Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge tag 'selinux-pr-20200621' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
Pull SELinux fixes from Paul Moore:
"Three small patches to fix problems in the SELinux code, all found via
clang.
Two patches fix potential double-free conditions and one fixes an
undefined return value"
* tag 'selinux-pr-20200621' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
selinux: fix undefined return of cond_evaluate_expr
selinux: fix a double free in cond_read_node()/cond_read_list()
selinux: fix double free
+12
-13
+8
-13
security/selinux/ss/conditional.c
+8
-13
security/selinux/ss/conditional.c
···
27
27
int s[COND_EXPR_MAXDEPTH];
28
28
int sp = -1;
29
29
30
+
if (expr->len == 0)
31
+
return -1;
32
+
30
33
for (i = 0; i < expr->len; i++) {
31
34
struct cond_expr_node *node = &expr->nodes[i];
32
35
···
395
392
396
393
rc = next_entry(buf, fp, sizeof(u32) * 2);
397
394
if (rc)
398
-
goto err;
395
+
return rc;
399
396
400
397
expr->expr_type = le32_to_cpu(buf[0]);
401
398
expr->bool = le32_to_cpu(buf[1]);
402
399
403
-
if (!expr_node_isvalid(p, expr)) {
404
-
rc = -EINVAL;
405
-
goto err;
406
-
}
400
+
if (!expr_node_isvalid(p, expr))
401
+
return -EINVAL;
407
402
}
408
403
409
404
rc = cond_read_av_list(p, fp, &node->true_list, NULL);
410
405
if (rc)
411
-
goto err;
412
-
rc = cond_read_av_list(p, fp, &node->false_list, &node->true_list);
413
-
if (rc)
414
-
goto err;
415
-
return 0;
416
-
err:
417
-
cond_node_destroy(node);
418
-
return rc;
406
+
return rc;
407
+
return cond_read_av_list(p, fp, &node->false_list, &node->true_list);
419
408
}
420
409
421
410
int cond_read_list(struct policydb *p, void *fp)