From patchwork Mon Oct 9 19:52:45 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Gustavo A. R. Silva" X-Patchwork-Id: 13414386 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6B4343B7A6 for ; Mon, 9 Oct 2023 19:52:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="mhdPJ8Hq" Received: by smtp.kernel.org (Postfix) with ESMTPSA id B98E3C433C8; Mon, 9 Oct 2023 19:52:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1696881173; bh=kgSu1Cqs2OuHn6PG4+EYDe0mVAXd0o16yDhpNDyy/To=; h=Date:From:To:Cc:Subject:From; b=mhdPJ8HqdLGlIJNxp5NZVxMUyfblvMGfJcgBLM0kNarSBE75oieRwZWrOIO27fbc6 l0atd0yFegWWyHlQfkdsxSbycNJlTb0v04VY3kDgV7PoBm/t8xrdTEy7A4G4clJheF oHJuOjuOB76WiT5tHFPqQWbJySM3f675Yif/JuxgcRyYt3dEGfI/PAGClsLDn1KPzS IU7YB7Z1KKoyr2D/ThRqwfXZdFAGRUJ/Lt+cn7xgb0p4NWOsYcrpCFrwzhsgA4M0MS f+Kp7rQ7WL0KoYbH0IjnPkVAXI1xcR0qVBj/Eltue5vb8Tx9Cw6x3pTOfVOqoWjb3Q YALHEZ71AkBfQ== Date: Mon, 9 Oct 2023 13:52:45 -0600 From: "Gustavo A. R. Silva" To: Mimi Zohar , Dmitry Kasatkin , Paul Moore , James Morris , "Serge E. Hallyn" Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, "Gustavo A. R. Silva" , linux-hardening@vger.kernel.org Subject: [PATCH] ima: Add __counted_by for struct modsig and use struct_size() Message-ID: Precedence: bulk X-Mailing-List: linux-hardening@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Disposition: inline Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). Also, relocate `hdr->raw_pkcs7_len = sig_len;` so that the __counted_by annotation has effect, and flex-array member `raw_pkcs7` can be properly bounds-checked at run-time. While there, use struct_size() helper, instead of the open-coded version, to calculate the size for the allocation of the whole flexible structure, including of course, the flexible-array member. This code was found with the help of Coccinelle, and audited and fixed manually. Signed-off-by: Gustavo A. R. Silva Reviewed-by: Kees Cook Reviewed-by: Mimi Zohar --- security/integrity/ima/ima_modsig.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c index 3e7bee30080f..3265d744d5ce 100644 --- a/security/integrity/ima/ima_modsig.c +++ b/security/integrity/ima/ima_modsig.c @@ -29,7 +29,7 @@ struct modsig { * storing the signature. */ int raw_pkcs7_len; - u8 raw_pkcs7[]; + u8 raw_pkcs7[] __counted_by(raw_pkcs7_len); }; /* @@ -65,10 +65,11 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len, buf_len -= sig_len + sizeof(*sig); /* Allocate sig_len additional bytes to hold the raw PKCS#7 data. */ - hdr = kzalloc(sizeof(*hdr) + sig_len, GFP_KERNEL); + hdr = kzalloc(struct_size(hdr, raw_pkcs7, sig_len), GFP_KERNEL); if (!hdr) return -ENOMEM; + hdr->raw_pkcs7_len = sig_len; hdr->pkcs7_msg = pkcs7_parse_message(buf + buf_len, sig_len); if (IS_ERR(hdr->pkcs7_msg)) { rc = PTR_ERR(hdr->pkcs7_msg); @@ -77,7 +78,6 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len, } memcpy(hdr->raw_pkcs7, buf + buf_len, sig_len); - hdr->raw_pkcs7_len = sig_len; /* We don't know the hash algorithm yet. */ hdr->hash_algo = HASH_ALGO__LAST;