Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp9036928ybi;
        Fri, 7 Jun 2019 02:28:30 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxp480jcbsNHN3DTrEFXg1rGRYR5l8K0t/nM3UEqC3EkWDzabmTsXl3WngvCjrwB3w2pR7D
X-Received: by 2002:a17:90a:b908:: with SMTP id p8mr4419832pjr.94.1559899710529;
        Fri, 07 Jun 2019 02:28:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1559899710; cv=none;
        d=google.com; s=arc-20160816;
        b=MCaVTacj5CjgsD/vbPKt7bEAUMQBDIc8bgFE+8gaTTCB48m3jjX3e/+jGvfDLV7pP1
         9faWYjuMZBZi9pvnUVYEDcDSHe/wpPhntgVO4lFRa09GGhjYp1ulPCtaIG5IRLeSbdGH
         wdDWyEmt+E6i52WCLHjdgfg9aJnKODewHIQe8/U5R9RSlY0e8/8DzLPGDKIS/sTKdRnm
         8gwHUe1+zHZsB90jhow7VuNjsMAOmOleQXOKsbBGkSnpn6YEI0zjDJ/J0ZLcvOK1ngAM
         AOdgdgaz+JRt8AAZ9OYazlmb4c+IRJ81S5H8xrbdBLYkSH3be+3TdR752+Kk+KO/QWjV
         Nn5g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version;
        bh=IEBaZDPZd7L7KgNJ6ypOJKuSsVmtOiA4l4zYpRROEo0=;
        b=fA/99B4iaVpT92IRfc+PdIauvEVYSpf5dH5+jO2h4hRRdAWkWKGiU5Mw0Qc+ctctZU
         z0TPWTxAviLQ+ELQjHq8d2V6/YD0ZzKnc58y+DPSH6s8PpqRTRc1kLzQgrEw8n3+bSBY
         rd8pvOt1JShoyQlz9aRjidFlOPoquEwaagcbzeRVPRTUlwBUQFcPQkfP32IDJUyR4Qap
         x4/zyVV8F2Sg75ZmrXANz8gxvnNjyFdUpdteif0utDm1We0ib/q9Qzxc0TCicI33hcSo
         s7rDoXLGw5yiw0HrN6Pu299lYHHmj/3Tfjy048yUc4y23KCiLKusCf/zT4UPRTnZXhDY
         +Z3g==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a3si1363566plc.132.2019.06.07.02.28.13;
        Fri, 07 Jun 2019 02:28:30 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727263AbfFGIjR (ORCPT <rfc822;busarih159@gmail.com>
        + 99 others); Fri, 7 Jun 2019 04:39:17 -0400
Received: from mail-ot1-f68.google.com ([209.85.210.68]:46465 "EHLO
        mail-ot1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726531AbfFGIjR (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 7 Jun 2019 04:39:17 -0400
Received: by mail-ot1-f68.google.com with SMTP id z23so1101662ote.13
        for <linux-kernel@vger.kernel.org>; Fri, 07 Jun 2019 01:39:16 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=IEBaZDPZd7L7KgNJ6ypOJKuSsVmtOiA4l4zYpRROEo0=;
        b=DbdAgu3bYlD/oQ38raLvIjWTZ7zC/dDBv/VSsm2YX532ls+htAGgrnpdrxXDPUlNET
         stzT4uBln9ynZX2SUzP1QMCCoTroHW04EgmNiBfvvP9AW3DNDIKwJLkpfnlJzUu3rWJL
         i9t/cP+PWms9g23XTnIHSQEoGBgyt64RmkPKiPOApghp30EtIR/0gSNnJ/ZrDqjk7O4X
         7nZjCs3NiwbNuxWiF6k/PQH0WHYW2RUQ/nXd3cskZ+R9BRBvuJfWfkTE1XK4jaKjNJD0
         PsoAZ63E9817K/BHM0RXVvdmuoPLESRxDti7Zi7JwCEzdhYUbQ/gYMH0Zh/u2bN8ZJAr
         1HmA==
X-Gm-Message-State: APjAAAVx9CMeI7hwQEtTGgI6S3ZykLFdJaTO84YmbxjIBGbAUgJXJwWo
        lZ3m85PO+MBINXa9nvcHOJdmqE2ji47SxzYC48Mu5tCNdKA=
X-Received: by 2002:a9d:6a8a:: with SMTP id l10mr8355597otq.197.1559896755579;
 Fri, 07 Jun 2019 01:39:15 -0700 (PDT)
MIME-Version: 1.0
References: <20190606092342.GA21672@zhanggen-UX430UQ>
In-Reply-To: <20190606092342.GA21672@zhanggen-UX430UQ>
From:   Ondrej Mosnacek <omosnace@redhat.com>
Date:   Fri, 7 Jun 2019 10:39:05 +0200
Message-ID: <CAFqZXNuricWOMH3fQiCbPZyz2qwf7Gw1zmx1o+wLeTELSF=CUQ@mail.gmail.com>
Subject: Re: [PATCH v3] selinux: lsm: fix a missing-check bug in
 selinux_add_mnt_opt( )
To:     Gen Zhang <blackgod016574@gmail.com>
Cc:     Paul Moore <paul@paul-moore.com>,
        Stephen Smalley <sds@tycho.nsa.gov>,
        Eric Paris <eparis@parisplace.org>, selinux@vger.kernel.org,
        Linux kernel mailing list <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jun 6, 2019 at 11:23 AM Gen Zhang <blackgod016574@gmail.com> wrote:
> In selinux_add_mnt_opt(), 'val' is allocated by kmemdup_nul(). It returns
> NULL when fails. So 'val' should be checked. And 'mnt_opts' should be
> freed when error.
>
> Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
> Fixes: 757cbe597fe8 ("LSM: new method: ->sb_add_mnt_opt()")
> ---
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 3ec702c..4e4c1c6 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1052,15 +1052,23 @@ static int selinux_add_mnt_opt(const char *option, const char *val, int len,
>         if (token == Opt_error)
>                 return -EINVAL;
>
> -       if (token != Opt_seclabel)
> -               val = kmemdup_nul(val, len, GFP_KERNEL);
> +       if (token != Opt_seclabel) {
> +                       val = kmemdup_nul(val, len, GFP_KERNEL);
> +                       if (!val) {
> +                               rc = -ENOMEM;
> +                               goto free_opt;
> +                       }
> +       }
>         rc = selinux_add_opt(token, val, mnt_opts);
>         if (unlikely(rc)) {
>                 kfree(val);
> -               if (*mnt_opts) {
> -                       selinux_free_mnt_opts(*mnt_opts);
> -                       *mnt_opts = NULL;
> -               }
> +               goto free_opt;
> +       }
> +       return rc;

At this point rc is guaranteed to be 0, so you can just 'return 0' for
clarity. Also, I visually prefer an empty line between a return
statement and a goto label, but I'm not sure what is the
general/maintainer's preference.

Also, you should drop the "lsm: " from the subject - it is redundant
and doesn't follow the SELinux convention. See `git log --oneline --
security/selinux/` for what the subjects usually look like - mostly we
just go with "selinux: <description>" (or "LSM: <description>" when
the changes affect the shared LSM interface).

> +free_opt:
> +       if (*mnt_opts) {
> +               selinux_free_mnt_opts(*mnt_opts);
> +               *mnt_opts = NULL;
>         }
>         return rc;
>  }

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.