| Message ID | 20240620194632.3996068-1-samasth.norway.ananda@oracle.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | ima: fix buffer overrun in ima_eventdigest_init_common | expand |
On 6/20/2024 9:46 PM, Samasth Norway Ananda wrote: > Function ima_eventdigest_init() can call ima_eventdigest_init_common() > with HASH_ALGO__LAST which is then used to access the array > hash_digest_size[] leading to buffer overrun. Have a conditional > statement to handle this. > > Fixes: 9fab303a2cb3 ("ima: fix violation measurement list record") > Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com> Tested-by: Enrico Bravi (PhD at polito.it) <enrico.bravi@huawei.com> > --- > security/integrity/ima/ima_template_lib.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c > index 4183956c53af..14c000fe8312 100644 > --- a/security/integrity/ima/ima_template_lib.c > +++ b/security/integrity/ima/ima_template_lib.c > @@ -320,13 +320,17 @@ static int ima_eventdigest_init_common(const u8 *digest, u32 digestsize, > > if (digest) > memcpy(buffer + offset, digest, digestsize); > - else > + else { > /* > * If digest is NULL, the event being recorded is a violation. > * Make room for the digest by increasing the offset by the > * hash algorithm digest size. > */ > - offset += hash_digest_size[hash_algo]; > + if (hash_algo < HASH_ALGO__LAST) > + offset += hash_digest_size[hash_algo]; > + else > + offset += IMA_DIGEST_SIZE; > + } > > return ima_write_template_field_data(buffer, offset + digestsize, > fmt, field_data);
Hi Samasth, On Thu, 2024-06-20 at 12:46 -0700, Samasth Norway Ananda wrote: > Function ima_eventdigest_init() can call ima_eventdigest_init_common() > with HASH_ALGO__LAST which is then used to access the array > hash_digest_size[] leading to buffer overrun. Have a conditional > statement to handle this. The original 'ima' template ("d|n") digest is not prefixed with the digest algorithm, since it is hard coded to sha1. ima_eventdigest_init() intentionally calls ima_eventdigest_init_common() with HASH_ALGO__LAST. To avoid ... > > Fixes: 9fab303a2cb3 ("ima: fix violation measurement list record") > Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com> > --- > security/integrity/ima/ima_template_lib.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c > index 4183956c53af..14c000fe8312 100644 > --- a/security/integrity/ima/ima_template_lib.c > +++ b/security/integrity/ima/ima_template_lib.c > @@ -320,13 +320,17 @@ static int ima_eventdigest_init_common(const u8 *digest, u32 digestsize, > > if (digest) Please add a brace after "digest" and before "else". Refer to the section titled "3) Placing Braces and Spaces" in " https://www.kernel.org/doc/html/v4.10/process/coding-style.html. > memcpy(buffer + offset, digest, digestsize); > - else > + else { > /* > * If digest is NULL, the event being recorded is a violation. > * Make room for the digest by increasing the offset by the > * hash algorithm digest size. > */ Please update the comment to reflect the case when the hash algorithm isn't specified. > - offset += hash_digest_size[hash_algo]; > + if (hash_algo < HASH_ALGO__LAST) > + offset += hash_digest_size[hash_algo]; > + else > + offset += IMA_DIGEST_SIZE; > + } > > return ima_write_template_field_data(buffer, offset + digestsize, > fmt, field_data); Please fix the other scripts/checkpatch.pl complaints. thanks, Mimi
On 6/21/24 3:44 PM, Mimi Zohar wrote: > Hi Samasth, > > On Thu, 2024-06-20 at 12:46 -0700, Samasth Norway Ananda wrote: >> Function ima_eventdigest_init() can call ima_eventdigest_init_common() >> with HASH_ALGO__LAST which is then used to access the array >> hash_digest_size[] leading to buffer overrun. Have a conditional >> statement to handle this. > > The original 'ima' template ("d|n") digest is not prefixed with the digest > algorithm, since it is hard coded to sha1. ima_eventdigest_init() intentionally > calls ima_eventdigest_init_common() with HASH_ALGO__LAST. To avoid ... > >> >> Fixes: 9fab303a2cb3 ("ima: fix violation measurement list record") >> Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com> >> --- >> security/integrity/ima/ima_template_lib.c | 8 ++++++-- >> 1 file changed, 6 insertions(+), 2 deletions(-) >> >> diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c >> index 4183956c53af..14c000fe8312 100644 >> --- a/security/integrity/ima/ima_template_lib.c >> +++ b/security/integrity/ima/ima_template_lib.c >> @@ -320,13 +320,17 @@ static int ima_eventdigest_init_common(const u8 *digest, u32 digestsize, >> >> if (digest) > > Please add a brace after "digest" and before "else". > > Refer to the section titled "3) Placing Braces and Spaces" in " > https://www.kernel.org/doc/html/v4.10/process/coding-style.html. > > >> memcpy(buffer + offset, digest, digestsize); >> - else >> + else { >> /* >> * If digest is NULL, the event being recorded is a violation. >> * Make room for the digest by increasing the offset by the >> * hash algorithm digest size. >> */ > > Please update the comment to reflect the case when the hash algorithm isn't > specified. > >> - offset += hash_digest_size[hash_algo]; >> + if (hash_algo < HASH_ALGO__LAST) >> + offset += hash_digest_size[hash_algo]; >> + else >> + offset += IMA_DIGEST_SIZE; >> + } >> >> return ima_write_template_field_data(buffer, offset + digestsize, >> fmt, field_data); > > Please fix the other scripts/checkpatch.pl complaints. Thanks for correcting me Mimi. I should have checked that before sending. I will make the changes and send a v2 of the patch. > > thanks, > > Mimi >
diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c index 4183956c53af..14c000fe8312 100644 --- a/security/integrity/ima/ima_template_lib.c +++ b/security/integrity/ima/ima_template_lib.c @@ -320,13 +320,17 @@ static int ima_eventdigest_init_common(const u8 *digest, u32 digestsize, if (digest) memcpy(buffer + offset, digest, digestsize); - else + else { /* * If digest is NULL, the event being recorded is a violation. * Make room for the digest by increasing the offset by the * hash algorithm digest size. */ - offset += hash_digest_size[hash_algo]; + if (hash_algo < HASH_ALGO__LAST) + offset += hash_digest_size[hash_algo]; + else + offset += IMA_DIGEST_SIZE; + } return ima_write_template_field_data(buffer, offset + digestsize, fmt, field_data);
Function ima_eventdigest_init() can call ima_eventdigest_init_common() with HASH_ALGO__LAST which is then used to access the array hash_digest_size[] leading to buffer overrun. Have a conditional statement to handle this. Fixes: 9fab303a2cb3 ("ima: fix violation measurement list record") Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com> --- security/integrity/ima/ima_template_lib.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)