From: Eugene Teo <eteo@redhat.com>
Date: Mon, 21 Jul 2008 17:16:38 +0800
Subject: [selinux] prevent illegal selinux options when mounting
Message-id: 20080721091638.GA14131@kernel.sg
O-Subject: [RHEL5.3 PATCH] kernel: fix array out of bounds when mounting with selinux options
Bugzilla: 456052
RH-Acked-by: Anton Arapov <aarapov@redhat.com>
RH-Acked-by: Eric Sandeen <sandeen@redhat.com>
This is for bz#456052.
Backport of upstream commit 31e879309474d1666d645b96de99d0b682fa055f
Given an illegal selinux option it was possible for match_token to work
in random memory at the end of the match_table_t array.
Note that privilege is required to perform a context mount, so this
issue is effectively limited to root only.
Signed-off-by: Eugene Teo <eteo@redhat.com>
--
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5425f88..7ede861 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -317,6 +317,7 @@ static inline int inode_doinit(struct inode *inode)
}
enum {
+ Opt_error = -1,
Opt_context = 1,
Opt_fscontext = 2,
Opt_defcontext = 4,
@@ -328,6 +329,7 @@ static match_table_t tokens = {
{Opt_fscontext, "fscontext=%s"},
{Opt_defcontext, "defcontext=%s"},
{Opt_rootcontext, "rootcontext=%s"},
+ {Opt_error, NULL},
};
#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
distrib
>
Scientific%20Linux
>
5x
>
x86_64
>
by-pkgid
>
89877e42827f16fa5f86b1df0c2860b1
>
files
>
2290
