| Message ID | 20210820121847.34087-1-Simon.THOBY@viveris.fr (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | IMA: set a default value for unknown digsig algorithms | expand |
On 8/20/2021 5:18 AM, THOBY Simon wrote: > When adding new protections against writing invalid data in > the security.ima xattr, I erroneously expected ima_get_hash_algo() > to always return a valid 'enum hash_algo', but it turns out it trusts > the user-supplied digital signatures and return it without any checks. > It didn't affect process_measurement() because that function > (indirectly) calls into ima_alloc_atfm() that fallback silently > on the default hash algorithm, but it did affect ima_inode_setxattr > as that new function didn't perform a bounds check. > > Update ima_get_hash_algo() to always return a valid hash algorithm, > defaulting on 'ima_hash_algo' when the user-supplied value inside > the xattr is invalid. > > This patch was successfully tested by syszbot, see > https://syzkaller.appspot.com/bug?extid=e8bafe7b82c739eaf153. > > Signed-off-by: THOBY Simon <Simon.THOBY@viveris.fr> > Reported-by: syzbot+e8bafe7b82c739eaf153@syzkaller.appspotmail.com > --- > security/integrity/ima/ima_appraise.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> -lakshmi > > diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c > index 8f1eb7ef041e..dbba51583e7c 100644 > --- a/security/integrity/ima/ima_appraise.c > +++ b/security/integrity/ima/ima_appraise.c > @@ -185,7 +185,8 @@ enum hash_algo ima_get_hash_algo(const struct evm_ima_xattr_data *xattr_value, > switch (xattr_value->type) { > case EVM_IMA_XATTR_DIGSIG: > sig = (typeof(sig))xattr_value; > - if (sig->version != 2 || xattr_len <= sizeof(*sig)) > + if (sig->version != 2 || xattr_len <= sizeof(*sig) > + || sig->hash_algo >= HASH_ALGO__LAST) > return ima_hash_algo; > return sig->hash_algo; > break; >
Hi Simon, On Fri, 2021-08-20 at 12:18 +0000, THOBY Simon wrote: > When adding new protections against writing invalid data in > the security.ima xattr, I erroneously expected ima_get_hash_algo() > to always return a valid 'enum hash_algo', but it turns out it trusts > the user-supplied digital signatures and return it without any checks. > It didn't affect process_measurement() because that function > (indirectly) calls into ima_alloc_atfm() that fallback silently > on the default hash algorithm, but it did affect ima_inode_setxattr > as that new function didn't perform a bounds check. Please update patch description something like: The new function validate_hash_algo() assumed that ima_get_hash_algo() always return a valid 'enum hash_algo', but returned the user-supplied hash algorithm from the digital signature without any checks. > > Update ima_get_hash_algo() to always return a valid hash algorithm, > defaulting on 'ima_hash_algo' when the user-supplied value inside > the xattr is invalid. > > This patch was successfully tested by syszbot, see > https://syzkaller.appspot.com/bug?extid=e8bafe7b82c739eaf153. Thank you for the pointer. > > Signed-off-by: THOBY Simon <Simon.THOBY@viveris.fr> > Reported-by: syzbot+e8bafe7b82c739eaf153@syzkaller.appspotmail.com Fixes: 50f742dd9147 ("IMA: block writes of the security.ima xattr with unsupported algorithms") thanks, Mimi > --- > security/integrity/ima/ima_appraise.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c > index 8f1eb7ef041e..dbba51583e7c 100644 > --- a/security/integrity/ima/ima_appraise.c > +++ b/security/integrity/ima/ima_appraise.c > @@ -185,7 +185,8 @@ enum hash_algo ima_get_hash_algo(const struct evm_ima_xattr_data *xattr_value, > switch (xattr_value->type) { > case EVM_IMA_XATTR_DIGSIG: > sig = (typeof(sig))xattr_value; > - if (sig->version != 2 || xattr_len <= sizeof(*sig)) > + if (sig->version != 2 || xattr_len <= sizeof(*sig) > + || sig->hash_algo >= HASH_ALGO__LAST) > return ima_hash_algo; > return sig->hash_algo; > break;
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 8f1eb7ef041e..dbba51583e7c 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -185,7 +185,8 @@ enum hash_algo ima_get_hash_algo(const struct evm_ima_xattr_data *xattr_value, switch (xattr_value->type) { case EVM_IMA_XATTR_DIGSIG: sig = (typeof(sig))xattr_value; - if (sig->version != 2 || xattr_len <= sizeof(*sig)) + if (sig->version != 2 || xattr_len <= sizeof(*sig) + || sig->hash_algo >= HASH_ALGO__LAST) return ima_hash_algo; return sig->hash_algo; break;
When adding new protections against writing invalid data in the security.ima xattr, I erroneously expected ima_get_hash_algo() to always return a valid 'enum hash_algo', but it turns out it trusts the user-supplied digital signatures and return it without any checks. It didn't affect process_measurement() because that function (indirectly) calls into ima_alloc_atfm() that fallback silently on the default hash algorithm, but it did affect ima_inode_setxattr as that new function didn't perform a bounds check. Update ima_get_hash_algo() to always return a valid hash algorithm, defaulting on 'ima_hash_algo' when the user-supplied value inside the xattr is invalid. This patch was successfully tested by syszbot, see https://syzkaller.appspot.com/bug?extid=e8bafe7b82c739eaf153. Signed-off-by: THOBY Simon <Simon.THOBY@viveris.fr> Reported-by: syzbot+e8bafe7b82c739eaf153@syzkaller.appspotmail.com --- security/integrity/ima/ima_appraise.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)