ima: Fix a use after free in ima_read_modsig()
diff mbox series

Message ID 20190808103310.GC30506@mwanda
State New
Headers show
Series
  • ima: Fix a use after free in ima_read_modsig()
Related show

Commit Message

Dan Carpenter Aug. 8, 2019, 10:33 a.m. UTC
This code frees "hdr" and then dereferences it on the next line to get
the error code.

Fixes: 39b07096364a ("ima: Implement support for module-style appended signatures")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 security/integrity/ima/ima_modsig.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Mimi Zohar Aug. 8, 2019, 11:17 a.m. UTC | #1
On Thu, 2019-08-08 at 13:33 +0300, Dan Carpenter wrote:
> This code frees "hdr" and then dereferences it on the next line to get
> the error code.
> 
> Fixes: 39b07096364a ("ima: Implement support for module-style appended signatures")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Thanks, Dan.  Julia already reported this.  Thiago posted a patch last
night.  Just getting to it now.  Can I add your Reviewed-by or Tested-
by?

Mimi
Dan Carpenter Aug. 8, 2019, 11:45 a.m. UTC | #2
On Thu, Aug 08, 2019 at 07:17:22AM -0400, Mimi Zohar wrote:
> On Thu, 2019-08-08 at 13:33 +0300, Dan Carpenter wrote:
> > This code frees "hdr" and then dereferences it on the next line to get
> > the error code.
> > 
> > Fixes: 39b07096364a ("ima: Implement support for module-style appended signatures")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> Thanks, Dan.  Julia already reported this.  Thiago posted a patch last
> night.  Just getting to it now.  Can I add your Reviewed-by or Tested-
> by?

I haven't seen the other patch so Reviewed-by seems like the wrong
thing.  I don't really need any sort of credit.  I'm just going through
my backlog of warnings from being out of office.  Perhaps Reported-by?

regards,
dan carpenter
Mimi Zohar Aug. 8, 2019, 11:55 a.m. UTC | #3
On Thu, 2019-08-08 at 14:45 +0300, Dan Carpenter wrote:
> On Thu, Aug 08, 2019 at 07:17:22AM -0400, Mimi Zohar wrote:
> > On Thu, 2019-08-08 at 13:33 +0300, Dan Carpenter wrote:
> > > This code frees "hdr" and then dereferences it on the next line to get
> > > the error code.
> > > 
> > > Fixes: 39b07096364a ("ima: Implement support for module-style appended signatures")
> > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > 
> > Thanks, Dan.  Julia already reported this.  Thiago posted a patch last
> > night.  Just getting to it now.  Can I add your Reviewed-by or Tested-
> > by?
> 
> I haven't seen the other patch so Reviewed-by seems like the wrong
> thing.  I don't really need any sort of credit.  I'm just going through
> my backlog of warnings from being out of office.  Perhaps Reported-by?

That works.  FYI, your solution and Thiago's are exactly the same.[1]

Mimi

[1] https://lore.kernel.org/linux-integrity/8736ico5ax.fsf@morokweng.localdomain/T/#u

Patch
diff mbox series

diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c
index c412e31d1714..d106885cc495 100644
--- a/security/integrity/ima/ima_modsig.c
+++ b/security/integrity/ima/ima_modsig.c
@@ -91,8 +91,9 @@  int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
 
 	hdr->pkcs7_msg = pkcs7_parse_message(buf + buf_len, sig_len);
 	if (IS_ERR(hdr->pkcs7_msg)) {
+		rc = PTR_ERR(hdr->pkcs7_msg);
 		kfree(hdr);
-		return PTR_ERR(hdr->pkcs7_msg);
+		return rc;
 	}
 
 	memcpy(hdr->raw_pkcs7, buf + buf_len, sig_len);