From: Ondrej Mosnacek omosnace@redhat.com
mainline inclusion from master commit 6a1afffb08ce5f9fb9ccc20f7ab24846c0142984 category: bugfix bugzilla: 120851 CVE: NA
---------------------------
The conversion to kvmalloc() forgot to account for the possibility that p->type_attr_map_array might be null in policydb_destroy().
Fix this by destroying its contents only if it is not NULL.
Also make sure ebitmap_init() is called on all entries before policydb_destroy() can be called. Right now this is a no-op, because both kvcalloc() and ebitmap_init() just zero out the whole struct, but let's rather not rely on a specific implementation.
Reported-by: syzbot+a57b2aff60832666fc28@syzkaller.appspotmail.com Fixes: acdf52d97f82 ("selinux: convert to kvmalloc") Signed-off-by: Ondrej Mosnacek omosnace@redhat.com Acked-by: Stephen Smalley sds@tycho.nsa.gov Signed-off-by: Paul Moore paul@paul-moore.com Signed-off-by: Wang Weiyang wangweiyang2@huawei.com Conflicts: security/selinux/ss/policydb.c [ acdf52d97f82 is not applied so only half of this commit is used ] Reviewed-by: Xiu Jianfeng xiujianfeng@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- security/selinux/ss/policydb.c | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 91d259c87d10c..7fae43da8a647 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -2552,11 +2552,17 @@ int policydb_read(struct policydb *p, void *fp) if (rc) goto bad;
+ /* just in case ebitmap_init() becomes more than just a memset(0): */ for (i = 0; i < p->p_types.nprim; i++) { struct ebitmap *e = flex_array_get(p->type_attr_map_array, i);
BUG_ON(!e); ebitmap_init(e); + } + + for (i = 0; i < p->p_types.nprim; i++) { + struct ebitmap *e = flex_array_get(p->type_attr_map_array, i); + if (p->policyvers >= POLICYDB_VERSION_AVTAB) { rc = ebitmap_read(e, fp); if (rc)