selinux/stable-5.8 PR 20200621

-----BEGIN PGP SIGNATURE-----
 
 iQJIBAABCAAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAl7vxoUUHHBhdWxAcGF1
 bC1tb29yZS5jb20ACgkQ6iDy2pc3iXOs3Q/+JSNYoKZiOJax5u1ePEwk5JRasRij
 JkKNjspXueVcoVkVF8lOiSOmQm/7FyfDUi2Qk8U5Gmx7Pr6vQJZgghHxdPMsemCz
 mNbbR8UMm6ssTim19ULBQ3S0Sc1QMQvQCLNDZcv24ne2K8d9HTBrFGenqlLU4UtZ
 JrMLircBt39fVonooMrf9ycGlM8tUZwm8te+Jp7KL18GUKZT8hr0HKzu2WE6/qT4
 WBGNaWxqnfbajnDb41ix2rL+lb8Snqn94cxCjp248rn7M5fJRSCKmYaumBh5ViJ2
 VuD/ZQsTX5SSnc9YDpkUDXya9M1wzFwf64ku6Avga1BXS6lNWB1wqWueSTMfggiL
 2B+LVANWkGFfHtVAVA5xsxXjeJnYmIj/g8qSiHS/RSFJazr1b/cXWedvyewll/Nv
 rFRBsVzktV6BBrlTclcrsu9FmlZRAThNC3uYs/s5vbAja+wHEhCLuacO+jiducRP
 fqQCP2iF6MqC6B2I8WzVp3jU8k2t02i6ySaXmXjzrwOZSLvnOdvDBzE7e95yNLRg
 WLeGd/o2PdLpVoSNVHelFrqm8VZKYSCkWty9WppklnrIVVydKMJ3bgihXY4pADyf
 1ABtKUZgySZKZOpr1pQBqIivHuvKqUGFynj6PSRsngQBoq6V3XpJ7ZCBhuG7cNAT
 9BfnUkhFW7lW70I=
 =nILH
 -----END PGP SIGNATURE-----

Merge tag 'selinux-pr-20200621' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull SELinux fixes from Paul Moore:
 "Three small patches to fix problems in the SELinux code, all found via
  clang.

  Two patches fix potential double-free conditions and one fixes an
  undefined return value"

* tag 'selinux-pr-20200621' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: fix undefined return of cond_evaluate_expr
  selinux: fix a double free in cond_read_node()/cond_read_list()
  selinux: fix double free
This commit is contained in:
Linus Torvalds 2020-06-21 15:41:24 -07:00
commit 817d914d17
2 changed files with 12 additions and 13 deletions

View File

@ -27,6 +27,9 @@ static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr)
int s[COND_EXPR_MAXDEPTH]; int s[COND_EXPR_MAXDEPTH];
int sp = -1; int sp = -1;
if (expr->len == 0)
return -1;
for (i = 0; i < expr->len; i++) { for (i = 0; i < expr->len; i++) {
struct cond_expr_node *node = &expr->nodes[i]; struct cond_expr_node *node = &expr->nodes[i];
@ -392,27 +395,19 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
rc = next_entry(buf, fp, sizeof(u32) * 2); rc = next_entry(buf, fp, sizeof(u32) * 2);
if (rc) if (rc)
goto err; return rc;
expr->expr_type = le32_to_cpu(buf[0]); expr->expr_type = le32_to_cpu(buf[0]);
expr->bool = le32_to_cpu(buf[1]); expr->bool = le32_to_cpu(buf[1]);
if (!expr_node_isvalid(p, expr)) { if (!expr_node_isvalid(p, expr))
rc = -EINVAL; return -EINVAL;
goto err;
}
} }
rc = cond_read_av_list(p, fp, &node->true_list, NULL); rc = cond_read_av_list(p, fp, &node->true_list, NULL);
if (rc) if (rc)
goto err; return rc;
rc = cond_read_av_list(p, fp, &node->false_list, &node->true_list); return cond_read_av_list(p, fp, &node->false_list, &node->true_list);
if (rc)
goto err;
return 0;
err:
cond_node_destroy(node);
return rc;
} }
int cond_read_list(struct policydb *p, void *fp) int cond_read_list(struct policydb *p, void *fp)

View File

@ -2888,8 +2888,12 @@ int security_get_bools(struct selinux_state *state,
if (*names) { if (*names) {
for (i = 0; i < *len; i++) for (i = 0; i < *len; i++)
kfree((*names)[i]); kfree((*names)[i]);
kfree(*names);
} }
kfree(*values); kfree(*values);
*len = 0;
*names = NULL;
*values = NULL;
goto out; goto out;
} }