[ima-evm-utils,v4,17/17] Fix d2i_x509_fp failure

Message ID	20221101201803.372652-18-zohar@linux.ibm.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-integrity-owner@kernel.org> From: Mimi Zohar <zohar@linux.ibm.com> To: linux-integrity@vger.kernel.org Cc: Mimi Zohar <zohar@linux.ibm.com>, Petr Vorel <pvorel@suse.cz>, Vitaly Chikunov <vt@altlinux.org>, Stefan Berger <stefanb@linux.ibm.com> Subject: [PATCH ima-evm-utils v4 17/17] Fix d2i_x509_fp failure Date: Tue, 1 Nov 2022 16:18:03 -0400 Message-Id: <20221101201803.372652-18-zohar@linux.ibm.com> In-Reply-To: <20221101201803.372652-1-zohar@linux.ibm.com> References: <20221101201803.372652-1-zohar@linux.ibm.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	address deprecated warnings \| expand [ima-evm-utils,v4,00/17] address deprecated warnings [ima-evm-utils,v4,01/17] Revert "Reset 'errno' after failure to open or access a file" [ima-evm-utils,v4,02/17] log and reset 'errno' after failure to open non-critical files [ima-evm-utils,v4,03/17] Log and reset 'errno' on lsetxattr failure [ima-evm-utils,v4,04/17] travis: update dist=focal [ima-evm-utils,v4,05/17] Update configure.ac to address a couple of obsolete warnings [ima-evm-utils,v4,06/17] Deprecate IMA signature version 1 [ima-evm-utils,v4,07/17] Replace the low level SHA1 calls when calculating the TPM 1.2 PCRs [ima-evm-utils,v4,08/17] Replace the low level HMAC calls when calculating the EVM HMAC [ima-evm-utils,v4,09/17] Add missing EVP_MD_CTX_free() call in calc_evm_hash() [ima-evm-utils,v4,10/17] Disable use of OpenSSL "engine" support [ima-evm-utils,v4,11/17] Fix potential use after free in read_tpm_banks() [ima-evm-utils,v4,12/17] Limit the file hash algorithm name length [ima-evm-utils,v4,13/17] Missing template data size lower bounds checking [ima-evm-utils,v4,14/17] Base sm2/sm3 test on openssl version installed [ima-evm-utils,v4,15/17] Compile a newer version of OpenSSL [ima-evm-utils,v4,16/17] Build OpenSSL without engine support [ima-evm-utils,v4,17/17] Fix d2i_x509_fp failure

Message ID

20221101201803.372652-18-zohar@linux.ibm.com (mailing list archive)

State

New, archived

Headers

From: Mimi Zohar <zohar@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.ibm.com>, Petr Vorel <pvorel@suse.cz>,
        Vitaly Chikunov <vt@altlinux.org>,
        Stefan Berger <stefanb@linux.ibm.com>
Subject: [PATCH ima-evm-utils v4 17/17] Fix d2i_x509_fp failure
Date: Tue,  1 Nov 2022 16:18:03 -0400
Message-Id: <20221101201803.372652-18-zohar@linux.ibm.com>
In-Reply-To: <20221101201803.372652-1-zohar@linux.ibm.com>
References: <20221101201803.372652-1-zohar@linux.ibm.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

address deprecated warnings | expand

Comments

Stefan Berger Nov. 2, 2022, 12:44 a.m. UTC | #1

On 11/1/22 16:18, Mimi Zohar wrote:
> Before calling d2i_x509_fp(), make sure the keyfile is a regular file.
> 
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>   src/libimaevm.c | 11 +++++++++++
>   1 file changed, 11 insertions(+)
> 
> diff --git a/src/libimaevm.c b/src/libimaevm.c
> index 8070ffd61a2c..e6fbec5bc17b 100644
> --- a/src/libimaevm.c
> +++ b/src/libimaevm.c
> @@ -250,6 +250,7 @@ EVP_PKEY *read_pub_pkey(const char *keyfile, int x509)
>   {
>   	FILE *fp;
>   	EVP_PKEY *pkey = NULL;
> +	struct stat st;
>   
>   	if (!keyfile)
>   		return NULL;
> @@ -262,6 +263,16 @@ EVP_PKEY *read_pub_pkey(const char *keyfile, int x509)
>   	}
>   
>   	if (x509) {
> +		if (fstat(fileno(fp), &st) == -1)
> +			goto out;
> +

If this was to ever happen evmctl may just terminate without an error message.

> +		if ((st.st_mode & S_IFMT) != S_IFREG) {

This function can also read plain public keys in the else branch. Should this test cover both cases?



> +			if (imaevm_params.verbose > LOG_INFO)
> +				log_err("Keyfile is not regular file: %s\n",
> +					 keyfile);
> +			goto out;
> +		}
> +
>   		X509 *crt = d2i_X509_fp(fp, NULL);
>   
>   		if (!crt) {

diff --git a/src/libimaevm.c b/src/libimaevm.c
index 8070ffd61a2c..e6fbec5bc17b 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -250,6 +250,7 @@  EVP_PKEY *read_pub_pkey(const char *keyfile, int x509)
 {
 	FILE *fp;
 	EVP_PKEY *pkey = NULL;
+	struct stat st;
 
 	if (!keyfile)
 		return NULL;
@@ -262,6 +263,16 @@  EVP_PKEY *read_pub_pkey(const char *keyfile, int x509)
 	}
 
 	if (x509) {
+		if (fstat(fileno(fp), &st) == -1)
+			goto out;
+
+		if ((st.st_mode & S_IFMT) != S_IFREG) {
+			if (imaevm_params.verbose > LOG_INFO)
+				log_err("Keyfile is not regular file: %s\n",
+					 keyfile);
+			goto out;
+		}
+
 		X509 *crt = d2i_X509_fp(fp, NULL);
 
 		if (!crt) {

[ima-evm-utils,v4,17/17] Fix d2i_x509_fp failure

Commit Message

Comments

Patch