[SRU][F][PATCH 0/2] CVE-2022-48740

Koichiro Den koichiro.den at canonical.com
Mon Sep 9 02:03:27 UTC 2024


[Impact]

selinux: fix double free of cond_list on error paths

On error path from cond_read_list() and duplicate_policydb_cond_list()
the cond_list_destroy() gets called a second time in caller functions,
resulting in NULL pointer deref.  Fix this by resetting the
cond_list_len to 0 in cond_list_destroy(), making subsequent calls a
noop.

Also consistently reset the cond_list pointer to NULL after freeing.

[Backport]

Before the primary fix commit, I backported commit 60abd3181db2
("selinux: convert cond_list to array") separately since otherwise
the primary fix commit's message description would not make sense,
and also it does not introduce any new features. To backport it,
I adjusted the context due to another missing commit 06c2efe2cf3a
("selinux: simplify evaluate_cond_node()"). After that, the primary
fix could be cleanly applied (i.e., just cherry-picked it).

Note that the double free issue seems to have been also present in
the older linked list version of cond_list in a different way.

[Fix]

Noble:  not affected
Jammy:  not affected
Focal:  Backport - one dependent commit backported as well, see [Backport]
Bionic: fix sent to esm ML
Xenial: fix sent to esm ML
Trusty: won't fix

[Test Case]

Compile and boot tested

[Where problems could occur]

This fix affects SELinux-enabled environments; an issue with this fix would
be visible to the user via unpredictable system behavior or a system crash.


Ondrej Mosnacek (1):
  selinux: convert cond_list to array

Vratislav Bendel (1):
  selinux: fix double free of cond_list on error paths

 security/selinux/include/conditional.h |  6 +--
 security/selinux/selinuxfs.c           |  4 +-
 security/selinux/ss/conditional.c      | 57 ++++++++++----------------
 security/selinux/ss/conditional.h      |  3 +-
 security/selinux/ss/policydb.c         |  2 +-
 security/selinux/ss/policydb.h         |  3 +-
 security/selinux/ss/services.c         | 28 ++++++-------
 7 files changed, 45 insertions(+), 58 deletions(-)

-- 
2.43.0
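The double-destroy pattern described under [Impact], modeled in userspace as an added example (this is not the kernel's code and not part of the patch series; struct shapes are simplified, and the track_* allocator, cond_read_list_sim(), run_read(), leaked_blocks() and the injected failure are all assumptions of this example). The callee cleans up on its error path and the caller cleans up again; the pre-fix destroy leaves the pointer and length in place so the second call frees the same blocks again, while the fixed destroy resets cond_list_len to 0 and cond_list to NULL so the second call is a no-op. Frees are recorded rather than performed, so the double free is counted instead of crashing:

```c
/* Added example: userspace model of the cond_list double free. */
#include <stdio.h>
#include <stdlib.h>

struct cond_node { char *expr; };             /* stands in for node data */
struct policydb {
	struct cond_node *cond_list;
	unsigned int cond_list_len;
};

/* Tracking allocator (assumption): frees are recorded, not performed, so a
 * second free of one block is observable instead of undefined behaviour. */
#define MAX_TRACKED 64
static void *tracked[MAX_TRACKED];
static int free_count[MAX_TRACKED];
static int tracked_n, g_last_leaked;

static void *track_alloc(size_t n)
{
	void *p = calloc(1, n);
	if (p && tracked_n < MAX_TRACKED) {
		tracked[tracked_n] = p;
		free_count[tracked_n++] = 0;
	}
	return p;
}

static void track_free(void *p)
{
	for (int i = 0; p && i < tracked_n; i++)
		if (tracked[i] == p)
			free_count[i]++;
}

static void track_reset(void)
{
	while (tracked_n > 0)
		free(tracked[--tracked_n]);
}

/* Pre-fix shape: everything is freed, but pointer and length stay behind,
 * so a second call walks the same array and frees the same blocks again. */
static void cond_list_destroy_naive(struct policydb *p)
{
	for (unsigned int i = 0; i < p->cond_list_len; i++)
		track_free(p->cond_list[i].expr);
	track_free(p->cond_list);
}

/* Post-fix shape: reset length and pointer, so a later call is a no-op. */
static void cond_list_destroy_fixed(struct policydb *p)
{
	for (unsigned int i = 0; i < p->cond_list_len; i++)
		track_free(p->cond_list[i].expr);
	track_free(p->cond_list);
	p->cond_list = NULL;
	p->cond_list_len = 0;
}

typedef void (*destroy_fn)(struct policydb *);

/* Stand-in for cond_read_list(): allocates `len` nodes and fails while
 * filling node `fail_at` (constructed failure); like the kernel's callee,
 * it destroys the list itself before returning the error. */
static int cond_read_list_sim(struct policydb *p, unsigned int len,
			      unsigned int fail_at, destroy_fn destroy)
{
	p->cond_list = track_alloc(len * sizeof(*p->cond_list));
	if (!p->cond_list)
		return -1;
	p->cond_list_len = len;
	for (unsigned int i = 0; i < len; i++) {
		if (i == fail_at || !(p->cond_list[i].expr = track_alloc(16))) {
			destroy(p);                  /* callee's cleanup */
			return -1;
		}
	}
	return 0;
}

/* Stand-in for the caller: it tears the policydb down afterwards, which on
 * the error path is the second destroy. Returns the number of blocks freed
 * more than once; leaked_blocks() reports blocks never freed at all. */
static int run_read(unsigned int len, unsigned int fail_at, destroy_fn destroy)
{
	struct policydb p = { 0 };
	int doubles = 0;

	track_reset();
	(void)cond_read_list_sim(&p, len, fail_at, destroy);
	destroy(&p);                                 /* caller's cleanup */
	g_last_leaked = 0;
	for (int i = 0; i < tracked_n; i++) {
		doubles += free_count[i] > 1;
		g_last_leaked += free_count[i] == 0;
	}
	track_reset();
	return doubles;
}

static int leaked_blocks(void) { return g_last_leaked; }

int main(void)
{
	int d = run_read(4, 2, cond_list_destroy_naive);
	printf("error path, pre-fix destroy: %d double frees, %d leaked\n", d, leaked_blocks());
	d = run_read(4, 2, cond_list_destroy_fixed);
	printf("error path, fixed destroy:   %d double frees, %d leaked\n", d, leaked_blocks());
	return 0;
}
```

With four nodes and a failure at node 2, the pre-fix destroy frees the array and the two populated nodes twice (three double frees); the fixed destroy frees each block exactly once. In the real kernel the second walk reads the already-freed array, which is where the crash reported in [Impact] comes from; the recording allocator here only makes that second walk countable.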
