ACK: [SRU][F][PATCH 0/2] CVE-2022-48740

Thibault Ferrante thibault.ferrante at canonical.com
Mon Sep 9 12:01:05 UTC 2024


Acked-by: Thibault Ferrante <thibault.ferrante at canonical.com>

On 09-09-2024 04:03, Koichiro Den wrote:
> [Impact]
> 
> selinux: fix double free of cond_list on error paths
> 
> On error path from cond_read_list() and duplicate_policydb_cond_list()
> the cond_list_destroy() gets called a second time in caller functions,
> resulting in NULL pointer deref.  Fix this by resetting the
> cond_list_len to 0 in cond_list_destroy(), making subsequent calls a
> noop.
> 
> Also consistently reset the cond_list pointer to NULL after freeing.
> 
> [Backport]
> 
> Before the primary fix commit, I backported commit 60abd3181db2
> ("selinux: convert cond_list to array") separately since otherwise
> the primary fix commit's message description would not make sense,
> and also it does not introduce any new features. To backport it,
> I adjusted the context due to another missing commit 06c2efe2cf3a
> ("selinux: simplify evaluate_cond_node()"). After that, the primary
> fix could be cleanly applied (i.e., just cherry-picked it).
> 
> Note that the double free issue seems to have been also present in
> the older linked list version of cond_list in a different way.
> 
> [Fix]
> 
> Noble:  not affected
> Jammy:  not affected
> Focal:  Backport - one dependent commit backported as well, see [Backport]
> Bionic: fix sent to esm ML
> Xenial: fix sent to esm ML
> Trusty: won't fix
> 
> [Test Case]
> 
> Compile and boot tested
> 
> [Where problems could occur]
> 
> This fix affects selinux enabled environments. An issue with this fix would
> be visible to the user via unpredicted system behavior or a system crash.
> 
> 
> Ondrej Mosnacek (1):
>    selinux: convert cond_list to array
> 
> Vratislav Bendel (1):
>    selinux: fix double free of cond_list on error paths
> 
>   security/selinux/include/conditional.h |  6 +--
>   security/selinux/selinuxfs.c           |  4 +-
>   security/selinux/ss/conditional.c      | 57 ++++++++++----------------
>   security/selinux/ss/conditional.h      |  3 +-
>   security/selinux/ss/policydb.c         |  2 +-
>   security/selinux/ss/policydb.h         |  3 +-
>   security/selinux/ss/services.c         | 28 ++++++-------
>   7 files changed, 45 insertions(+), 58 deletions(-)
> 


-- 
Thibault
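
A userspace model of the pattern the quoted [Impact] text describes, added here as an illustration: a reader that tears the list down on its own error path, a caller that tears it down again, and a destroy routine made safe to call twice by resetting the length and pointer. It is not code from the patch series or the kernel, and all names (`struct policy`, `list_read`, `list_destroy`, `policy_load`) are hypothetical.

```c
#include <stdlib.h>

/* Hypothetical userspace model of an array-backed list; not the SELinux structures. */
struct node { int *expr; };
struct policy { struct node *list; size_t len; };

static size_t allocs, frees; /* bookkeeping: every allocation must be freed exactly once */

static void *xcalloc(size_t n, size_t sz) { void *p = calloc(n, sz); if (p) allocs++; return p; }
static void xfree(void *p) { if (p) frees++; free(p); }

/* Idempotent teardown. Without the two resets at the end, a second call
 * would walk p->len entries of an array that has already been freed. */
void list_destroy(struct policy *p)
{
    for (size_t i = 0; i < p->len; i++)
        xfree(p->list[i].expr);
    xfree(p->list);
    p->list = NULL; /* no dangling pointer left behind */
    p->len = 0;     /* a repeated call now loops zero times */
}

/* Reader that cleans up after itself on error. fail_at is the index of the
 * entry that fails to parse (constructed failure); fail_at >= n means success. */
int list_read(struct policy *p, size_t n, size_t fail_at)
{
    p->list = xcalloc(n, sizeof(*p->list));
    if (!p->list)
        return -1;
    p->len = n; /* entries are zeroed, so destroy is safe on a partial list */
    for (size_t i = 0; i < n; i++) {
        p->list[i].expr = (i == fail_at) ? NULL : xcalloc(1, sizeof(int));
        if (!p->list[i].expr)
            goto err;
    }
    return 0;
err:
    list_destroy(p); /* first teardown, inside the reader */
    return -1;
}

/* Caller with its own error-path teardown: the second call to list_destroy(). */
int policy_load(struct policy *p, size_t n, size_t fail_at)
{
    if (list_read(p, n, fail_at) == 0)
        return 0;
    list_destroy(p); /* must be a no-op after the reader's cleanup */
    return -1;
}

int main(void) { struct policy p = {0}; return policy_load(&p, 4, 2) == -1 ? 0 : 1; }
```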