ima: fix a possible null pointer dereference

Commit Message

cuigaosheng Oct. 25, 2022, 7:45 a.m. UTC

In restore_template_fmt(), template_desc->fmt will be NULL if kstrdup
fails, but the return value of restore_template_fmt() will not be null,
then in ima_restore_measurement_list(), template_desc->fmt will continue
to be used in below logic:
  |-- restore_template_fmt(...);	<-- template_desc->fmt = NULL
  |-- ret = template_desc_init_fields(template_desc->fmt,
				      &(template_desc->fields),
				      &(template_desc->num_fields));
    |-- template_num_fields = template_fmt_size(template_fmt);
      |--int template_fmt_len = strlen(template_fmt); <-- null-pre-def

So we need return NULL and free template_desc's memory if kstrdup fails
to fix it.

Fixes: c7d09367702e ("ima: support restoring multiple template formats")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
---
 security/integrity/ima/ima_template.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

Patch

diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
index c25079faa208..dc6e8a5194da 100644
--- a/security/integrity/ima/ima_template.c
+++ b/security/integrity/ima/ima_template.c
@@ -331,23 +331,26 @@  static struct ima_template_desc *restore_template_fmt(char *template_name)
 	if (ret < 0) {
 		pr_err("attempting to initialize the template \"%s\" failed\n",
 			template_name);
-		goto out;
+		goto err;
 	}
 
 	template_desc = kzalloc(sizeof(*template_desc), GFP_KERNEL);
 	if (!template_desc)
-		goto out;
+		goto err;
 
 	template_desc->name = "";
 	template_desc->fmt = kstrdup(template_name, GFP_KERNEL);
 	if (!template_desc->fmt)
-		goto out;
+		goto err;
 
 	spin_lock(&template_list);
 	list_add_tail_rcu(&template_desc->list, &defined_templates);
 	spin_unlock(&template_list);
-out:
 	return template_desc;
+err:
+	if (template_desc != NULL)
+		kfree(template_desc);
+	return NULL;
 }
 
 static int ima_restore_template_data(struct ima_template_desc *template_desc,