author | Christian Göttsche <cgzones@googlemail.com> | 2023-04-20 17:04:58 +0200 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2023-05-08 16:37:42 -0400 |
commit | 53f3517ae0870fcb398afbba8ff901d0267772b3 (patch) | |
tree | 894f95d339a535f8ad246ddc84d9d9691a2a0231 /security | |
parent | 6f933aa7dfd0bb84b7935168f1d45abec4f702c1 (diff) |
selinux: do not leave dangling pointer behind

In case mls_context_cpy() fails due to OOM set the free'd pointer in
context_cpy() to NULL to avoid it potentially being dereferenced or
free'd again in future. Freeing a NULL pointer is well-defined and a
hard NULL dereference crash is at least not exploitable and should give
a workable stack trace.

Fixes: 12b29f34558b ("selinux: support deferred mapping of contexts")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/ss/context.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/security/selinux/ss/context.h b/security/selinux/ss/context.h index eda32c3d4c0a..44179977f434 100644 --- a/security/selinux/ss/context.h +++ b/security/selinux/ss/context.h @@ -167,6 +167,7 @@ static inline int context_cpy(struct context *dst, const struct context *src) rc = mls_context_cpy(dst, src); if (rc) { kfree(dst->str); + dst->str = NULL; return rc; } return 0; |
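Review bot: The error branch after mls_context_cpy() in context_cpy() now resets dst->str, but nothing else in dst is put back, so the structure is still only partly consistent when rc is returned. If a length belonging to str was stored earlier in the function (that part is outside the visible hunk), it should be cleared in the same branch, right after `dst->str = NULL;`, so that no caller pairs a non-zero length with a NULL string. A short comment above context_cpy() stating what state dst is in on failure, and whether the caller is still expected to destroy it, would also make the double-free reasoning in the commit message checkable from the header itself.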