aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2008-10-31 17:40:00 -0400
committerJames Morris <jmorris@namei.org>2008-10-31 18:38:48 -0400
commit37dd0bd04a3240d2922786d501e2f12cec858fbf (patch)
treed4fa5a124a95d33bf22276429a82822ec8d4810a /security
parent721d5dfe7e516954c501d5e9d0dfab379cf4241a (diff)
SELinux: properly handle empty tty_files list
SELinux has wrongly (since 2004) had an incorrect test for an empty tty->tty_files list. With an empty list selinux would be pointing to part of the tty struct itself and would then proceed to dereference that value and again dereference that result. An F10 change to plymouth on a ppc64 system is actually currently triggering this bug. This patch uses list_empty() to handle empty lists rather than looking at a meaningless location. [note, this fixes the oops reported in https://bugzilla.redhat.com/show_bug.cgi?id=469079] Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3e3fde7c1d2b..f85597a4d733 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2126,14 +2126,16 @@ static inline void flush_unauthorized_files(struct files_struct *files)
2126 tty = get_current_tty(); 2126 tty = get_current_tty();
2127 if (tty) { 2127 if (tty) {
2128 file_list_lock(); 2128 file_list_lock();
2129 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list); 2129 if (!list_empty(&tty->tty_files)) {
2130 if (file) { 2130 struct inode *inode;
2131
2131 /* Revalidate access to controlling tty. 2132 /* Revalidate access to controlling tty.
2132 Use inode_has_perm on the tty inode directly rather 2133 Use inode_has_perm on the tty inode directly rather
2133 than using file_has_perm, as this particular open 2134 than using file_has_perm, as this particular open
2134 file may belong to another process and we are only 2135 file may belong to another process and we are only
2135 interested in the inode-based check here. */ 2136 interested in the inode-based check here. */
2136 struct inode *inode = file->f_path.dentry->d_inode; 2137 file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
2138 inode = file->f_path.dentry->d_inode;
2137 if (inode_has_perm(current, inode, 2139 if (inode_has_perm(current, inode,
2138 FILE__READ | FILE__WRITE, NULL)) { 2140 FILE__READ | FILE__WRITE, NULL)) {
2139 drop_tty = 1; 2141 drop_tty = 1;