]>
Commit | Line | Data |
---|---|---|
73769232 GKH |
1 | From e2e0e09758a6f7597de0f9b819647addfb71b6bd Mon Sep 17 00:00:00 2001 |
2 | From: Gen Zhang <blackgod016574@gmail.com> | |
3 | Date: Wed, 12 Jun 2019 21:28:21 +0800 | |
4 | Subject: selinux: fix a missing-check bug in selinux_add_mnt_opt( ) | |
5 | ||
6 | From: Gen Zhang <blackgod016574@gmail.com> | |
7 | ||
8 | commit e2e0e09758a6f7597de0f9b819647addfb71b6bd upstream. | |
9 | ||
10 | In selinux_add_mnt_opt(), 'val' is allocated by kmemdup_nul(). It returns | |
11 | NULL when fails. So 'val' should be checked. And 'mnt_opts' should be | |
12 | freed when error. | |
13 | ||
14 | Signed-off-by: Gen Zhang <blackgod016574@gmail.com> | |
15 | Fixes: 757cbe597fe8 ("LSM: new method: ->sb_add_mnt_opt()") | |
16 | Cc: <stable@vger.kernel.org> | |
17 | [PM: fixed some indenting problems] | |
18 | Signed-off-by: Paul Moore <paul@paul-moore.com> | |
19 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
20 | ||
21 | --- | |
22 | security/selinux/hooks.c | 19 ++++++++++++++----- | |
23 | 1 file changed, 14 insertions(+), 5 deletions(-) | |
24 | ||
25 | --- a/security/selinux/hooks.c | |
26 | +++ b/security/selinux/hooks.c | |
27 | @@ -1048,15 +1048,24 @@ static int selinux_add_mnt_opt(const cha | |
28 | if (token == Opt_error) | |
29 | return -EINVAL; | |
30 | ||
31 | - if (token != Opt_seclabel) | |
32 | + if (token != Opt_seclabel) { | |
33 | val = kmemdup_nul(val, len, GFP_KERNEL); | |
34 | + if (!val) { | |
35 | + rc = -ENOMEM; | |
36 | + goto free_opt; | |
37 | + } | |
38 | + } | |
39 | rc = selinux_add_opt(token, val, mnt_opts); | |
40 | if (unlikely(rc)) { | |
41 | kfree(val); | |
42 | - if (*mnt_opts) { | |
43 | - selinux_free_mnt_opts(*mnt_opts); | |
44 | - *mnt_opts = NULL; | |
45 | - } | |
46 | + goto free_opt; | |
47 | + } | |
48 | + return rc; | |
49 | + | |
50 | +free_opt: | |
51 | + if (*mnt_opts) { | |
52 | + selinux_free_mnt_opts(*mnt_opts); | |
53 | + *mnt_opts = NULL; | |
54 | } | |
55 | return rc; | |
56 | } |