[thirdparty/kernel/stable-queue.git] / pending-5.1 / selinux-fix-a-missing-check-bug-in-selinux_sb_eat_lsm_opts.patch

From fec6375320c6399c708fa9801f8cfbf950fee623 Mon Sep 17 00:00:00 2001
From: Gen Zhang <blackgod016574@gmail.com>
Date: Wed, 12 Jun 2019 21:55:38 +0800
Subject: selinux: fix a missing-check bug in selinux_sb_eat_lsm_opts()

From: Gen Zhang <blackgod016574@gmail.com>

commit fec6375320c6399c708fa9801f8cfbf950fee623 upstream.

In selinux_sb_eat_lsm_opts(), 'arg' is allocated by kmemdup_nul(). It
returns NULL when fails. So 'arg' should be checked. And 'mnt_opts'
should be freed when error.

Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
Fixes: 99dbbb593fe6 ("selinux: rewrite selinux_sb_eat_lsm_opts()")
Cc: <stable@vger.kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 security/selinux/hooks.c |   20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2612,10 +2612,11 @@ static int selinux_sb_eat_lsm_opts(char
 	char *from = options;
 	char *to = options;
 	bool first = true;
+	int rc;
 
 	while (1) {
 		int len = opt_len(from);
-		int token, rc;
+		int token;
 		char *arg = NULL;
 
 		token = match_opt_prefix(from, len, &arg);
@@ -2631,15 +2632,15 @@ static int selinux_sb_eat_lsm_opts(char
 						*q++ = c;
 				}
 				arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
+				if (!arg) {
+					rc = -ENOMEM;
+					goto free_opt;
+				}
 			}
 			rc = selinux_add_opt(token, arg, mnt_opts);
 			if (unlikely(rc)) {
 				kfree(arg);
-				if (*mnt_opts) {
-					selinux_free_mnt_opts(*mnt_opts);
-					*mnt_opts = NULL;
-				}
-				return rc;
+				goto free_opt;
 			}
 		} else {
 			if (!first) {	// copy with preceding comma
@@ -2657,6 +2658,13 @@ static int selinux_sb_eat_lsm_opts(char
 	}
 	*to = '\0';
 	return 0;
+
+free_opt:
+	if (*mnt_opts) {
+		selinux_free_mnt_opts(*mnt_opts);
+		*mnt_opts = NULL;
+	}
+	return rc;
 }
 
 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
Commit	Line	Data
73769232 GKH	1	From fec6375320c6399c708fa9801f8cfbf950fee623 Mon Sep 17 00:00:00 2001
	2	From: Gen Zhang <blackgod016574@gmail.com>
	3	Date: Wed, 12 Jun 2019 21:55:38 +0800
	4	Subject: selinux: fix a missing-check bug in selinux_sb_eat_lsm_opts()
	5
	6	From: Gen Zhang <blackgod016574@gmail.com>
	7
	8	commit fec6375320c6399c708fa9801f8cfbf950fee623 upstream.
	9
	10	In selinux_sb_eat_lsm_opts(), 'arg' is allocated by kmemdup_nul(). It
	11	returns NULL when fails. So 'arg' should be checked. And 'mnt_opts'
	12	should be freed when error.
	13
	14	Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
	15	Fixes: 99dbbb593fe6 ("selinux: rewrite selinux_sb_eat_lsm_opts()")
	16	Cc: <stable@vger.kernel.org>
	17	Signed-off-by: Paul Moore <paul@paul-moore.com>
	18	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	19
	20	---
	21	security/selinux/hooks.c \| 20 ++++++++++++++------
	22	1 file changed, 14 insertions(+), 6 deletions(-)
	23
	24	--- a/security/selinux/hooks.c
	25	+++ b/security/selinux/hooks.c
	26	@@ -2612,10 +2612,11 @@ static int selinux_sb_eat_lsm_opts(char
	27	char *from = options;
	28	char *to = options;
	29	bool first = true;
	30	+ int rc;
	31
	32	while (1) {
	33	int len = opt_len(from);
	34	- int token, rc;
	35	+ int token;
	36	char *arg = NULL;
	37
	38	token = match_opt_prefix(from, len, &arg);
	39	@@ -2631,15 +2632,15 @@ static int selinux_sb_eat_lsm_opts(char
	40	*q++ = c;
	41	}
	42	arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
	43	+ if (!arg) {
	44	+ rc = -ENOMEM;
	45	+ goto free_opt;
	46	+ }
	47	}
	48	rc = selinux_add_opt(token, arg, mnt_opts);
	49	if (unlikely(rc)) {
	50	kfree(arg);
	51	- if (*mnt_opts) {
	52	- selinux_free_mnt_opts(*mnt_opts);
	53	- *mnt_opts = NULL;
	54	- }
	55	- return rc;
	56	+ goto free_opt;
	57	}
	58	} else {
	59	if (!first) { // copy with preceding comma
	60	@@ -2657,6 +2658,13 @@ static int selinux_sb_eat_lsm_opts(char
	61	}
	62	*to = '\0';
	63	return 0;
	64	+
65	+free_opt:
66	+ if (*mnt_opts) {
67	+ selinux_free_mnt_opts(*mnt_opts);
68	+ *mnt_opts = NULL;
69	+ }
70	+ return rc;
71	}
72
73	static int selinux_sb_remount(struct super_block sb, void mnt_opts)