Commit 6e8c751e authored Oct 06, 2006 by Chad Sellers Committed by David S. Miller Oct 11, 2006

SELinux: Bug fix in polidydb_destroy



This patch fixes two bugs in policydb_destroy. Two list pointers
(policydb.ocontexts[i] and policydb.genfs) were not being reset to NULL when
the lists they pointed to were being freed. This caused a problem when the
initial policy load failed, as the policydb being destroyed was not a
temporary new policydb that was thrown away, but rather was the global
(active) policydb. Consequently, later functions, particularly
sys_bind->selinux_socket_bind->security_node_sid and
do_rw_proc->selinux_sysctl->selinux_proc_get_sid->security_genfs_sid tried
to dereference memory that had previously been freed.

Signed-off-by: Chad Sellers <csellers@tresys.com>
Signed-off-by: James Morris <jmorris@namei.org>

parent 3bccfbc7

security/selinux/ss/policydb.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -618,6 +618,7 @@ void policydb_destroy(struct policydb *p)
		c = c->next;
		ocontext_destroy(ctmp,i);
		}
		p->ocontexts[i] = NULL;
		}

		g = p->genfs;
		@@ -633,6 +634,7 @@ void policydb_destroy(struct policydb *p)
		g = g->next;
		kfree(gtmp);
		}
		p->genfs = NULL;

		cond_policydb_destroy(p);