ima: Fix use after free in ima_read_modsig()

Message ID	8736ico5ax.fsf@morokweng.localdomain (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-integrity-owner@kernel.org> References: <201908072140.Qep3jWIW%lkp@intel.com> <2ee96e49ade2e30a44fa14840610b432@lip6.fr> User-agent: mu4e 1.2.0; emacs 26.2 From: Thiago Jung Bauermann <bauerman@linux.ibm.com> To: Julia Lawall <Julia.Lawall@lip6.fr> Cc: Mimi Zohar <zohar@linux.ibm.com>, linux-integrity@vger.kernel.org, kbuild-all@01.org Subject: [PATCH] ima: Fix use after free in ima_read_modsig() In-reply-to: <2ee96e49ade2e30a44fa14840610b432@lip6.fr> Date: Wed, 07 Aug 2019 21:43:18 -0300 Message-ID: <8736ico5ax.fsf@morokweng.localdomain> MIME-Version: 1.0 Content-Type: text/plain Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk
Series	ima: Fix use after free in ima_read_modsig() \| expand ima: Fix use after free in ima_read_modsig()

Message ID

8736ico5ax.fsf@morokweng.localdomain (mailing list archive)

State

New, archived

Headers

References: <201908072140.Qep3jWIW%lkp@intel.com>
 <2ee96e49ade2e30a44fa14840610b432@lip6.fr>
User-agent: mu4e 1.2.0; emacs 26.2
From: Thiago Jung Bauermann <bauerman@linux.ibm.com>
To: Julia Lawall <Julia.Lawall@lip6.fr>
Cc: Mimi Zohar <zohar@linux.ibm.com>, linux-integrity@vger.kernel.org,
        kbuild-all@01.org
Subject: [PATCH] ima: Fix use after free in ima_read_modsig()
In-reply-to: <2ee96e49ade2e30a44fa14840610b432@lip6.fr>
Date: Wed, 07 Aug 2019 21:43:18 -0300
Message-ID: <8736ico5ax.fsf@morokweng.localdomain>
MIME-Version: 1.0
Content-Type: text/plain
Sender: linux-integrity-owner@vger.kernel.org
Precedence: bulk

Series

ima: Fix use after free in ima_read_modsig() | expand

Commit Message

Thiago Jung Bauermann Aug. 8, 2019, 12:43 a.m. UTC

Julia Lawall <Julia.Lawall@lip6.fr> writes:

> This looks risky. See lines 80 and 81.

That is indeed a bug. Thanks for spotting it!

Here's the fix:

From 445e9ab15f61dc3b1fa1a30495d233bd2d2ecdaa Mon Sep 17 00:00:00 2001
From: Thiago Jung Bauermann <bauerman@linux.ibm.com>
Date: Wed, 7 Aug 2019 21:29:53 -0300
Subject: [PATCH] ima: Fix use after free in ima_read_modsig()

If we can't parse the PKCS7 in the appended modsig, we will free the modsig
structure and then access one of its members to determine the error value.

Fixes: 39b07096364a ("ima: Implement support for module-style appended signatures")
Reported-by: kbuild test robot <lkp@intel.com>
Reported-by: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
---
 security/integrity/ima/ima_modsig.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c
index c412e31d1714..d106885cc495 100644
--- a/security/integrity/ima/ima_modsig.c
+++ b/security/integrity/ima/ima_modsig.c
@@ -91,8 +91,9 @@  int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
 
 	hdr->pkcs7_msg = pkcs7_parse_message(buf + buf_len, sig_len);
 	if (IS_ERR(hdr->pkcs7_msg)) {
+		rc = PTR_ERR(hdr->pkcs7_msg);
 		kfree(hdr);
-		return PTR_ERR(hdr->pkcs7_msg);
+		return rc;
 	}
 
 	memcpy(hdr->raw_pkcs7, buf + buf_len, sig_len);

ima: Fix use after free in ima_read_modsig()

Commit Message

Patch