From: Eric Paris
Date: Wed, 19 Sep 2007 21:19:12 +0000 (-0400)
Subject: SELinux: fix array out of bounds when mounting with selinux options
X-Git-Tag: v2.6.23-rc7~2
X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=31e879309474d1666d645b96de99d0b682fa055f;p=linux-2.6

SELinux: fix array out of bounds when mounting with selinux options

Given an illegal selinux option it was possible for match_token to work in random memory at the end of the match_table_t array.

Note that privilege is required to perform a context mount, so this issue is effectively limited to root only.

Signed-off-by: Eric Paris
Acked-by: Stephen Smalley
Signed-off-by: James Morris
---
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 36946629b6..0753b20e23 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -316,6 +316,7 @@ static inline int inode_doinit(struct inode *inode) } enum { + Opt_error = -1, Opt_context = 1, Opt_fscontext = 2, Opt_defcontext = 4, @@ -327,6 +328,7 @@ static match_table_t tokens = { {Opt_fscontext, "fscontext=%s"}, {Opt_defcontext, "defcontext=%s"}, {Opt_rootcontext, "rootcontext=%s"}, + {Opt_error, NULL}, }; #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
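
Review bot: In the enum hunk, Opt_error = -1 joins members whose visible values (Opt_context = 1, Opt_fscontext = 2, Opt_defcontext = 4) are single-bit flags, and -1 has every bit set. If the caller folds the returned token into a mask of options already seen, an unrecognised option would mark all of them as seen, so please confirm the caller rejects Opt_error (or reaches a rejecting default case) before any bitwise use of the token. A one-line comment on the enum saying that Opt_error is the no-match sentinel and not a flag would make that expectation explicit.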
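
Review bot: In the tokens hunk, the new last entry {Opt_error, NULL} is the table terminator, but nothing on that line says so. Per the commit message, match_token ran past the end of the array when this entry was absent, so the NULL-pattern entry has to stay last, and any option added after it would never be matched. Suggest a short comment on that line stating that it terminates the table and that new options go above it.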