From: Eugene Teo <eteo@redhat.com> Date: Mon, 21 Jul 2008 17:16:38 +0800 Subject: [selinux] prevent illegal selinux options when mounting Message-id: 20080721091638.GA14131@kernel.sg O-Subject: [RHEL5.3 PATCH] kernel: fix array out of bounds when mounting with selinux options Bugzilla: 456052 RH-Acked-by: Anton Arapov <aarapov@redhat.com> RH-Acked-by: Eric Sandeen <sandeen@redhat.com> This is for bz#456052. Backport of upstream commit 31e879309474d1666d645b96de99d0b682fa055f Given an illegal selinux option it was possible for match_token to work in random memory at the end of the match_table_t array. Note that privilege is required to perform a context mount, so this issue is effectively limited to root only. Signed-off-by: Eugene Teo <eteo@redhat.com> -- diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 5425f88..7ede861 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -317,6 +317,7 @@ static inline int inode_doinit(struct inode *inode) } enum { + Opt_error = -1, Opt_context = 1, Opt_fscontext = 2, Opt_defcontext = 4, @@ -328,6 +329,7 @@ static match_table_t tokens = { {Opt_fscontext, "fscontext=%s"}, {Opt_defcontext, "defcontext=%s"}, {Opt_rootcontext, "rootcontext=%s"}, + {Opt_error, NULL}, }; #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"