* [PATCH AUTOSEL 5.18 50/53] selinux: fix memleak in security_read_state_kernel()
[not found] <20220808013350.314757-1-sashal@kernel.org>
@ 2022-08-08 1:33 ` Sasha Levin
2022-08-08 1:33 ` [PATCH AUTOSEL 5.18 51/53] selinux: Add boundary check in put_entry() Sasha Levin
1 sibling, 0 replies; 2+ messages in thread
From: Sasha Levin @ 2022-08-08 1:33 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Xiu Jianfeng, Paul Moore, Sasha Levin, stephen.smalley.work,
eparis, cgzones, omosnace, michalorzel.eng, selinux
From: Xiu Jianfeng <xiujianfeng@huawei.com>
[ Upstream commit 73de1befcc53a7c68b0c5e76b9b5ac41c517760f ]
In this function, it directly returns the result of __security_read_policy
without freeing the allocated memory in *data, cause memory leak issue,
so free the memory if __security_read_policy failed.
Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
[PM: subject line tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/selinux/ss/services.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 6901dc07680d..cad54f454d01 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -4049,6 +4049,7 @@ int security_read_policy(struct selinux_state *state,
int security_read_state_kernel(struct selinux_state *state,
void **data, size_t *len)
{
+ int err;
struct selinux_policy *policy;
policy = rcu_dereference_protected(
@@ -4061,5 +4062,11 @@ int security_read_state_kernel(struct selinux_state *state,
if (!*data)
return -ENOMEM;
- return __security_read_policy(policy, *data, len);
+ err = __security_read_policy(policy, *data, len);
+ if (err) {
+ vfree(*data);
+ *data = NULL;
+ *len = 0;
+ }
+ return err;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [PATCH AUTOSEL 5.18 51/53] selinux: Add boundary check in put_entry()
[not found] <20220808013350.314757-1-sashal@kernel.org>
2022-08-08 1:33 ` [PATCH AUTOSEL 5.18 50/53] selinux: fix memleak in security_read_state_kernel() Sasha Levin
@ 2022-08-08 1:33 ` Sasha Levin
1 sibling, 0 replies; 2+ messages in thread
From: Sasha Levin @ 2022-08-08 1:33 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Xiu Jianfeng, Paul Moore, Sasha Levin, stephen.smalley.work,
eparis, selinux
From: Xiu Jianfeng <xiujianfeng@huawei.com>
[ Upstream commit 15ec76fb29be31df2bccb30fc09875274cba2776 ]
Just like next_entry(), boundary check is necessary to prevent memory
out-of-bound access.
Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/selinux/ss/policydb.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
index c24d4e1063ea..ffc4e7bad205 100644
--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -370,6 +370,8 @@ static inline int put_entry(const void *buf, size_t bytes, int num, struct polic
{
size_t len = bytes * num;
+ if (len > fp->len)
+ return -EINVAL;
memcpy(fp->data, buf, len);
fp->data += len;
fp->len -= len;
--
2.35.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-08-08 1:44 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20220808013350.314757-1-sashal@kernel.org>
2022-08-08 1:33 ` [PATCH AUTOSEL 5.18 50/53] selinux: fix memleak in security_read_state_kernel() Sasha Levin
2022-08-08 1:33 ` [PATCH AUTOSEL 5.18 51/53] selinux: Add boundary check in put_entry() Sasha Levin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).