selinux: fix sel_read_bool() allocation and error handling
authorStephen Smalley <stephen.smalley.work@gmail.com>
Tue, 2 Sep 2025 13:11:08 +0000 (09:11 -0400)
committerPaul Moore <paul@paul-moore.com>
Wed, 3 Sep 2025 21:34:32 +0000 (17:34 -0400)
Switch sel_read_bool() from using get_zeroed_page() and free_page()
to a stack-allocated buffer. This also fixes a memory leak in the
error path when security_get_bool_value() returns an error.

Reported-by: Matthew Wilcox <willy@infradead.org>
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
security/selinux/selinuxfs.c

index 9aa1d03ab6120a8b854927ed0452b5f4130c3fc9..232e087bce3eeafe9f3ee03999bf6ca9e74f973d 100644 (file)
@@ -1203,7 +1203,7 @@ static ssize_t sel_read_bool(struct file *filep, char __user *buf,
                             size_t count, loff_t *ppos)
 {
        struct selinux_fs_info *fsi = file_inode(filep)->i_sb->s_fs_info;
-       char *page = NULL;
+       char buffer[4];
        ssize_t length;
        ssize_t ret;
        int cur_enforcing;
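Review bot: The size in `char buffer[4];` is a magic number that is only correct because of the `!!` normalisation added in the second hunk. The "%d %d" output fits in four bytes, NUL included, only while both values are clamped to a single digit, and scnprintf() truncates silently instead of failing if the format or the clamping ever changes. I would tie the size to the output, e.g. `char buffer[sizeof("0 0")];`, or add a comment at the declaration such as `/* "<0|1> <0|1>" plus NUL; both values are clamped with !! below */`. The body of sel_read_bool() continues past this hunk.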
@@ -1217,27 +1217,19 @@ static ssize_t sel_read_bool(struct file *filep, char __user *buf,
                                             fsi->bool_pending_names[index]))
                goto out_unlock;
 
-       ret = -ENOMEM;
-       page = (char *)get_zeroed_page(GFP_KERNEL);
-       if (!page)
-               goto out_unlock;
-
        cur_enforcing = security_get_bool_value(index);
        if (cur_enforcing < 0) {
                ret = cur_enforcing;
                goto out_unlock;
        }
-       length = scnprintf(page, PAGE_SIZE, "%d %d", cur_enforcing,
-                         fsi->bool_pending_values[index]);
+       length = scnprintf(buffer, sizeof(buffer), "%d %d", !!cur_enforcing,
+                         !!fsi->bool_pending_values[index]);
        mutex_unlock(&selinux_state.policy_mutex);
-       ret = simple_read_from_buffer(buf, count, ppos, page, length);
-out_free:
-       free_page((unsigned long)page);
-       return ret;
+       return simple_read_from_buffer(buf, count, ppos, buffer, length);
 
 out_unlock:
        mutex_unlock(&selinux_state.policy_mutex);
-       goto out_free;
+       return ret;
 }
 
 static ssize_t sel_write_bool(struct file *filep, const char __user *buf,