Details
Issue of the Implementation # L0004
Brief
security/selinux/hooks.c: Memory leak in inode_doinit_with_dentry()
Detailed Description
SUBJECT: In function inode_doinit_with_dentry(), memory is not released on the error path (if rc<0).
DESCRIBE: In ./security/selinux/hooks.c, in function inode_doinit_with_dentry():
- if at line 1278 memory is successfully allocated and assigned to the context variable, then
- if at line 1284 getxattr returns -ERANGE, and
- if at line 1288 getxattr returns rc<0, then we go to out_unlock without releasing the memory pointed to by the context variable.
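A userspace model of the error path described above, added here as an illustration (not kernel code and not part of the original report). `fake_getxattr`, `xalloc`/`xfree`, `doinit_model` and the initial size 32 are constructed stand-ins; a counter shows one buffer left allocated with the old ordering of the free and none with the patched ordering.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

static int live;   /* buffers currently allocated by the model */
static void *xalloc(size_t n) { void *p = malloc(n); if (p) live++; return p; }
static void xfree(void *p) { if (p) live--; free(p); }

/* Constructed stand-in for i_op->getxattr: a read into a buffer reports
 * -ERANGE, and the follow-up size query (buf == NULL) fails with -EIO. */
static int fake_getxattr(void *buf, size_t len)
{
    (void)len;
    return buf ? -ERANGE : -EIO;
}

/* Control flow of the -ERANGE branch; patched selects where the free sits. */
static int doinit_model(int patched)
{
    size_t len = 32;                      /* constructed initial size */
    char *context = xalloc(len + 1);
    int rc;
    if (!context)
        return -ENOMEM;
    rc = fake_getxattr(context, len);
    if (rc == -ERANGE) {
        if (patched)
            xfree(context);               /* patched: free before the size query */
        rc = fake_getxattr(NULL, 0);      /* query for the right size */
        if (rc < 0)
            goto out_unlock;              /* unpatched: context is still live */
        if (!patched)
            xfree(context);               /* unpatched: free only on success */
        len = (size_t)rc;
        context = xalloc(len + 1);
        if (!context)
            return -ENOMEM;
        rc = fake_getxattr(context, len);
    }
    xfree(context);
out_unlock:
    return rc;
}

/* Run one pass and return the number of buffers left allocated. */
static int leaked_after(int patched) { live = 0; doinit_model(patched); return live; }
int main(void)
{
    printf("unpatched: %d leaked, patched: %d leaked\n", leaked_after(0), leaked_after(1));
    return 0;
}
```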
Possible solutions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 15c2a08..1e8cfc4 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1285,6 +1285,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
context, len);
if (rc == -ERANGE) {
+ kfree(context);
+
/* Need a larger buffer. Query for the right size. */
rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
NULL, 0);
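Review bot: after the added kfree(context) at the top of the -ERANGE branch, context is a dangling pointer until the kmalloc further down reassigns it, and the failed size query leaves through out_unlock in that state. Setting context = NULL right after the kfree would keep that exit safe if cleanup of context is ever added at out_unlock. The extra blank "+" line after the kfree can also be dropped.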
@@ -1292,7 +1294,6 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
dput(dentry);
goto out_unlock;
}
- kfree(context);
len = rc;
context = kmalloc(len+1, GFP_NOFS);
if (!context) {
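Review bot: at the removed kfree(context) just before len = rc, the free now sits earlier in the branch, so the reallocation no longer shows that the old buffer was already released. A short comment at context = kmalloc(len+1, GFP_NOFS) noting that the previous buffer was freed at the top of the -ERANGE branch would keep a later reader from re-adding the free here and introducing a double free.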
--
Component
linux-kernel 2.6.30.4
Accepted
http://lkml.org/lkml/2009/8/10/119
commit
Status
Fixed in kernel 2.6.31