1 From fec6375320c6399c708fa9801f8cfbf950fee623 Mon Sep 17 00:00:00 2001
2 From: Gen Zhang <blackgod016574@gmail.com>
3 Date: Wed, 12 Jun 2019 21:55:38 +0800
4 Subject: selinux: fix a missing-check bug in selinux_sb_eat_lsm_opts()
6 From: Gen Zhang <blackgod016574@gmail.com>
8 commit fec6375320c6399c708fa9801f8cfbf950fee623 upstream.
10 In selinux_sb_eat_lsm_opts(), 'arg' is allocated by kmemdup_nul(), which
11 returns NULL on failure, so 'arg' should be checked. 'mnt_opts' should
12 also be freed on error.
14 Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
15 Fixes: 99dbbb593fe6 ("selinux: rewrite selinux_sb_eat_lsm_opts()")
16 Cc: <stable@vger.kernel.org>
17 Signed-off-by: Paul Moore <paul@paul-moore.com>
18 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
21 security/selinux/hooks.c | 20 ++++++++++++++------
22 1 file changed, 14 insertions(+), 6 deletions(-)
24 --- a/security/selinux/hooks.c
25 +++ b/security/selinux/hooks.c
26 @@ -2612,10 +2612,11 @@ static int selinux_sb_eat_lsm_opts(char
33 int len = opt_len(from);
38 token = match_opt_prefix(from, len, &arg);
39 @@ -2631,15 +2632,15 @@ static int selinux_sb_eat_lsm_opts(char
42 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
48 rc = selinux_add_opt(token, arg, mnt_opts);
52 - selinux_free_mnt_opts(*mnt_opts);
59 if (!first) { // copy with preceding comma
60 @@ -2657,6 +2658,13 @@ static int selinux_sb_eat_lsm_opts(char
67 + selinux_free_mnt_opts(*mnt_opts);
73 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
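Review bot: The `selinux_free_mnt_opts(*mnt_opts);` call added near the end of selinux_sb_eat_lsm_opts() appears to be the shared cleanup for the function's failure exits, but the lines around it are not visible on this page, so it is worth confirming that `*mnt_opts = NULL;` follows the free. Without that reset, a caller that releases the options itself after a non-zero return would free the same structure twice. A short comment at the cleanup code, such as `/* on error the partially built options are freed here and *mnt_opts is cleared; callers must not free them again */`, would record that ownership rule for future callers. The function body starts outside this hunk, so the exits that reach this cleanup should be checked against the full file.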