Bug 488196

Summary: kernel: selinux: selinux_netlbl_inode_permission() null pointer deref
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: anton, bhu, dhoward, dzickus, eparis, jmorris, jpirko, jskrabal, lgoncalv, lwang, security-response-team, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-03-06 01:33:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 488200, 488201, 488202    
Bug Blocks:    
Attachments:
Description Flags
Upstream patch none

Description Eugene Teo (Security Response) 2009-03-03 06:08:41 UTC 
Description of problem:
Rick McNeal from LSI identified a panic in selinux_netlbl_inode_permission() caused by a certain sequence of SUNRPC operations. The problem appears to be due to the lack of NULL pointer checking in the function; the patch for this issue adds the pointer checks so the function will exit safely in the cases where the socket is not completely initialized.
Comment 1 Eugene Teo (Security Response) 2009-03-03 06:15:20 UTC 
Created attachment 333839 [details]
Upstream patch

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=d7f59dc4642ce2fc7b79fcd4ec02ffce7f21eb02
Comment 10 Eugene Teo (Security Response) 2009-03-06 01:33:42 UTC 
It appears that the problem is caused by the test case/out of tree code. The problem is not in the selinux or the netlabel code. Closing bugs.