[2.6 patch] security/selinux/netlabel.c: fix double free

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [2.6 patch] security/selinux/netlabel.c: fix double free
@ 2008-01-28 22:09 Adrian Bunk
  2008-01-28 22:23 ` Paul Moore
  0 siblings, 1 reply; 4+ messages in thread
From: Adrian Bunk @ 2008-01-28 22:09 UTC (permalink / raw)
  To: paul.moore, James Morris, sds, eparis; +Cc: netdev, linux-kernel

This patch fixes a double free (security_netlbl_sid_to_secattr() already 
calls netlbl_secattr_destroy() when it returns !0) introduced by
commit 45c950e0f839fded922ebc0bfd59b1081cc71b70 and spotted by the 
Coverity checker.

Signed-off-by: Adrian Bunk <bunk@kernel.org>

---
--- linux-2.6/security/selinux/netlabel.c.old	2008-01-23 00:38:19.000000000 +0200
+++ linux-2.6/security/selinux/netlabel.c	2008-01-23 00:39:09.000000000 +0200
@@ -58,22 +58,22 @@ static int selinux_netlbl_sock_setsid(st
 	rc = security_netlbl_sid_to_secattr(sid, &secattr);
 	if (rc != 0)
 		goto sock_setsid_return;
 	rc = netlbl_sock_setattr(sk, &secattr);
 	if (rc == 0) {
 		spin_lock_bh(&sksec->nlbl_lock);
 		sksec->nlbl_state = NLBL_LABELED;
 		spin_unlock_bh(&sksec->nlbl_lock);
 	}
 
-sock_setsid_return:
 	netlbl_secattr_destroy(&secattr);
+sock_setsid_return:
 	return rc;
 }
 
 /**
  * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache
  *
  * Description:
  * Invalidate the NetLabel security attribute mapping cache.
  *
  */

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [2.6 patch] security/selinux/netlabel.c: fix double free
  2008-01-28 22:09 [2.6 patch] security/selinux/netlabel.c: fix double free Adrian Bunk
@ 2008-01-28 22:23 ` Paul Moore
  2008-01-28 22:35   ` Adrian Bunk
  0 siblings, 1 reply; 4+ messages in thread
From: Paul Moore @ 2008-01-28 22:23 UTC (permalink / raw)
  To: Adrian Bunk; +Cc: James Morris, sds, eparis, netdev, linux-kernel

On Monday 28 January 2008 5:09:38 pm Adrian Bunk wrote:
> This patch fixes a double free (security_netlbl_sid_to_secattr()
> already calls netlbl_secattr_destroy() when it returns !0) introduced
> by commit 45c950e0f839fded922ebc0bfd59b1081cc71b70 and spotted by the
> Coverity checker.

Hi Adrian,

Thanks for finding this mistake, however, I'd rather see it fixed by 
removing the netlbl_secattr_destroy() call in 
security_netlbl_sid_to_secattr() as it really shouldn't be there 
anymore.  We moved the matching _init() call into 
selinux_netlbl_sock_setsid() and I'd like to see the _init() and 
_destroy() calls done in the same function.  I can push a revised patch 
for this if you would prefer, otherwise I'll be happy to ack an updated 
version ...

> Signed-off-by: Adrian Bunk <bunk@kernel.org>
>
> ---
> --- linux-2.6/security/selinux/netlabel.c.old	2008-01-23
> 00:38:19.000000000 +0200 +++
> linux-2.6/security/selinux/netlabel.c	2008-01-23 00:39:09.000000000
> +0200 @@ -58,22 +58,22 @@ static int selinux_netlbl_sock_setsid(st rc
> = security_netlbl_sid_to_secattr(sid, &secattr);
>  	if (rc != 0)
>  		goto sock_setsid_return;
>  	rc = netlbl_sock_setattr(sk, &secattr);
>  	if (rc == 0) {
>  		spin_lock_bh(&sksec->nlbl_lock);
>  		sksec->nlbl_state = NLBL_LABELED;
>  		spin_unlock_bh(&sksec->nlbl_lock);
>  	}
>
> -sock_setsid_return:
>  	netlbl_secattr_destroy(&secattr);
> +sock_setsid_return:
>  	return rc;
>  }
>
>  /**
>   * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache
>   *
>   * Description:
>   * Invalidate the NetLabel security attribute mapping cache.
>   *
>   */



-- 
paul moore
linux security @ hp

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [2.6 patch] security/selinux/netlabel.c: fix double free
  2008-01-28 22:23 ` Paul Moore
@ 2008-01-28 22:35   ` Adrian Bunk
  2008-01-28 22:39     ` Paul Moore
  0 siblings, 1 reply; 4+ messages in thread
From: Adrian Bunk @ 2008-01-28 22:35 UTC (permalink / raw)
  To: Paul Moore; +Cc: James Morris, sds, eparis, netdev, linux-kernel

On Mon, Jan 28, 2008 at 05:23:46PM -0500, Paul Moore wrote:
> On Monday 28 January 2008 5:09:38 pm Adrian Bunk wrote:
> > This patch fixes a double free (security_netlbl_sid_to_secattr()
> > already calls netlbl_secattr_destroy() when it returns !0) introduced
> > by commit 45c950e0f839fded922ebc0bfd59b1081cc71b70 and spotted by the
> > Coverity checker.
> 
> Hi Adrian,

Hi Paul,

> Thanks for finding this mistake, however, I'd rather see it fixed by 
> removing the netlbl_secattr_destroy() call in 
> security_netlbl_sid_to_secattr() as it really shouldn't be there 
> anymore.  We moved the matching _init() call into 
> selinux_netlbl_sock_setsid() and I'd like to see the _init() and 
> _destroy() calls done in the same function.  I can push a revised patch 
> for this if you would prefer, otherwise I'll be happy to ack an updated 
> version ...

doing the patch is trivial but you are able to write a better 
changelog for it - just push a revised patch.

> paul moore

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [2.6 patch] security/selinux/netlabel.c: fix double free
  2008-01-28 22:35   ` Adrian Bunk
@ 2008-01-28 22:39     ` Paul Moore
  0 siblings, 0 replies; 4+ messages in thread
From: Paul Moore @ 2008-01-28 22:39 UTC (permalink / raw)
  To: Adrian Bunk; +Cc: James Morris, sds, eparis, netdev, linux-kernel

On Monday 28 January 2008 5:35:40 pm Adrian Bunk wrote:
> On Mon, Jan 28, 2008 at 05:23:46PM -0500, Paul Moore wrote:
> > Thanks for finding this mistake, however, I'd rather see it fixed
> > by removing the netlbl_secattr_destroy() call in
> > security_netlbl_sid_to_secattr() as it really shouldn't be there
> > anymore.  We moved the matching _init() call into
> > selinux_netlbl_sock_setsid() and I'd like to see the _init() and
> > _destroy() calls done in the same function.  I can push a revised
> > patch for this if you would prefer, otherwise I'll be happy to ack
> > an updated version ...
>
> doing the patch is trivial but you are able to write a better
> changelog for it - just push a revised patch.

Will do, thanks.

-- 
paul moore
linux security @ hp

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2008-01-28 22:39 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-01-28 22:09 [2.6 patch] security/selinux/netlabel.c: fix double free Adrian Bunk
2008-01-28 22:23 ` Paul Moore
2008-01-28 22:35   ` Adrian Bunk
2008-01-28 22:39     ` Paul Moore

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).