summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorVratislav Bendel <vbendel@redhat.com>2022-02-02 14:25:11 +0300
committerPaul Moore <paul@paul-moore.com>2022-02-02 19:02:10 +0300
commit186edf7e368c40d06cf727a1ad14698ea67b74ad (patch)
tree138762ec92ee3a0a054d3809e235a90db82259d7 /security
parente783362eb54cd99b2cac8b3a9aeac942e6f6ac07 (diff)
downloadlinux-186edf7e368c40d06cf727a1ad14698ea67b74ad.tar.xz
selinux: fix double free of cond_list on error paths
On error path from cond_read_list() and duplicate_policydb_cond_list() the cond_list_destroy() gets called a second time in caller functions, resulting in NULL pointer deref. Fix this by resetting the cond_list_len to 0 in cond_list_destroy(), making subsequent calls a noop. Also consistently reset the cond_list pointer to NULL after freeing. Cc: stable@vger.kernel.org Signed-off-by: Vratislav Bendel <vbendel@redhat.com> [PM: fix line lengths in the description] Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/ss/conditional.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index 2ec6e5cd25d9..feb206f3acb4 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -152,6 +152,8 @@ static void cond_list_destroy(struct policydb *p)
for (i = 0; i < p->cond_list_len; i++)
cond_node_destroy(&p->cond_list[i]);
kfree(p->cond_list);
+ p->cond_list = NULL;
+ p->cond_list_len = 0;
}
void cond_policydb_destroy(struct policydb *p)
@@ -441,7 +443,6 @@ int cond_read_list(struct policydb *p, void *fp)
return 0;
err:
cond_list_destroy(p);
- p->cond_list = NULL;
return rc;
}