selinux.vger.kernel.org archive mirror
From: Stephen Smalley <sds@tycho.nsa.gov>
To: Ondrej Mosnacek <omosnace@redhat.com>,
	selinux@vger.kernel.org, Paul Moore <paul@paul-moore.com>
Cc: Kent Overstreet <kent.overstreet@gmail.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	linux-kernel@vger.kernel.org,
	syzbot+a57b2aff60832666fc28@syzkaller.appspotmail.com
Subject: Re: [PATCH] selinux: fix NULL dereference in policydb_destroy()
Date: Mon, 18 Mar 2019 09:42:52 -0400
Message-ID: <a5c9075d-fd4d-6ff7-b848-2f78ff871c45@tycho.nsa.gov>
In-Reply-To: <20190317134653.26824-1-omosnace@redhat.com>

On 3/17/19 9:46 AM, Ondrej Mosnacek wrote:
> The conversion to kvmalloc() forgot to account for the possibility that
> p->type_attr_map_array might be null in policydb_destroy().
> 
> Fix this by destroying its contents only if it is not NULL.
> 
> Also make sure ebitmap_init() is called on all entries before
> policydb_destroy() can be called. Right now this is a no-op, because
> both kvcalloc() and ebitmap_init() just zero out the whole struct, but
> let's rather not rely on a specific implementation.
> 
> Reported-by: syzbot+a57b2aff60832666fc28@syzkaller.appspotmail.com
> Fixes: acdf52d97f82 ("selinux: convert to kvmalloc")
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

> ---
>   security/selinux/ss/policydb.c | 13 +++++++++----
>   1 file changed, 9 insertions(+), 4 deletions(-)
> 
> NOTE: This applies directly on top of current Linus' tree, since the
> problematic commit is not present in the selinux/stable-5.1 branch.
> 
> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> index 6b576e588725..daecdfb15a9c 100644
> --- a/security/selinux/ss/policydb.c
> +++ b/security/selinux/ss/policydb.c
> @@ -828,9 +828,11 @@ void policydb_destroy(struct policydb *p)
>   	hashtab_map(p->range_tr, range_tr_destroy, NULL);
>   	hashtab_destroy(p->range_tr);
>   
> -	for (i = 0; i < p->p_types.nprim; i++)
> -		ebitmap_destroy(&p->type_attr_map_array[i]);
> -	kvfree(p->type_attr_map_array);
> +	if (p->type_attr_map_array) {
> +		for (i = 0; i < p->p_types.nprim; i++)
> +			ebitmap_destroy(&p->type_attr_map_array[i]);
> +		kvfree(p->type_attr_map_array);
> +	}
>   
>   	ebitmap_destroy(&p->filename_trans_ttypes);
>   	ebitmap_destroy(&p->policycaps);
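
Review bot: the new `if (p->type_attr_map_array)` guard deserves a one-line comment saying why the pointer can be NULL at this point, since nothing in policydb_destroy() shows it; the only hint in this patch is the `if (!p->type_attr_map_array) goto bad;` path in policydb_read(). Only the ebitmap_destroy() loop strictly needs the guard, because kvfree() accepts NULL, so keeping kvfree() inside the braces is a style choice rather than a requirement.
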
> @@ -2496,10 +2498,13 @@ int policydb_read(struct policydb *p, void *fp)
>   	if (!p->type_attr_map_array)
>   		goto bad;
>   
> +	/* just in case ebitmap_init() becomes more than just a memset(0): */
> +	for (i = 0; i < p->p_types.nprim; i++)
> +		ebitmap_init(&p->type_attr_map_array[i]);
> +
>   	for (i = 0; i < p->p_types.nprim; i++) {
>   		struct ebitmap *e = &p->type_attr_map_array[i];
>   
> -		ebitmap_init(e);
>   		if (p->policyvers >= POLICYDB_VERSION_AVTAB) {
>   			rc = ebitmap_read(e, fp);
>   			if (rc)
> 
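
Review bot: the comment above the new ebitmap_init() loop explains the hedge but not the invariant it protects. What matters is that every entry of type_attr_map_array is initialised before an ebitmap_read() error can leave the read loop early, because policydb_destroy() then calls ebitmap_destroy() on all p->p_types.nprim entries, including those the read loop never reached. Suggest wording the comment along those lines, for example "initialise all entries first so policydb_destroy() is safe after a partial read".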


Thread overview: 3+ messages
2019-03-17 13:46 [PATCH] selinux: fix NULL dereference in policydb_destroy() Ondrej Mosnacek
2019-03-18 13:42 ` Stephen Smalley [this message]
2019-03-18 16:29 ` Paul Moore