selinux: fix a missing-check bug in selinux_sb_eat_lsm_opts() (fec63753) · Commits · e / devices / android_kernel_fairphone_FP5

security/selinux/hooks.c

+14 −6

Original line number	Original line	Diff line number	Diff line
	@@ -2625,10 +2625,11 @@ static int selinux_sb_eat_lsm_opts(char options, void *mnt_opts)
	char *from = options;		char *from = options;
	char *to = options;		char *to = options;
	bool first = true;		bool first = true;
			int rc;

	while (1) {		while (1) {
	int len = opt_len(from);		int len = opt_len(from);
	int token, rc;		int token;
	char *arg = NULL;		char *arg = NULL;

	token = match_opt_prefix(from, len, &arg);		token = match_opt_prefix(from, len, &arg);
	@@ -2644,15 +2645,15 @@ static int selinux_sb_eat_lsm_opts(char options, void *mnt_opts)
	*q++ = c;		*q++ = c;
	}		}
	arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);		arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
			if (!arg) {
			rc = -ENOMEM;
			goto free_opt;
			}
	}		}
	rc = selinux_add_opt(token, arg, mnt_opts);		rc = selinux_add_opt(token, arg, mnt_opts);
	if (unlikely(rc)) {		if (unlikely(rc)) {
	kfree(arg);		kfree(arg);
	if (*mnt_opts) {		goto free_opt;
	selinux_free_mnt_opts(*mnt_opts);
	*mnt_opts = NULL;
	}
	return rc;
	}		}
	} else {		} else {
	if (!first) { // copy with preceding comma		if (!first) { // copy with preceding comma
	@@ -2670,6 +2671,13 @@ static int selinux_sb_eat_lsm_opts(char options, void *mnt_opts)
	}		}
	*to = '\0';		*to = '\0';
	return 0;		return 0;

			free_opt:
			if (*mnt_opts) {
			selinux_free_mnt_opts(*mnt_opts);
			*mnt_opts = NULL;
			}
			return rc;
	}		}

	static int selinux_sb_remount(struct super_block sb, void mnt_opts)		static int selinux_sb_remount(struct super_block sb, void mnt_opts)