Message ID | 20190808103310.GC30506@mwanda (mailing list archive) |
---|---|
State | New, archived |
Series | ima: Fix a use after free in ima_read_modsig() |
On Thu, 2019-08-08 at 13:33 +0300, Dan Carpenter wrote:
> This code frees "hdr" and then dereferences it on the next line to get
> the error code.
>
> Fixes: 39b07096364a ("ima: Implement support for module-style appended signatures")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Thanks, Dan. Julia already reported this. Thiago posted a patch last
night. Just getting to it now. Can I add your Reviewed-by or Tested-by?

Mimi

On Thu, Aug 08, 2019 at 07:17:22AM -0400, Mimi Zohar wrote:
> On Thu, 2019-08-08 at 13:33 +0300, Dan Carpenter wrote:
> > This code frees "hdr" and then dereferences it on the next line to get
> > the error code.
> >
> > Fixes: 39b07096364a ("ima: Implement support for module-style appended signatures")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> Thanks, Dan. Julia already reported this. Thiago posted a patch last
> night. Just getting to it now. Can I add your Reviewed-by or
> Tested-by?

I haven't seen the other patch so Reviewed-by seems like the wrong
thing. I don't really need any sort of credit. I'm just going through
my backlog of warnings from being out of office. Perhaps Reported-by?

regards,
dan carpenter

On Thu, 2019-08-08 at 14:45 +0300, Dan Carpenter wrote:
> On Thu, Aug 08, 2019 at 07:17:22AM -0400, Mimi Zohar wrote:
> > On Thu, 2019-08-08 at 13:33 +0300, Dan Carpenter wrote:
> > > This code frees "hdr" and then dereferences it on the next line to get
> > > the error code.
> > >
> > > Fixes: 39b07096364a ("ima: Implement support for module-style appended signatures")
> > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> >
> > Thanks, Dan. Julia already reported this. Thiago posted a patch last
> > night. Just getting to it now. Can I add your Reviewed-by or
> > Tested-by?
>
> I haven't seen the other patch so Reviewed-by seems like the wrong
> thing. I don't really need any sort of credit. I'm just going through
> my backlog of warnings from being out of office. Perhaps Reported-by?

That works. FYI, your solution and Thiago's are exactly the same.[1]

Mimi

[1] https://lore.kernel.org/linux-integrity/8736ico5ax.fsf@morokweng.localdomain/T/#u

diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c index c412e31d1714..d106885cc495 100644 --- a/security/integrity/ima/ima_modsig.c +++ b/security/integrity/ima/ima_modsig.c @@ -91,8 +91,9 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len, hdr->pkcs7_msg = pkcs7_parse_message(buf + buf_len, sig_len); if (IS_ERR(hdr->pkcs7_msg)) { + rc = PTR_ERR(hdr->pkcs7_msg); kfree(hdr); - return PTR_ERR(hdr->pkcs7_msg); + return rc; } memcpy(hdr->raw_pkcs7, buf + buf_len, sig_len);
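
Review bot: The changelog for the IS_ERR(hdr->pkcs7_msg) branch does not state the effect of the bug, and it would help anyone triaging the Fixes: tag if it did. In the removed line, `return PTR_ERR(hdr->pkcs7_msg);` ran after `kfree(hdr);`, so the value ima_read_modsig() returned was loaded from memory that had already been freed and was not guaranteed to be the error that pkcs7_parse_message() produced. The new ordering (read into rc, then kfree(hdr), then return rc) is right. The declaration of rc lies outside the context lines shown here, so confirm it is an int in function scope to match the function's int return type.
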
This code frees "hdr" and then dereferences it on the next line to get
the error code.

Fixes: 39b07096364a ("ima: Implement support for module-style appended signatures")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

---
 security/integrity/ima/ima_modsig.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)