From: Paul Moore Date: Wed, 7 Jun 2017 20:48:19 +0000 (-0400) Subject: selinux: fix double free in selinux_parse_opts_str() X-Git-Tag: v3.2.93~25 X-Git-Url: https://git.openpandora.org/cgi-bin/gitweb.cgi?p=pandora-kernel.git;a=commitdiff_plain;h=96769d9b5c25e842da75f720f7dc7c619a64b29b selinux: fix double free in selinux_parse_opts_str() commit 023f108dcc187e34ef864bf10ed966cf25e14e2a upstream. This patch is based on a discussion generated by an earlier patch from Tetsuo Handa: * https://marc.info/?t=149035659300001&r=1&w=2 The double free problem involves the mnt_opts field of the security_mnt_opts struct, selinux_parse_opts_str() frees the memory on error, but doesn't set the field to NULL so if the caller later attempts to call security_free_mnt_opts() we trigger the problem. In order to play it safe we change selinux_parse_opts_str() to call security_free_mnt_opts() on error instead of free'ing the memory directly. This should ensure that everything is handled correctly, regardless of what the caller may do. Fixes: e0007529893c1c06 ("LSM/SELinux: Interfaces to allow FS to control mount options") Cc: Tetsuo Handa Reported-by: Dmitry Vyukov Signed-off-by: Paul Moore Signed-off-by: James Morris [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings --- diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index c279f2f3372d..4c6a34700d49 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -911,10 +911,8 @@ static int selinux_parse_opts_str(char *options, goto out_err; opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC); - if (!opts->mnt_opts_flags) { - kfree(opts->mnt_opts); + if (!opts->mnt_opts_flags) goto out_err; - } if (fscontext) { opts->mnt_opts[num_mnt_opts] = fscontext; @@ -937,6 +935,7 @@ static int selinux_parse_opts_str(char *options, return 0; out_err: + security_free_mnt_opts(opts); kfree(context); kfree(defcontext); kfree(fscontext);