From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: selinux@vger.kernel.org
Cc: paul@paul-moore.com, omosnace@redhat.com, willy@infradead.org,
vishal.moola@gmail.com, david@redhat.com, mst@redhat.com,
Stephen Smalley <stephen.smalley.work@gmail.com>
Subject: [PATCH] selinux: fix sel_read_bool() allocation and error handling
Date: Fri, 29 Aug 2025 10:10:01 -0400
Message-ID: <20250829141000.13795-2-stephen.smalley.work@gmail.com>
Switch sel_read_bool() from using get_zeroed_page() and free_page()
to kzalloc() and kfree(), and fix the error path to free the buffer
when security_get_bool_value() returns an error.
Reported-by: Matthew Wilcox <willy@infradead.org>
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
Could likely just use kmalloc() as suggested but being conservative.
Double NOT also likely unnecessary since values are sanitized on
input but likewise being conservative. We obviously have more places
to fix in selinuxfs.
security/selinux/selinuxfs.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 9aa1d03ab612..e90990c57bd1 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -1203,7 +1203,8 @@ static ssize_t sel_read_bool(struct file *filep, char __user *buf,
size_t count, loff_t *ppos)
{
struct selinux_fs_info *fsi = file_inode(filep)->i_sb->s_fs_info;
- char *page = NULL;
+ char *buffer = NULL;
+ size_t size;
ssize_t length;
ssize_t ret;
int cur_enforcing;
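Review bot: `size_t size;` in the declarations is only ever given the constant 4 later in the function, and that 4 is exactly "0 1" plus the NUL terminator, so it is correct only while both arguments stay clamped with `!!`. Since scnprintf() truncates silently, a later change that drops the `!!` would shorten the output without any error. Consider a named constant or `sizeof("0 1")` with a comment that mentions the terminator, or a `char buffer[4]` on the stack, which would drop the allocation and its -ENOMEM path entirely.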
@@ -1218,21 +1219,22 @@ static ssize_t sel_read_bool(struct file *filep, char __user *buf,
goto out_unlock;
ret = -ENOMEM;
- page = (char *)get_zeroed_page(GFP_KERNEL);
- if (!page)
+ size = 4; /* 0|1 0|1 */
+ buffer = kzalloc(size, GFP_KERNEL);
+ if (!buffer)
goto out_unlock;
cur_enforcing = security_get_bool_value(index);
if (cur_enforcing < 0) {
ret = cur_enforcing;
- goto out_unlock;
+ goto out_free;
}
- length = scnprintf(page, PAGE_SIZE, "%d %d", cur_enforcing,
- fsi->bool_pending_values[index]);
+ length = scnprintf(buffer, size, "%d %d", !!cur_enforcing,
+ !!fsi->bool_pending_values[index]);
mutex_unlock(&selinux_state.policy_mutex);
- ret = simple_read_from_buffer(buf, count, ppos, page, length);
+ ret = simple_read_from_buffer(buf, count, ppos, buffer, length);
out_free:
- free_page((unsigned long)page);
+ kfree(buffer);
return ret;
out_unlock:
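Review bot: The new `goto out_free` in the `cur_enforcing < 0` branch reaches `kfree(buffer); return ret;` without passing a `mutex_unlock(&selinux_state.policy_mutex)`, whereas the success path unlocks just before `simple_read_from_buffer()` and the earlier failures in this function still use `goto out_unlock`. If the `out_unlock:` body (cut off after this hunk) unlocks and then jumps to `out_free`, the old `goto out_unlock` already freed the buffer and this change would return with policy_mutex held. Either keep `goto out_unlock` or unlock before jumping, and please check the changelog's claim about the error path against the full function.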
--
2.51.0