releases/5.1.12/selinux-fix-a-missing-check-bug-in-selinux_sb_eat_lsm_opts.patch

   1 From fec6375320c6399c708fa9801f8cfbf950fee623 Mon Sep 17 00:00:00 2001
   2 From: Gen Zhang <blackgod016574@gmail.com>
   3 Date: Wed, 12 Jun 2019 21:55:38 +0800
   4 Subject: selinux: fix a missing-check bug in selinux_sb_eat_lsm_opts()
   5
   6 From: Gen Zhang <blackgod016574@gmail.com>
   7
   8 commit fec6375320c6399c708fa9801f8cfbf950fee623 upstream.
   9
  10 In selinux_sb_eat_lsm_opts(), 'arg' is allocated by kmemdup_nul(). It
  11 returns NULL when fails. So 'arg' should be checked. And 'mnt_opts'
  12 should be freed when error.
  13
  14 Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
  15 Fixes: 99dbbb593fe6 ("selinux: rewrite selinux_sb_eat_lsm_opts()")
  16 Cc: <stable@vger.kernel.org>
  17 Signed-off-by: Paul Moore <paul@paul-moore.com>
  18 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  19
  20 ---
  21  security/selinux/hooks.c |   20 ++++++++++++++------
  22  1 file changed, 14 insertions(+), 6 deletions(-)
  23
  24 --- a/security/selinux/hooks.c
  25 +++ b/security/selinux/hooks.c
  26 @@ -2612,10 +2612,11 @@ static int selinux_sb_eat_lsm_opts(char
  27         char *from = options;
  28         char *to = options;
  29         bool first = true;
  30 +       int rc;
  31
  32         while (1) {
  33                 int len = opt_len(from);
  34 -               int token, rc;
  35 +               int token;
  36                 char *arg = NULL;
  37
  38                 token = match_opt_prefix(from, len, &arg);
  39 @@ -2631,15 +2632,15 @@ static int selinux_sb_eat_lsm_opts(char
  40                                                 *q++ = c;
  41                                 }
  42                                 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
  43 +                               if (!arg) {
  44 +                                       rc = -ENOMEM;
  45 +                                       goto free_opt;
  46 +                               }
  47                         }
  48                         rc = selinux_add_opt(token, arg, mnt_opts);
  49                         if (unlikely(rc)) {
  50                                 kfree(arg);
  51 -                               if (*mnt_opts) {
  52 -                                       selinux_free_mnt_opts(*mnt_opts);
  53 -                                       *mnt_opts = NULL;
  54 -                               }
  55 -                               return rc;
  56 +                               goto free_opt;
  57                         }
  58                 } else {
  59                         if (!first) {   // copy with preceding comma
  60 @@ -2657,6 +2658,13 @@ static int selinux_sb_eat_lsm_opts(char
  61         }
  62         *to = '\0';
  63         return 0;
  64 +
  65 +free_opt:
  66 +       if (*mnt_opts) {
  67 +               selinux_free_mnt_opts(*mnt_opts);
  68 +               *mnt_opts = NULL;
  69 +       }
  70 +       return rc;
  71  }
  72
  73  static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)