selinux: fix bad cleanup on error in hashtab_duplicate()

WOnder93 · pcmoore · commit 6254bd3db316 · 2022-05-17T18:34:35.000-04:00
The code attempts to free the 'new' pointer using kmem_cache_free(), which is wrong because this function isn't responsible of freeing it. Instead, the function should free new->htable and clear the contents of *new (to prevent double-free). Cc: stable@vger.kernel.org Fixes: c7c556f ("selinux: refactor changing booleans") Reported-by: Wander Lairson Costa <wander@redhat.com> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
diff --git a/security/selinux/ss/hashtab.c b/security/selinux/ss/hashtab.c
@@ -179,7 +179,8 @@ int hashtab_duplicate(struct hashtab *new, struct hashtab *orig,
 			kmem_cache_free(hashtab_node_cachep, cur);
 		}
 	}
-	kmem_cache_free(hashtab_node_cachep, new);
+	kfree(new->htable);
+	memset(new, 0, sizeof(*new));
 	return -ENOMEM;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -179,7 +179,8 @@ int hashtab_duplicate(struct hashtab new, struct hashtab orig,`
`179`	`179`	`kmem_cache_free(hashtab_node_cachep, cur);`
`180`	`180`	`}`
`181`	`181`	`}`
`182`		`- kmem_cache_free(hashtab_node_cachep, new);`
	`182`	`+ kfree(new->htable);`
	`183`	`+ memset(new, 0, sizeof(*new));`
`183`	`184`	`return -ENOMEM;`
`184`	`185`	`}`
`185`	`186`