SELinux: fix array out of bounds when mounting with selinux options Given an illegal selinux option it was possible for match_token to work in random memory at the end of the match_table_t array. Note that privilege is required to perform a context mount, so this issue is effectively limited to root only. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>

commit: 31e879309474d1666d645b96de99d0b682fa055f [log] [tgz]
author: Eric Paris <eparis@redhat.com> Wed Sep 19 17:19:12 2007 -0400
committer: James Morris <jmorris@namei.org> Thu Sep 20 08:06:40 2007 +1000
tree: bb9d45dc85e03044b5ee7635f3646774bcbb30d4
parent: a88a8eff1e6e32d3288986a9d36c6a449c032d3a [diff]
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3694662..0753b20 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c

@@ -316,6 +316,7 @@
 }
 
 enum {
+	Opt_error = -1,
 	Opt_context = 1,
 	Opt_fscontext = 2,
 	Opt_defcontext = 4,
@@ -327,6 +328,7 @@
 	{Opt_fscontext, "fscontext=%s"},
 	{Opt_defcontext, "defcontext=%s"},
 	{Opt_rootcontext, "rootcontext=%s"},
+	{Opt_error, NULL},
 };
 
 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
commit	31e879309474d1666d645b96de99d0b682fa055f	[log] [tgz]
author	Eric Paris <eparis@redhat.com>	Wed Sep 19 17:19:12 2007 -0400
committer	James Morris <jmorris@namei.org>	Thu Sep 20 08:06:40 2007 +1000
tree	bb9d45dc85e03044b5ee7635f3646774bcbb30d4
parent	a88a8eff1e6e32d3288986a9d36c6a449c032d3a [diff]