From: Greg Kroah-Hartman Date: Sat, 5 Feb 2022 12:54:33 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v5.10.98~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cdc8da7bfc9e14f5d3972a3ea9a604a30e8bbcd6;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: selinux-fix-double-free-of-cond_list-on-error-paths.patch --- diff --git a/queue-5.10/selinux-fix-double-free-of-cond_list-on-error-paths.patch b/queue-5.10/selinux-fix-double-free-of-cond_list-on-error-paths.patch new file mode 100644 index 00000000000..8367935c3a4 --- /dev/null +++ b/queue-5.10/selinux-fix-double-free-of-cond_list-on-error-paths.patch 
@@ -0,0 +1,45 @@ +From 186edf7e368c40d06cf727a1ad14698ea67b74ad Mon Sep 17 00:00:00 2001 +From: Vratislav Bendel +Date: Wed, 2 Feb 2022 12:25:11 +0100 +Subject: selinux: fix double free of cond_list on error paths + +From: Vratislav Bendel + +commit 186edf7e368c40d06cf727a1ad14698ea67b74ad upstream. + +On error path from cond_read_list() and duplicate_policydb_cond_list() +the cond_list_destroy() gets called a second time in caller functions, +resulting in NULL pointer deref. Fix this by resetting the +cond_list_len to 0 in cond_list_destroy(), making subsequent calls a +noop. + +Also consistently reset the cond_list pointer to NULL after freeing. + +Cc: stable@vger.kernel.org +Signed-off-by: Vratislav Bendel +[PM: fix line lengths in the description] +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + security/selinux/ss/conditional.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/security/selinux/ss/conditional.c ++++ b/security/selinux/ss/conditional.c +@@ -152,6 +152,8 @@ static void cond_list_destroy(struct pol + for (i = 0; i < p->cond_list_len; i++) + cond_node_destroy(&p->cond_list[i]); + kfree(p->cond_list); ++ p->cond_list = NULL; ++ p->cond_list_len = 0; + } + + void cond_policydb_destroy(struct policydb *p) +@@ -440,7 +442,6 @@ int cond_read_list(struct policydb *p, v + return 0; + err: + cond_list_destroy(p); +- p->cond_list = NULL; + return rc; + } + diff --git a/queue-5.10/series b/queue-5.10/series new file mode 100644 index 00000000000..14d144cca13 --- /dev/null +++ b/queue-5.10/series @@ -0,0 +1 @@ +selinux-fix-double-free-of-cond_list-on-error-paths.patch diff --git a/queue-5.4/series b/queue-5.4/series new file mode 100644 index 00000000000..e69de29bb2d
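Review bot: in the `@@ -0,0 +1,45 @@` hunk the backport description says "double free" in the subject but "NULL pointer deref" in the body, and the two resets added to cond_list_destroy() fix different halves of that, which the changelog should spell out: after the first destroy, `p->cond_list` is already NULL (the old `p->cond_list = NULL;` on the cond_read_list() err path, now removed), so the second `kfree(p->cond_list)` is harmless, and the actual fault is the `for (i = 0; i < p->cond_list_len; i++)` loop calling `cond_node_destroy(&p->cond_list[i])` through a NULL base; `p->cond_list_len = 0;` is what makes the second call a no-op, while `p->cond_list = NULL;` just moves the existing reset into the helper so every caller gets it. The description also names duplicate_policydb_cond_list() as a second affected path, yet the hunk touches only cond_read_list(); that is correct because the reset now lives in cond_list_destroy(), but a sentence saying so would save the next reader from looking for a missing hunk.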
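Review bot: `queue-5.4/series` is created as an empty file (index `00000000000..e69de29bb2d`, the empty-blob hash, with no hunk following), so no 5.4 backport of this patch is queued even though the upstream commit carries `Cc: stable@vger.kernel.org`; if 5.4 is meant to receive it, add the patch file and a series entry alongside the `queue-5.10` ones, otherwise the empty file reads as a leftover and should be dropped from this commit.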