Essential Products - PH-1 8.1 - May 2018 Security patch
·
7779 commits
to android-4.4.y
since this release
selinux: fix double free in selinux_parse_opts_str()
This patch is based on a discussion generated by an earlier patch
from Tetsuo Handa:
* https://marc.info/?t=149035659300001&r=1&w=2
The double free problem involves the mnt_opts field of the
security_mnt_opts struct, selinux_parse_opts_str() frees the memory
on error, but doesn't set the field to NULL so if the caller later
attempts to call security_free_mnt_opts() we trigger the problem.
In order to play it safe we change selinux_parse_opts_str() to call
security_free_mnt_opts() on error instead of free'ing the memory
directly. This should ensure that everything is handled correctly,
regardless of what the caller may do.
Change-Id: Ibc2dd57e914203e97dfe301f04adee0084830c85
Fixes: e0007529893c1c06 ("LSM/SELinux: Interfaces to allow FS to control mount options")
Cc: [email protected]
Cc: Tetsuo Handa <[email protected]>
Reported-by: Dmitry Vyukov <[email protected]>
Signed-off-by: Paul Moore <[email protected]>
Signed-off-by: James Morris <[email protected]>