 
From: Ondrej Mosnacek <omosnace@redhat.com>

mainline inclusion
from master
commit 6a1afffb08ce5f9fb9ccc20f7ab24846c0142984
category: bugfix
bugzilla: 120851
CVE: NA

---------------------------

The conversion to kvmalloc() forgot to account for the possibility that p->type_attr_map_array might be null in policydb_destroy(). Fix this by destroying its contents only if it is not NULL.

Also make sure ebitmap_init() is called on all entries before policydb_destroy() can be called. Right now this is a no-op, because both kvcalloc() and ebitmap_init() just zero out the whole struct, but let's rather not rely on a specific implementation.

Reported-by: syzbot+a57b2aff60832666fc28@syzkaller.appspotmail.com
Fixes: acdf52d97f82 ("selinux: convert to kvmalloc")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Wang Weiyang <wangweiyang2@huawei.com>
Conflicts:
	security/selinux/ss/policydb.c
[ acdf52d97f82 is not applied so only half of this commit is used ]
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 security/selinux/ss/policydb.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 91d259c87d10c..7fae43da8a647 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -2552,11 +2552,17 @@ int policydb_read(struct policydb *p, void *fp) if (rc) goto bad; + /* just in case ebitmap_init() becomes more than just a memset(0): */ for (i = 0; i < p->p_types.nprim; i++) { struct ebitmap *e = flex_array_get(p->type_attr_map_array, i); BUG_ON(!e); ebitmap_init(e); + } + + for (i = 0; i < p->p_types.nprim; i++) { + struct ebitmap *e = flex_array_get(p->type_attr_map_array, i); + if (p->policyvers >= POLICYDB_VERSION_AVTAB) { rc = ebitmap_read(e, fp); if (rc) -- 2.25.1
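Review bot: The comment added above the first loop, `/* just in case ebitmap_init() becomes more than just a memset(0): */`, undersells why the loop is being split in two. The actual reason, per the commit message, is that every entry of type_attr_map_array must have been through ebitmap_init() before the first ebitmap_read() can fail with `goto bad` and policydb_destroy() walks the whole array; with a single loop, entries after the failing index would be torn down uninitialized. Suggest the comment say exactly that, e.g. `/* init every entry first: ebitmap_read() below may fail and policydb_destroy() will walk all of them */`, so a later cleanup does not re-merge the two loops. Minor: the second loop re-fetches `e` with flex_array_get() but drops the `BUG_ON(!e)`; that is acceptable since the first loop already validated every index, but a short comment noting the dependency would make it obvious. Also worth noting in the backport text: since acdf52d97f82 is not applied here, the NULL check in policydb_destroy() from the upstream commit is intentionally absent, so only the init-ordering half of the fix lands in this tree.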