linux-bl808/security/selinux
Vratislav Bendel 186edf7e36 selinux: fix double free of cond_list on error paths
On error path from cond_read_list() and duplicate_policydb_cond_list()
the cond_list_destroy() gets called a second time in caller functions,
resulting in NULL pointer deref.  Fix this by resetting the
cond_list_len to 0 in cond_list_destroy(), making subsequent calls a
noop.

Also consistently reset the cond_list pointer to NULL after freeing.

Cc: stable@vger.kernel.org
Signed-off-by: Vratislav Bendel <vbendel@redhat.com>
[PM: fix line lengths in the description]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2022-02-02 11:02:10 -05:00
..
include
ss selinux: fix double free of cond_list on error paths 2022-02-02 11:02:10 -05:00
.gitignore
avc.c
hooks.c selinux/stable-5.17 PR 20220110 2022-01-11 13:03:06 -08:00
ibpkey.c
ima.c
Kconfig
Makefile
netif.c
netlabel.c
netlink.c
netnode.c
netport.c
nlmsgtab.c
selinuxfs.c
status.c
xfrm.c selinux: Use struct_size() helper in kmalloc() 2021-12-05 21:58:32 -05:00