    CRED: Fix BUG() upon security_cred_alloc_blank() failure · 2edeaa34
    Tetsuo Handa authored
    In cred_alloc_blank() since 2.6.32, abort_creds(new) is called with
    new->security == NULL and new->magic == 0 when security_cred_alloc_blank()
    returns an error.  As a result, BUG() will be triggered if SELinux is enabled
    or CONFIG_DEBUG_CREDENTIALS=y.
    
    If CONFIG_DEBUG_CREDENTIALS=y, BUG() is called from __invalid_creds() because
    cred->magic == 0.  Failing that, BUG() is called from selinux_cred_free()
    because selinux_cred_free() is not expecting cred->security == NULL.  This does
    not affect smack_cred_free(), tomoyo_cred_free() or apparmor_cred_free().
    
    Fix these bugs by
    
    (1) Set new->magic before calling security_cred_alloc_blank().
    
    (2) Handle null cred->security in creds_are_invalid() and selinux_cred_free().
    Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
cred.c 21.7 KB
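
The error path described in the commit message, as a user-space C model added here for illustration (it is not the kernel's code or the patch itself). `cred_model`, `lsm_alloc_blank`, `release_cred`, `alloc_blank_path` and `MODEL_MAGIC` are hypothetical names, and the two BUG() sites are reported as return values instead of crashing.

```c
#include <stdio.h>
#include <stdlib.h>

#define MODEL_MAGIC 0x1234abcdu          /* constructed stand-in for the cred magic */

enum outcome { FREED_OK, BUG_BAD_MAGIC, BUG_NULL_SECURITY };
struct cred_model { unsigned magic; void *security; };

/* Stand-in for security_cred_alloc_blank(): on failure, security stays NULL. */
static int lsm_alloc_blank(struct cred_model *c, int hook_fails)
{
    if (!hook_fails)
        c->security = malloc(1);
    return c->security ? 0 : -1;
}

/* Stand-in for the abort_creds() free path with an SELinux-like module. */
static enum outcome release_cred(struct cred_model *c, int debug_creds, int null_ok)
{
    enum outcome r = FREED_OK;
    if (debug_creds && c->magic != MODEL_MAGIC)
        r = BUG_BAD_MAGIC;               /* the __invalid_creds() case */
    else if (!c->security && !null_ok)
        r = BUG_NULL_SECURITY;           /* the selinux_cred_free() case */
    free(c->security);
    free(c);
    return r;
}

/* fixed=0: magic is set only after the hook succeeds (ordering before the fix).
 * fixed=1: magic is set first, and the free path accepts security == NULL. */
enum outcome alloc_blank_path(int fixed, int debug_creds, int hook_fails)
{
    struct cred_model *c = calloc(1, sizeof(*c));
    if (!c)
        abort();
    if (fixed)
        c->magic = MODEL_MAGIC;
    if (lsm_alloc_blank(c, hook_fails) == 0)
        c->magic = MODEL_MAGIC;
    return release_cred(c, debug_creds, fixed);
}

int main(void)
{
    printf("before fix, debug=y, hook fails: %d\n", alloc_blank_path(0, 1, 1));
    printf("after fix,  debug=y, hook fails: %d\n", alloc_blank_path(1, 1, 1));
    return 0;
}
```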