From: Zhen Lei <thunder.leizhen@xxxxxxxxxx>
commit 6dd1e4c045afa6a4ba5d46f044c83bd357c593c2 upstream.
When avc_add_xperms_decision() fails, the information recorded by the new
avc node is incomplete. In this case, the new avc node should be released
instead of replacing the old avc node.
Cc: stable@xxxxxxxxxxxxxxx
Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls")
Suggested-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
Signed-off-by: Zhen Lei <thunder.leizhen@xxxxxxxxxx>
Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
security/selinux/avc.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -925,7 +925,11 @@ static int avc_update_node(struct selinu
node->ae.avd.auditdeny &= ~perms;
break;
case AVC_CALLBACK_ADD_XPERMS:
- avc_add_xperms_decision(node, xpd);
+ rc = avc_add_xperms_decision(node, xpd);
+ if (rc) {
+ avc_node_kill(node);
+ goto out_unlock;
+ }
break;
}
avc_node_replace(avc, node, orig);
Patches currently in stable-queue which might be from thunder.leizhen@xxxxxxxxxx are
queue-4.19/selinux-fix-potential-counting-error-in-avc_add_xperms_decision.patch
queue-4.19/selinux-add-the-processing-of-the-failure-of-avc_add_xperms_decision.patch
