selinux: fix NULL dereference in policydb_destroy() (6a1afffb) · Commits · e / devices / android_kernel_fairphone_FP5

The conversion to kvmalloc() forgot to account for the possibility that p->type_attr_map_array might be null in policydb_destroy(). Fix this by destroying its contents only if it is not NULL. Also make sure ebitmap_init() is called on all entries before policydb_destroy() can be called. Right now this is a no-op, because both kvcalloc() and ebitmap_init() just zero out the whole struct, but let's rather not rely on a specific implementation. Reported-by:

<syzbot+a57b2aff60832666fc28@syzkaller.appspotmail.com> Fixes: ("selinux: convert to kvmalloc") Signed-off-by:

Ondrej Mosnacek <omosnace@redhat.com> Acked-by:

Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by:

Paul Moore <paul@paul-moore.com>

security/selinux/ss/policydb.c

+9 −4

Original line number	Diff line number	Diff line
		@@ -828,9 +828,11 @@ void policydb_destroy(struct policydb *p)
		hashtab_map(p->range_tr, range_tr_destroy, NULL);
		hashtab_destroy(p->range_tr);

		if (p->type_attr_map_array) {
		for (i = 0; i < p->p_types.nprim; i++)
		ebitmap_destroy(&p->type_attr_map_array[i]);
		kvfree(p->type_attr_map_array);
		}

		ebitmap_destroy(&p->filename_trans_ttypes);
		ebitmap_destroy(&p->policycaps);
		@@ -2496,10 +2498,13 @@ int policydb_read(struct policydb p, void fp)
		if (!p->type_attr_map_array)
		goto bad;

		/* just in case ebitmap_init() becomes more than just a memset(0): */
		for (i = 0; i < p->p_types.nprim; i++)
		ebitmap_init(&p->type_attr_map_array[i]);

		for (i = 0; i < p->p_types.nprim; i++) {
		struct ebitmap *e = &p->type_attr_map_array[i];

		ebitmap_init(e);
		if (p->policyvers >= POLICYDB_VERSION_AVTAB) {
		rc = ebitmap_read(e, fp);
		if (rc)