SELinux: fix array out of bounds when mounting with selinux options

Given an illegal selinux option it was possible for match_token to work in random memory at the end of the match_table_t array. Note that privilege is required to perform a context mount, so this issue is effectively limited to root only. Signed-off-by: Eric Paris <[email protected]> Acked-by: Stephen Smalley <[email protected]> Signed-off-by: James Morris <[email protected]>
iegor · Sep 19, 2007 · 31e8793 · 31e8793
1 parent a88a8ef
commit 31e8793
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
@@ -316,6 +316,7 @@ static inline int inode_doinit(struct inode *inode)
 }
 
 enum {
+	Opt_error = -1,
 	Opt_context = 1,
 	Opt_fscontext = 2,
 	Opt_defcontext = 4,
@@ -327,6 +328,7 @@ static match_table_t tokens = {
 	{Opt_fscontext, "fscontext=%s"},
 	{Opt_defcontext, "defcontext=%s"},
 	{Opt_rootcontext, "rootcontext=%s"},
+	{Opt_error, NULL},
 };
 
 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"