On Wed, Feb 2, 2022 at 6:25 AM <vbendel@xxxxxxxxxx> wrote:
>
> From: Vratislav Bendel <vbendel@xxxxxxxxxx>
>
> On error path from cond_read_list() and duplicate_policydb_cond_list()
> the cond_list_destroy() gets called a second time in caller functions,
> resulting in NULL pointer deref.
> Fix this by resetting the cond_list_len to 0 in cond_list_destroy(),
> making subsequent calls a noop.
>
> Also consistently reset the cond_list pointer to NULL after freeing.
>
> Signed-off-by: Vratislav Bendel <vbendel@xxxxxxxxxx>
> ---
>  security/selinux/ss/conditional.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

I just merged this into selinux/stable-5.17 and I'll plan on sending
this up to Linus tomorrow, thanks Vratislav.

--
paul-moore.com
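
The double-destroy failure and the fix described in the quoted commit message, as an added C model that is not part of the original mail and is not the kernel's code. The struct and the functions `model_load`, `model_destroy` and `double_destroy` are hypothetical, and the pre-fix state (NULL list with a stale length) is an assumption drawn from the message's description.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins (hypothetical), not the kernel's structures. */
struct cond_node { int *expr; };
struct policydb_model {
    struct cond_node *cond_list;
    unsigned int cond_list_len;
};

/* Build a list of n nodes; 0 on success, -1 on allocation failure. */
static int model_load(struct policydb_model *p, unsigned int n)
{
    p->cond_list = calloc(n, sizeof(*p->cond_list));
    if (!p->cond_list)
        return -1;
    p->cond_list_len = n;
    for (unsigned int i = 0; i < n; i++)
        p->cond_list[i].expr = calloc(1, sizeof(int));
    return 0;
}

/* reset_len=0: assumed pre-fix state (NULL list, stale length).
 * reset_len=1: the fix described in the commit message.
 * Returns nodes freed, or -1 where real code would dereference NULL. */
static int model_destroy(struct policydb_model *p, int reset_len)
{
    unsigned int n = p->cond_list_len;
    if (n && !p->cond_list)
        return -1; /* the loop would read cond_list[0] through NULL */
    for (unsigned int i = 0; i < n; i++)
        free(p->cond_list[i].expr);
    free(p->cond_list);
    p->cond_list = NULL;
    if (reset_len)
        p->cond_list_len = 0; /* later calls become no-ops */
    return (int)n;
}

/* Error-path destroy, then the caller's destroy; returns the second result. */
static int double_destroy(int reset_len)
{
    struct policydb_model p = { 0 };
    if (model_load(&p, 3) || model_destroy(&p, reset_len) != 3)
        return -2;
    return model_destroy(&p, reset_len);
}

int main(void)
{
    printf("pre-fix: %d, fixed: %d\n", double_destroy(0), double_destroy(1));
    return 0;
}
```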