2008-01-28 22:09:29

by Adrian Bunk

[permalink] [raw]
Subject: [2.6 patch] security/selinux/netlabel.c: fix double free

This patch fixes a double free (security_netlbl_sid_to_secattr() already
calls netlbl_secattr_destroy() when it returns !0) introduced by
commit 45c950e0f839fded922ebc0bfd59b1081cc71b70 and spotted by the
Coverity checker.

Signed-off-by: Adrian Bunk <[email protected]>

---
--- linux-2.6/security/selinux/netlabel.c.old 2008-01-23 00:38:19.000000000 +0200
+++ linux-2.6/security/selinux/netlabel.c 2008-01-23 00:39:09.000000000 +0200
@@ -58,22 +58,22 @@ static int selinux_netlbl_sock_setsid(st
rc = security_netlbl_sid_to_secattr(sid, &secattr);
if (rc != 0)
goto sock_setsid_return;
rc = netlbl_sock_setattr(sk, &secattr);
if (rc == 0) {
spin_lock_bh(&sksec->nlbl_lock);
sksec->nlbl_state = NLBL_LABELED;
spin_unlock_bh(&sksec->nlbl_lock);
}

-sock_setsid_return:
netlbl_secattr_destroy(&secattr);
+sock_setsid_return:
return rc;
}

/**
* selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache
*
* Description:
* Invalidate the NetLabel security attribute mapping cache.
*
*/


2008-01-28 22:24:28

by Paul Moore

[permalink] [raw]
Subject: Re: [2.6 patch] security/selinux/netlabel.c: fix double free

On Monday 28 January 2008 5:09:38 pm Adrian Bunk wrote:
> This patch fixes a double free (security_netlbl_sid_to_secattr()
> already calls netlbl_secattr_destroy() when it returns !0) introduced
> by commit 45c950e0f839fded922ebc0bfd59b1081cc71b70 and spotted by the
> Coverity checker.

Hi Adrian,

Thanks for finding this mistake, however, I'd rather see it fixed by
removing the netlbl_secattr_destroy() call in
security_netlbl_sid_to_secattr() as it really shouldn't be there
anymore. We moved the matching _init() call into
selinux_netlbl_sock_setsid() and I'd like to see the _init() and
_destroy() calls done in the same function. I can push a revised patch
for this if you would prefer, otherwise I'll be happy to ack an updated
version ...

> Signed-off-by: Adrian Bunk <[email protected]>
>
> ---
> --- linux-2.6/security/selinux/netlabel.c.old 2008-01-23
> 00:38:19.000000000 +0200 +++
> linux-2.6/security/selinux/netlabel.c 2008-01-23 00:39:09.000000000
> +0200 @@ -58,22 +58,22 @@ static int selinux_netlbl_sock_setsid(st rc
> = security_netlbl_sid_to_secattr(sid, &secattr);
> if (rc != 0)
> goto sock_setsid_return;
> rc = netlbl_sock_setattr(sk, &secattr);
> if (rc == 0) {
> spin_lock_bh(&sksec->nlbl_lock);
> sksec->nlbl_state = NLBL_LABELED;
> spin_unlock_bh(&sksec->nlbl_lock);
> }
>
> -sock_setsid_return:
> netlbl_secattr_destroy(&secattr);
> +sock_setsid_return:
> return rc;
> }
>
> /**
> * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache
> *
> * Description:
> * Invalidate the NetLabel security attribute mapping cache.
> *
> */



--
paul moore
linux security @ hp

2008-01-28 22:39:31

by Paul Moore

[permalink] [raw]
Subject: Re: [2.6 patch] security/selinux/netlabel.c: fix double free

On Monday 28 January 2008 5:35:40 pm Adrian Bunk wrote:
> On Mon, Jan 28, 2008 at 05:23:46PM -0500, Paul Moore wrote:
> > Thanks for finding this mistake, however, I'd rather see it fixed
> > by removing the netlbl_secattr_destroy() call in
> > security_netlbl_sid_to_secattr() as it really shouldn't be there
> > anymore. We moved the matching _init() call into
> > selinux_netlbl_sock_setsid() and I'd like to see the _init() and
> > _destroy() calls done in the same function. I can push a revised
> > patch for this if you would prefer, otherwise I'll be happy to ack
> > an updated version ...
>
> doing the patch is trivial but you are able to write a better
> changelog for it - just push a revised patch.

Will do, thanks.

--
paul moore
linux security @ hp

2008-01-28 22:35:30

by Adrian Bunk

[permalink] [raw]
Subject: Re: [2.6 patch] security/selinux/netlabel.c: fix double free

On Mon, Jan 28, 2008 at 05:23:46PM -0500, Paul Moore wrote:
> On Monday 28 January 2008 5:09:38 pm Adrian Bunk wrote:
> > This patch fixes a double free (security_netlbl_sid_to_secattr()
> > already calls netlbl_secattr_destroy() when it returns !0) introduced
> > by commit 45c950e0f839fded922ebc0bfd59b1081cc71b70 and spotted by the
> > Coverity checker.
>
> Hi Adrian,

Hi Paul,

> Thanks for finding this mistake, however, I'd rather see it fixed by
> removing the netlbl_secattr_destroy() call in
> security_netlbl_sid_to_secattr() as it really shouldn't be there
> anymore. We moved the matching _init() call into
> selinux_netlbl_sock_setsid() and I'd like to see the _init() and
> _destroy() calls done in the same function. I can push a revised patch
> for this if you would prefer, otherwise I'll be happy to ack an updated
> version ...

doing the patch is trivial but you are able to write a better
changelog for it - just push a revised patch.

> paul moore

cu
Adrian

--

"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed