In the Linux kernel, the following vulnerability has been resolved: selinux: fix double free of cond_list on error paths On error path from cond_read_list() and duplicate_policydb_cond_list() the cond_list_destroy() gets called a second time in caller functions, resulting in NULL pointer deref. Fix this by resetting the cond_list_len to 0 in cond_list_destroy(), making subsequent calls a noop. Also consistently reset the cond_list pointer to NULL after freeing. [PM: fix line lengths in the description]
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 12 | all | linux | < 5.16.10-1 | linux_5.16.10-1_all.deb |
Debian | 11 | all | linux | < 5.10.103-1 | linux_5.10.103-1_all.deb |
Debian | 10 | all | linux | <= 4.19.249-2 | linux_4.19.249-2_all.deb |
Debian | 999 | all | linux | < 5.16.10-1 | linux_5.16.10-1_all.deb |
Debian | 13 | all | linux | < 5.16.10-1 | linux_5.16.10-1_all.deb |