From: Vratislav Bendel <vbendel@xxxxxxxxxx> On error path from cond_read_list() and duplicate_policydb_cond_list() the cond_list_destroy() gets called a second time in caller functions, resulting in NULL pointer deref. Fix this by resetting the cond_list_len to 0 in cond_list_destroy(), making subsequent calls a noop. Signed-off-by: Vratislav Bendel <vbendel@xxxxxxxxxx> --- security/selinux/ss/conditional.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c index 1d0e5f326b62..8bc16ad3af9e 100644 --- a/security/selinux/ss/conditional.c +++ b/security/selinux/ss/conditional.c @@ -151,6 +151,8 @@ static void cond_list_destroy(struct policydb *p) for (i = 0; i < p->cond_list_len; i++) cond_node_destroy(&p->cond_list[i]); + p->cond_list_len = 0; + kfree(p->cond_list); p->cond_list = NULL; } -- 2.26.3
