Commit 9a59daa0 authored by Stephen Smalley's avatar Stephen Smalley Committed by James Morris

SELinux: fix sleeping allocation in security_context_to_sid

Fix a sleeping function called from invalid context bug by moving allocation
to the callers prior to taking the policy rdlock.
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent 12b29f34
...@@ -730,15 +730,16 @@ int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len) ...@@ -730,15 +730,16 @@ int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len)
return security_sid_to_context_core(sid, scontext, scontext_len, 1); return security_sid_to_context_core(sid, scontext, scontext_len, 1);
} }
/*
* Caveat: Mutates scontext.
*/
static int string_to_context_struct(struct policydb *pol, static int string_to_context_struct(struct policydb *pol,
struct sidtab *sidtabp, struct sidtab *sidtabp,
const char *scontext, char *scontext,
u32 scontext_len, u32 scontext_len,
struct context *ctx, struct context *ctx,
u32 def_sid, u32 def_sid)
gfp_t gfp_flags)
{ {
char *scontext2 = NULL;
struct role_datum *role; struct role_datum *role;
struct type_datum *typdatum; struct type_datum *typdatum;
struct user_datum *usrdatum; struct user_datum *usrdatum;
...@@ -747,19 +748,10 @@ static int string_to_context_struct(struct policydb *pol, ...@@ -747,19 +748,10 @@ static int string_to_context_struct(struct policydb *pol,
context_init(ctx); context_init(ctx);
/* Copy the string so that we can modify the copy as we parse it. */
scontext2 = kmalloc(scontext_len+1, gfp_flags);
if (!scontext2) {
rc = -ENOMEM;
goto out;
}
memcpy(scontext2, scontext, scontext_len);
scontext2[scontext_len] = 0;
/* Parse the security context. */ /* Parse the security context. */
rc = -EINVAL; rc = -EINVAL;
scontextp = (char *) scontext2; scontextp = (char *) scontext;
/* Extract the user. */ /* Extract the user. */
p = scontextp; p = scontextp;
...@@ -809,7 +801,7 @@ static int string_to_context_struct(struct policydb *pol, ...@@ -809,7 +801,7 @@ static int string_to_context_struct(struct policydb *pol,
if (rc) if (rc)
goto out; goto out;
if ((p - scontext2) < scontext_len) { if ((p - scontext) < scontext_len) {
rc = -EINVAL; rc = -EINVAL;
goto out; goto out;
} }
...@@ -822,7 +814,6 @@ static int string_to_context_struct(struct policydb *pol, ...@@ -822,7 +814,6 @@ static int string_to_context_struct(struct policydb *pol,
} }
rc = 0; rc = 0;
out: out:
kfree(scontext2);
return rc; return rc;
} }
...@@ -830,6 +821,7 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len, ...@@ -830,6 +821,7 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
u32 *sid, u32 def_sid, gfp_t gfp_flags, u32 *sid, u32 def_sid, gfp_t gfp_flags,
int force) int force)
{ {
char *scontext2, *str = NULL;
struct context context; struct context context;
int rc = 0; int rc = 0;
...@@ -839,27 +831,38 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len, ...@@ -839,27 +831,38 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
for (i = 1; i < SECINITSID_NUM; i++) { for (i = 1; i < SECINITSID_NUM; i++) {
if (!strcmp(initial_sid_to_string[i], scontext)) { if (!strcmp(initial_sid_to_string[i], scontext)) {
*sid = i; *sid = i;
goto out; return 0;
} }
} }
*sid = SECINITSID_KERNEL; *sid = SECINITSID_KERNEL;
goto out; return 0;
} }
*sid = SECSID_NULL; *sid = SECSID_NULL;
/* Copy the string so that we can modify the copy as we parse it. */
scontext2 = kmalloc(scontext_len+1, gfp_flags);
if (!scontext2)
return -ENOMEM;
memcpy(scontext2, scontext, scontext_len);
scontext2[scontext_len] = 0;
if (force) {
/* Save another copy for storing in uninterpreted form */
str = kstrdup(scontext2, gfp_flags);
if (!str) {
kfree(scontext2);
return -ENOMEM;
}
}
POLICY_RDLOCK; POLICY_RDLOCK;
rc = string_to_context_struct(&policydb, &sidtab, rc = string_to_context_struct(&policydb, &sidtab,
scontext, scontext_len, scontext2, scontext_len,
&context, def_sid, gfp_flags); &context, def_sid);
if (rc == -EINVAL && force) { if (rc == -EINVAL && force) {
context.str = kmalloc(scontext_len+1, gfp_flags); context.str = str;
if (!context.str) {
rc = -ENOMEM;
goto out;
}
memcpy(context.str, scontext, scontext_len);
context.str[scontext_len] = 0;
context.len = scontext_len; context.len = scontext_len;
str = NULL;
} else if (rc) } else if (rc)
goto out; goto out;
rc = sidtab_context_to_sid(&sidtab, &context, sid); rc = sidtab_context_to_sid(&sidtab, &context, sid);
...@@ -867,6 +870,8 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len, ...@@ -867,6 +870,8 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
context_destroy(&context); context_destroy(&context);
out: out:
POLICY_RDUNLOCK; POLICY_RDUNLOCK;
kfree(scontext2);
kfree(str);
return rc; return rc;
} }
...@@ -1339,9 +1344,14 @@ static int convert_context(u32 key, ...@@ -1339,9 +1344,14 @@ static int convert_context(u32 key,
if (c->str) { if (c->str) {
struct context ctx; struct context ctx;
rc = string_to_context_struct(args->newp, NULL, c->str, s = kstrdup(c->str, GFP_KERNEL);
c->len, &ctx, SECSID_NULL, if (!s) {
GFP_KERNEL); rc = -ENOMEM;
goto out;
}
rc = string_to_context_struct(args->newp, NULL, s,
c->len, &ctx, SECSID_NULL);
kfree(s);
if (!rc) { if (!rc) {
printk(KERN_INFO printk(KERN_INFO
"SELinux: Context %s became valid (mapped).\n", "SELinux: Context %s became valid (mapped).\n",
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment