[PATCH 4.11 08/78] selinux: fix double free in selinux_parse_opts_str()

From: Greg Kroah-Hartman
Date: Mon Jun 19 2017 - 11:18:27 EST

4.11-stable review patch. If anyone has any objections, please let me know.


From: Paul Moore <paul@xxxxxxxxxxxxxx>

commit 023f108dcc187e34ef864bf10ed966cf25e14e2a upstream.

This patch is based on a discussion generated by an earlier patch
from Tetsuo Handa:

* https://marc.info/?t=149035659300001&r=1&w=2

The double free problem involves the mnt_opts field of the
security_mnt_opts struct, selinux_parse_opts_str() frees the memory
on error, but doesn't set the field to NULL so if the caller later
attempts to call security_free_mnt_opts() we trigger the problem.

In order to play it safe we change selinux_parse_opts_str() to call
security_free_mnt_opts() on error instead of free'ing the memory
directly. This should ensure that everything is handled correctly,
regardless of what the caller may do.

Fixes: e0007529893c1c06 ("LSM/SELinux: Interfaces to allow FS to control mount options")
Cc: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
Signed-off-by: James Morris <james.l.morris@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

security/selinux/hooks.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1106,10 +1106,8 @@ static int selinux_parse_opts_str(char *

opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
- if (!opts->mnt_opts_flags) {
- kfree(opts->mnt_opts);
+ if (!opts->mnt_opts_flags)
goto out_err;
- }

if (fscontext) {
opts->mnt_opts[num_mnt_opts] = fscontext;
@@ -1132,6 +1130,7 @@ static int selinux_parse_opts_str(char *
return 0;

+ security_free_mnt_opts(opts);