From 0af901643fe3f1f8d44e41115d36609ee4bda2bf Mon Sep 17 00:00:00 2001 From: "Geyslan G. Bem" Date: Wed, 4 Dec 2013 16:10:24 -0500 Subject: selinux: fix possible memory leak Free 'ctx_str' when necessary. Signed-off-by: Geyslan G. Bem Signed-off-by: Paul Moore --- security/selinux/xfrm.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'security/selinux/xfrm.c') diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index a91d205ec0c6..cf79a4564e38 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c @@ -327,19 +327,22 @@ int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x, return rc; ctx = kmalloc(sizeof(*ctx) + str_len, GFP_ATOMIC); - if (!ctx) - return -ENOMEM; + if (!ctx) { + rc = -ENOMEM; + goto out; + } ctx->ctx_doi = XFRM_SC_DOI_LSM; ctx->ctx_alg = XFRM_SC_ALG_SELINUX; ctx->ctx_sid = secid; ctx->ctx_len = str_len; memcpy(ctx->ctx_str, ctx_str, str_len); - kfree(ctx_str); x->security = ctx; atomic_inc(&selinux_xfrm_refcount); - return 0; +out: + kfree(ctx_str); + return rc; } /* -- cgit v1.2.2 From 817eff718dca4e54d5721211ddde0914428fbb7c Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Tue, 10 Dec 2013 14:57:54 -0500 Subject: selinux: look for IPsec labels on both inbound and outbound packets Previously selinux_skb_peerlbl_sid() would only check for labeled IPsec security labels on inbound packets, this patch enables it to check both inbound and outbound traffic for labeled IPsec security labels. Reported-by: Janak Desai Cc: stable@vger.kernel.org Signed-off-by: Paul Moore --- security/selinux/xfrm.c | 51 +++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 41 insertions(+), 10 deletions(-) (limited to 'security/selinux/xfrm.c') diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index cf79a4564e38..0462cb3ff0a7 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c @@ -209,19 +209,26 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, NULL) ? 0 : 1); } -/* - * LSM hook implementation that checks and/or returns the xfrm sid for the - * incoming packet. - */ -int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) +static u32 selinux_xfrm_skb_sid_egress(struct sk_buff *skb) { - u32 sid_session = SECSID_NULL; - struct sec_path *sp; + struct dst_entry *dst = skb_dst(skb); + struct xfrm_state *x; - if (skb == NULL) - goto out; + if (dst == NULL) + return SECSID_NULL; + x = dst->xfrm; + if (x == NULL || !selinux_authorizable_xfrm(x)) + return SECSID_NULL; + + return x->security->ctx_sid; +} + +static int selinux_xfrm_skb_sid_ingress(struct sk_buff *skb, + u32 *sid, int ckall) +{ + u32 sid_session = SECSID_NULL; + struct sec_path *sp = skb->sp; - sp = skb->sp; if (sp) { int i; @@ -247,6 +254,30 @@ out: return 0; } +/* + * LSM hook implementation that checks and/or returns the xfrm sid for the + * incoming packet. + */ +int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) +{ + if (skb == NULL) { + *sid = SECSID_NULL; + return 0; + } + return selinux_xfrm_skb_sid_ingress(skb, sid, ckall); +} + +int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid) +{ + int rc; + + rc = selinux_xfrm_skb_sid_ingress(skb, sid, 0); + if (rc == 0 && *sid == SECSID_NULL) + *sid = selinux_xfrm_skb_sid_egress(skb); + + return rc; +} + /* * LSM hook implementation that allocs and transfers uctx spec to xfrm_policy. */ -- cgit v1.2.2