Commit 023f108d authored Jun 07, 2017 by Paul Moore Committed by James Morris Jun 13, 2017

selinux: fix double free in selinux_parse_opts_str()

This patch is based on a discussion generated by an earlier patch
from Tetsuo Handa:

* https://marc.info/?t=149035659300001&r=1&w=2



The double free problem involves the mnt_opts field of the
security_mnt_opts struct, selinux_parse_opts_str() frees the memory
on error, but doesn't set the field to NULL so if the caller later
attempts to call security_free_mnt_opts() we trigger the problem.

In order to play it safe we change selinux_parse_opts_str() to call
security_free_mnt_opts() on error instead of free'ing the memory
directly.  This should ensure that everything is handled correctly,
regardless of what the caller may do.

Fixes: e0007529 ("LSM/SELinux: Interfaces to allow FS to control mount options")
Cc: stable@vger.kernel.org
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>

parent 63f700aa

security/selinux/hooks.c

+2 −3

Original line number	Diff line number	Diff line
		@@ -1106,10 +1106,8 @@ static int selinux_parse_opts_str(char *options,

		opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
		GFP_KERNEL);
		if (!opts->mnt_opts_flags) {
		kfree(opts->mnt_opts);
		if (!opts->mnt_opts_flags)
		goto out_err;
		}

		if (fscontext) {
		opts->mnt_opts[num_mnt_opts] = fscontext;
		@@ -1132,6 +1130,7 @@ static int selinux_parse_opts_str(char *options,
		return 0;

		out_err:
		security_free_mnt_opts(opts);
		kfree(context);
		kfree(defcontext);
		kfree(fscontext);

Admin message