From: Casey Schaufler <casey@schaufler-ca.com>
To: kernel-janitors@vger.kernel.org
Subject: Re: [patch] Smack: freeing an error pointer in smk_write_revoke_subj()
Date: Fri, 12 Jun 2015 20:00:05 +0000 [thread overview]
Message-ID: <557B3A45.2090908@schaufler-ca.com> (raw)
In-Reply-To: <20150611085116.GC27393@mwanda>
On 6/11/2015 1:51 AM, Dan Carpenter wrote:
> This code used to rely on the fact that kfree(NULL) was a no-op, but
> then we changed smk_parse_smack() to return error pointers on failure
> instead of NULL. Calling kfree() on an error pointer will oops.
>
> I have re-arranged things a bit so that we only free things if they
> have been allocated.
>
> Fixes: e774ad683f42 ('smack: pass error code through pointers')
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Applied to https://github.com/cschaufler/smack-next.git#smack-for-4.2-stacked
>
> diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
> index 6beac42..2716d02 100644
> --- a/security/smack/smackfs.c
> +++ b/security/smack/smackfs.c
> @@ -2253,8 +2253,8 @@ static const struct file_operations smk_access2_ops = {
> static ssize_t smk_write_revoke_subj(struct file *file, const char __user *buf,
> size_t count, loff_t *ppos)
> {
> - char *data = NULL;
> - const char *cp = NULL;
> + char *data;
> + const char *cp;
> struct smack_known *skp;
> struct smack_rule *sp;
> struct list_head *rule_list;
> @@ -2276,18 +2276,18 @@ static ssize_t smk_write_revoke_subj(struct file *file, const char __user *buf,
>
> if (copy_from_user(data, buf, count) != 0) {
> rc = -EFAULT;
> - goto free_out;
> + goto out_data;
> }
>
> cp = smk_parse_smack(data, count);
> if (IS_ERR(cp)) {
> rc = PTR_ERR(cp);
> - goto free_out;
> + goto out_data;
> }
>
> skp = smk_find_entry(cp);
> if (skp = NULL)
> - goto free_out;
> + goto out_cp;
>
> rule_list = &skp->smk_rules;
> rule_lock = &skp->smk_rules_lock;
> @@ -2299,9 +2299,11 @@ static ssize_t smk_write_revoke_subj(struct file *file, const char __user *buf,
>
> mutex_unlock(rule_lock);
>
> -free_out:
> - kfree(data);
> +out_cp:
> kfree(cp);
> +out_data:
> + kfree(data);
> +
> return rc;
> }
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
prev parent reply other threads:[~2015-06-12 20:00 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-11 8:51 [patch] Smack: freeing an error pointer in smk_write_revoke_subj() Dan Carpenter
2015-06-11 9:11 ` Lukasz Pawelczyk
2015-06-12 20:00 ` Casey Schaufler [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=557B3A45.2090908@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=kernel-janitors@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.