From 3c3b47029654c6ca862af7a246c253a4d2c59f2c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?=
Date: Mon, 7 Jul 2025 09:36:42 +0800
Subject: [PATCH] selinux: ignore unknown extended permissions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

stable inclusion
from stable-v5.10.233
commit 712137b177b45f255ce5687e679d950fcb218256
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBJ6OD
CVE: CVE-2024-57931

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=712137b177b45f255ce5687e679d950fcb218256

--------------------------------

commit 900f83cf376bdaf798b6f5dcb2eae0c822e908b6 upstream.

When evaluating extended permissions, ignore unknown permissions instead of calling BUG(). This commit ensures that future permissions can be added without interfering with older kernels.

Cc: stable@vger.kernel.org
Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls")
Signed-off-by: ThiƩbaud Weksteen
Signed-off-by: Paul Moore
Acked-by: Paul Moore
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: GONG Ruiqi
---
 security/selinux/ss/services.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index d35bdbf05d22..73face8afa42 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -971,7 +971,10 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd,
 				xpermd->driver))
 			return;
 	} else {
-		BUG();
+		pr_warn_once(
+			"SELinux: unknown extended permission (%u) will be ignored\n",
+			node->datum.u.xperms->specified);
+		return;
 	}
 
 	if (node->key.specified == AVTAB_XPERMS_ALLOWED) {
@@ -1008,7 +1011,8 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd,
 					node->datum.u.xperms->perms.p[i];
 		}
 	} else {
-		BUG();
+		pr_warn_once("SELinux: unknown specified key (%u)\n",
+			     node->key.specified);
 	}
 }
 
-- Gitee
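Review bot: The new early `return` in the first hunk's else branch leaves `xpermd` untouched for a node whose `xperms->specified` is unrecognised, which is only fail-closed (nothing granted, nothing marked dontaudit) if the caller pre-initialises the decision to deny/audit — the hunk does not show that initialisation, so a comment should pin the contract, e.g. `/* Unknown xperm type: leave the decision untouched (fail closed) and skip this node. */`. `pr_warn_once` fires for the first unknown value only, so a policy carrying several distinct unknown types records just one of them; `pr_warn_ratelimited` would log each occurrence while still bounding volume, if log flooding from a hostile policy is not the stronger concern. A malformed policy is better rejected at load time (the avtab reader) than tolerated in this evaluation path; if such validation already exists, this branch is purely forward-compatibility for newer policy versions, and the comment should say so. services_compute_xperms_decision starts before this hunk.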
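Review bot: The warning added in the second hunk's else branch does not say the node is being skipped, unlike the "will be ignored" message introduced earlier in the same function for the parallel unknown-type case, so the two log lines read inconsistently for the same class of condition; `pr_warn_once("SELinux: unknown specified key (%u) will be ignored\n", node->key.specified);` keeps them parallel and tells an operator what actually happened. Because this else is the last statement in the function, falling through is equivalent to the explicit `return` used in the first hunk, so no control-flow change is needed here. `node->key.specified` is, as far as I recall from avtab.h, a u16, so `%u` is correct after integer promotion — worth a glance to confirm the format matches the field type. The enclosing function begins outside this hunk.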