SELinux: Bug fix in policydb_destroy
author Chad Sellers <csellers@tresys.com>
Fri, 6 Oct 2006 20:09:52 +0000 (16:09 -0400)
committer David S. Miller <davem@sunset.davemloft.net>
Thu, 12 Oct 2006 06:59:41 +0000 (23:59 -0700)
This patch fixes two bugs in policydb_destroy. Two list pointers
(policydb.ocontexts[i] and policydb.genfs) were not being reset to NULL when
the lists they pointed to were being freed. This caused a problem when the
initial policy load failed, as the policydb being destroyed was not a
temporary new policydb that was thrown away, but rather was the global
(active) policydb. Consequently, later functions, particularly
sys_bind->selinux_socket_bind->security_node_sid and
do_rw_proc->selinux_sysctl->selinux_proc_get_sid->security_genfs_sid tried
to dereference memory that had previously been freed.

Signed-off-by: Chad Sellers <csellers@tresys.com>
Signed-off-by: James Morris <jmorris@namei.org>
security/selinux/ss/policydb.c

index b18895302555618f02ee0d03590bc2e04ee3d1c6..ba48961f9d0593f99a30b0c3983a09c63425f766 100644 (file)
@@ -618,6 +618,7 @@ void policydb_destroy(struct policydb *p)
                        c = c->next;
                        ocontext_destroy(ctmp,i);
                }
+               p->ocontexts[i] = NULL;
        }
 
        g = p->genfs;
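Review bot: The new `p->ocontexts[i] = NULL;` runs only after the inner loop has already passed every node to `ocontext_destroy()`, so for the duration of that loop the list head still points at freed entries. The commit message says `p` can be the global (active) policydb here, so if any reader can reach `p->ocontexts[i]` while the destroy is in progress, the stale pointer is still visible during that window. Consider detaching first (clear the head before the walk starts, since the loop works from the local `c` anyway) or add a comment stating what excludes readers during `policydb_destroy()`.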
@@ -633,6 +634,7 @@ void policydb_destroy(struct policydb *p)
                g = g->next;
                kfree(gtmp);
        }
+       p->genfs = NULL;
 
        cond_policydb_destroy(p);
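Review bot: The `p->genfs = NULL;` assignment needs a short comment saying why a destroy function resets its own pointer, because without the commit message it reads as redundant and is easy to drop in a later cleanup. Something like "p may be the active policydb after a failed initial load, so leave no dangling list heads" would do. The same question applies to the `cond_policydb_destroy(p)` call that follows and to anything else freed in this function: it is worth confirming that each of them also leaves `p` without pointers to freed memory, since the two list heads fixed here were found through crashes in specific callers rather than through an audit of the whole structure.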