[PATCH v2] selinux: fix sel_read_bool() allocation and error handling

selinux.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH v2] selinux: fix sel_read_bool() allocation and error handling
@ 2025-09-02 13:11 Stephen Smalley
  2025-09-03 21:34 ` Paul Moore
  0 siblings, 1 reply; 2+ messages in thread
From: Stephen Smalley @ 2025-09-02 13:11 UTC (permalink / raw)
  To: selinux; +Cc: paul, omosnace, willy, vishal.moola, david, mst, Stephen Smalley

Switch sel_read_bool() from using get_zeroed_page() and free_page()
to a stack-allocated buffer. This also fixes a memory leak in the
error path when security_get_bool_value() returns an error.

Reported-by: Matthew Wilcox <willy@infradead.org>
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 security/selinux/selinuxfs.c | 18 +++++-------------
 1 file changed, 5 insertions(+), 13 deletions(-)

diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 9aa1d03ab612..232e087bce3e 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -1203,7 +1203,7 @@ static ssize_t sel_read_bool(struct file *filep, char __user *buf,
 			     size_t count, loff_t *ppos)
 {
 	struct selinux_fs_info *fsi = file_inode(filep)->i_sb->s_fs_info;
-	char *page = NULL;
+	char buffer[4];
 	ssize_t length;
 	ssize_t ret;
 	int cur_enforcing;
@@ -1217,27 +1217,19 @@ static ssize_t sel_read_bool(struct file *filep, char __user *buf,
 					     fsi->bool_pending_names[index]))
 		goto out_unlock;
 
-	ret = -ENOMEM;
-	page = (char *)get_zeroed_page(GFP_KERNEL);
-	if (!page)
-		goto out_unlock;
-
 	cur_enforcing = security_get_bool_value(index);
 	if (cur_enforcing < 0) {
 		ret = cur_enforcing;
 		goto out_unlock;
 	}
-	length = scnprintf(page, PAGE_SIZE, "%d %d", cur_enforcing,
-			  fsi->bool_pending_values[index]);
+	length = scnprintf(buffer, sizeof(buffer), "%d %d", !!cur_enforcing,
+			  !!fsi->bool_pending_values[index]);
 	mutex_unlock(&selinux_state.policy_mutex);
-	ret = simple_read_from_buffer(buf, count, ppos, page, length);
-out_free:
-	free_page((unsigned long)page);
-	return ret;
+	return simple_read_from_buffer(buf, count, ppos, buffer, length);
 
 out_unlock:
 	mutex_unlock(&selinux_state.policy_mutex);
-	goto out_free;
+	return ret;
 }
 
 static ssize_t sel_write_bool(struct file *filep, const char __user *buf,
-- 
2.51.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH v2] selinux: fix sel_read_bool() allocation and error  handling
  2025-09-02 13:11 [PATCH v2] selinux: fix sel_read_bool() allocation and error handling Stephen Smalley
@ 2025-09-03 21:34 ` Paul Moore
  0 siblings, 0 replies; 2+ messages in thread
From: Paul Moore @ 2025-09-03 21:34 UTC (permalink / raw)
  To: Stephen Smalley, selinux
  Cc: omosnace, willy, vishal.moola, david, mst, Stephen Smalley

On Sep  2, 2025 Stephen Smalley <stephen.smalley.work@gmail.com> wrote:
> 
> Switch sel_read_bool() from using get_zeroed_page() and free_page()
> to a stack-allocated buffer. This also fixes a memory leak in the
> error path when security_get_bool_value() returns an error.
> 
> Reported-by: Matthew Wilcox <willy@infradead.org>
> Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> ---
>  security/selinux/selinuxfs.c | 18 +++++-------------
>  1 file changed, 5 insertions(+), 13 deletions(-)

Merged into selinux/dev, thanks!

--
paul-moore.com

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2025-09-03 21:34 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-09-02 13:11 [PATCH v2] selinux: fix sel_read_bool() allocation and error handling Stephen Smalley
2025-09-03 21:34 ` Paul Moore

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).