From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:37600 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751727AbdFRBFP (ORCPT ); Sat, 17 Jun 2017 21:05:15 -0400 Subject: Patch "selinux: fix double free in selinux_parse_opts_str()" has been added to the 4.11-stable tree To: paul@paul-moore.com, dvyukov@google.com, gregkh@linuxfoundation.org, james.l.morris@oracle.com, penguin-kernel@I-love.SAKURA.ne.jp Cc: , From: Date: Sun, 18 Jun 2017 09:03:42 +0800 Message-ID: <14977478225383@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled selinux: fix double free in selinux_parse_opts_str() to the 4.11-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: selinux-fix-double-free-in-selinux_parse_opts_str.patch and it can be found in the queue-4.11 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From 023f108dcc187e34ef864bf10ed966cf25e14e2a Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Wed, 7 Jun 2017 16:48:19 -0400 Subject: selinux: fix double free in selinux_parse_opts_str() From: Paul Moore commit 023f108dcc187e34ef864bf10ed966cf25e14e2a upstream. This patch is based on a discussion generated by an earlier patch from Tetsuo Handa: * https://marc.info/?t=149035659300001&r=1&w=2 The double free problem involves the mnt_opts field of the security_mnt_opts struct, selinux_parse_opts_str() frees the memory on error, but doesn't set the field to NULL so if the caller later attempts to call security_free_mnt_opts() we trigger the problem. In order to play it safe we change selinux_parse_opts_str() to call security_free_mnt_opts() on error instead of free'ing the memory directly. This should ensure that everything is handled correctly, regardless of what the caller may do. Fixes: e0007529893c1c06 ("LSM/SELinux: Interfaces to allow FS to control mount options") Cc: Tetsuo Handa Reported-by: Dmitry Vyukov Signed-off-by: Paul Moore Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman --- security/selinux/hooks.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1106,10 +1106,8 @@ static int selinux_parse_opts_str(char * opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_KERNEL); - if (!opts->mnt_opts_flags) { - kfree(opts->mnt_opts); + if (!opts->mnt_opts_flags) goto out_err; - } if (fscontext) { opts->mnt_opts[num_mnt_opts] = fscontext; @@ -1132,6 +1130,7 @@ static int selinux_parse_opts_str(char * return 0; out_err: + security_free_mnt_opts(opts); kfree(context); kfree(defcontext); kfree(fscontext); Patches currently in stable-queue which might be from paul@paul-moore.com are queue-4.11/selinux-fix-double-free-in-selinux_parse_opts_str.patch