct policydb *p) for (i = 0; i < p->cond_list_len; i++) cond_node_destroy(&p->cond_list[i]); kfree(p->cond_list); + p->cond_list = NULL; + p->cond_list_len = 0; } void cond_policydb_destroy(struct policydb *p) @@ -441,7 +443,6 @@ int cond_read_list(struct policydb *p, void *fp) return 0; err: cond_list_destroy(p); - p->cond_list = NULL; return rc; } |