Commit 31e87930 authored Sep 19, 2007 by Eric Paris Committed by James Morris Sep 20, 2007

SELinux: fix array out of bounds when mounting with selinux options



Given an illegal selinux option it was possible for match_token to work in
random memory at the end of the match_table_t array.

Note that privilege is required to perform a context mount, so this issue is
effectively limited to root only.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>

parent a88a8eff

security/selinux/hooks.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -316,6 +316,7 @@ static inline int inode_doinit(struct inode *inode)
		}

		enum {
		Opt_error = -1,
		Opt_context = 1,
		Opt_fscontext = 2,
		Opt_defcontext = 4,
		@@ -327,6 +328,7 @@ static match_table_t tokens = {
		{Opt_fscontext, "fscontext=%s"},
		{Opt_defcontext, "defcontext=%s"},
		{Opt_rootcontext, "rootcontext=%s"},
		{Opt_error, NULL},
		};

		#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"