We don't need to crash the machine in these cases. Let's just detect the buggy state early and error out with a warning.
Signed-off-by: Ondrej Mosnacek <[email protected]> --- security/selinux/avc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 502162eeb3a0..5ebad47391c9 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -678,7 +678,6 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a) return; } - BUG_ON(!sad->tclass || sad->tclass >= ARRAY_SIZE(secclass_map)); perms = secclass_map[sad->tclass-1].perms; audit_log_string(ab, " {"); @@ -731,7 +730,6 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a) kfree(scontext); } - BUG_ON(!sad->tclass || sad->tclass >= ARRAY_SIZE(secclass_map)); audit_log_format(ab, " tclass=%s", secclass_map[sad->tclass-1].name); if (sad->denied) @@ -748,6 +746,9 @@ noinline int slow_avc_audit(struct selinux_state *state, struct common_audit_data stack_data; struct selinux_audit_data sad; + if (WARN_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map))) + return -EINVAL; + if (!a) { a = &stack_data; a->type = LSM_AUDIT_DATA_NONE; -- 2.20.1 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
