Skip to content

Commit

Permalink
selinux: fix NULL dereference in policydb_destroy()
Browse files Browse the repository at this point in the history
The conversion to kvmalloc() forgot to account for the possibility that
p->type_attr_map_array might be null in policydb_destroy().

Fix this by destroying its contents only if it is not NULL.

Also make sure ebitmap_init() is called on all entries before
policydb_destroy() can be called. Right now this is a no-op, because
both kvcalloc() and ebitmap_init() just zero out the whole struct, but
let's rather not rely on a specific implementation.

Reported-by: [email protected]
Fixes: acdf52d ("selinux: convert to kvmalloc")
Signed-off-by: Ondrej Mosnacek <[email protected]>
Acked-by: Stephen Smalley <[email protected]>
Signed-off-by: Paul Moore <[email protected]>
  • Loading branch information
WOnder93 authored and pcmoore committed Mar 18, 2019
1 parent 9e98c67 commit 6a1afff
Showing 1 changed file with 9 additions and 4 deletions.
13 changes: 9 additions & 4 deletions security/selinux/ss/policydb.c
Original file line number Diff line number Diff line change
Expand Up @@ -828,9 +828,11 @@ void policydb_destroy(struct policydb *p)
hashtab_map(p->range_tr, range_tr_destroy, NULL);
hashtab_destroy(p->range_tr);

for (i = 0; i < p->p_types.nprim; i++)
ebitmap_destroy(&p->type_attr_map_array[i]);
kvfree(p->type_attr_map_array);
if (p->type_attr_map_array) {
for (i = 0; i < p->p_types.nprim; i++)
ebitmap_destroy(&p->type_attr_map_array[i]);
kvfree(p->type_attr_map_array);
}

ebitmap_destroy(&p->filename_trans_ttypes);
ebitmap_destroy(&p->policycaps);
Expand Down Expand Up @@ -2496,10 +2498,13 @@ int policydb_read(struct policydb *p, void *fp)
if (!p->type_attr_map_array)
goto bad;

/* just in case ebitmap_init() becomes more than just a memset(0): */
for (i = 0; i < p->p_types.nprim; i++)
ebitmap_init(&p->type_attr_map_array[i]);

for (i = 0; i < p->p_types.nprim; i++) {
struct ebitmap *e = &p->type_attr_map_array[i];

ebitmap_init(e);
if (p->policyvers >= POLICYDB_VERSION_AVTAB) {
rc = ebitmap_read(e, fp);
if (rc)
Expand Down

0 comments on commit 6a1afff

Please sign in to comment.