In security_read_policy(), the policy length is computed using security_policydb_len(), which does a separate transaction, and then another transaction is done to write the policydb into a buffer of this length. The bug is that the policy might be re-loaded in between the two transactions and so the length can be wrong. In case the new length is lower than the old length, the length is corrected at the end of the function. In case the new length is higher than the old one, an error is returned. Fix it by doing everything in a single transaction and getting the length directly from policydb instead of calling security_policydb_len(). Fixes: cee74f47a6ba ("SELinux: allow userspace to read policy back out of the kernel") Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> --- security/selinux/ss/services.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index a48fc1b337ba9..ab4de2a01634a 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -3842,22 +3842,25 @@ int security_read_policy(struct selinux_state *state, void **data, size_t *len) { int rc; + struct policydb *policydb; struct policy_file fp; if (!selinux_initialized(state)) return -EINVAL; - *len = security_policydb_len(state); + read_lock(&state->ss->policy_rwlock); + policydb = &state->ss->policy->policydb; + *len = policydb->len; *data = vmalloc_user(*len); - if (!*data) - return -ENOMEM; - - fp.data = *data; - fp.len = *len; + if (!*data) { + rc = -ENOMEM; + } else { + fp.data = *data; + fp.len = *len; - read_lock(&state->ss->policy_rwlock); - rc = policydb_write(&state->ss->policy->policydb, &fp); + rc = policydb_write(policydb, &fp); + } read_unlock(&state->ss->policy_rwlock); if (rc) -- 2.26.2