From: Ondrej Mosnacek <omosnace(a)redhat.com>
mainline inclusion
from master
commit 6a1afffb08ce5f9fb9ccc20f7ab24846c0142984
category: bugfix
bugzilla: 120851
CVE: NA
---------------------------
The conversion to kvmalloc() forgot to account for the possibility that
p->type_attr_map_array might be null in policydb_destroy().
Fix this by destroying its contents only if it is not NULL.
Also make sure ebitmap_init() is called on all entries before
policydb_destroy() can be called. Right now this is a no-op, because
both kvcalloc() and ebitmap_init() just zero out the whole struct, but
let's rather not rely on a specific implementation.
Reported-by: syzbot+a57b2aff60832666fc28(a)syzkaller.appspotmail.com
Fixes: acdf52d97f82 ("selinux: convert to kvmalloc")
Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com>
Acked-by: Stephen Smalley <sds(a)tycho.nsa.gov>
Signed-off-by: Paul Moore <paul(a)paul-moore.com>
Signed-off-by: Wang Weiyang <wangweiyang2(a)huawei.com>
Conflicts:
security/selinux/ss/policydb.c
[ acdf52d97f82 is not applied so only half of this commit is used ]
Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com>
---
security/selinux/ss/policydb.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 91d259c87d10c..7fae43da8a647 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -2552,11 +2552,17 @@ int policydb_read(struct policydb *p, void *fp)
if (rc)
goto bad;
+ /* just in case ebitmap_init() becomes more than just a memset(0): */
for (i = 0; i < p->p_types.nprim; i++) {
struct ebitmap *e = flex_array_get(p->type_attr_map_array, i);
BUG_ON(!e);
ebitmap_init(e);
+ }
+
+ for (i = 0; i < p->p_types.nprim; i++) {
+ struct ebitmap *e = flex_array_get(p->type_attr_map_array, i);
+
if (p->policyvers >= POLICYDB_VERSION_AVTAB) {
rc = ebitmap_read(e, fp);
if (rc)
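Review bot: the comment added above the first loop gives only the ebitmap_init() rationale and does not say why the loop is split in two, which is the part a later reader is most likely to undo. The split matters because ebitmap_read() in the second loop can fail partway through the array, and per the commit message every entry has to be initialized before policydb_destroy() can be called. Suggest wording the comment along the lines of "initialize all entries first so policydb_destroy() never sees an uninitialized ebitmap if ebitmap_read() fails below". Second, the new loop fetches `struct ebitmap *e = flex_array_get(p->type_attr_map_array, i);` without the `BUG_ON(!e);` that the first loop keeps. That is safe only because the first loop has already walked the same indices, so either say so in a short comment or repeat the check for consistency. Finally, since the backport note says only half of the upstream commit is used, it would help to state in the changelog that the NULL check for type_attr_map_array in policydb_destroy() is not needed in this tree, because the message body still describes that part of the fix.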
--
2.25.1