* [PATCH] IMA: set a default value for unknown digsig algorithms
@ 2021-08-20 12:18 THOBY Simon
2021-08-20 15:31 ` Lakshmi Ramasubramanian
2021-08-20 20:40 ` Mimi Zohar
0 siblings, 2 replies; 3+ messages in thread
From: THOBY Simon @ 2021-08-20 12:18 UTC (permalink / raw)
To: zohar, dmitry.kasatkin, linux-integrity
Cc: THOBY Simon, syzbot+e8bafe7b82c739eaf153
When adding new protections against writing invalid data in
the security.ima xattr, I erroneously expected ima_get_hash_algo()
to always return a valid 'enum hash_algo', but it turns out it trusts
the user-supplied digital signatures and return it without any checks.
It didn't affect process_measurement() because that function
(indirectly) calls into ima_alloc_atfm() that fallback silently
on the default hash algorithm, but it did affect ima_inode_setxattr
as that new function didn't perform a bounds check.
Update ima_get_hash_algo() to always return a valid hash algorithm,
defaulting on 'ima_hash_algo' when the user-supplied value inside
the xattr is invalid.
This patch was successfully tested by syszbot, see
https://syzkaller.appspot.com/bug?extid=e8bafe7b82c739eaf153.
Signed-off-by: THOBY Simon <Simon.THOBY@viveris.fr>
Reported-by: syzbot+e8bafe7b82c739eaf153@syzkaller.appspotmail.com
---
security/integrity/ima/ima_appraise.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 8f1eb7ef041e..dbba51583e7c 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -185,7 +185,8 @@ enum hash_algo ima_get_hash_algo(const struct evm_ima_xattr_data *xattr_value,
switch (xattr_value->type) {
case EVM_IMA_XATTR_DIGSIG:
sig = (typeof(sig))xattr_value;
- if (sig->version != 2 || xattr_len <= sizeof(*sig))
+ if (sig->version != 2 || xattr_len <= sizeof(*sig)
+ || sig->hash_algo >= HASH_ALGO__LAST)
return ima_hash_algo;
return sig->hash_algo;
break;
--
2.31.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] IMA: set a default value for unknown digsig algorithms
2021-08-20 12:18 [PATCH] IMA: set a default value for unknown digsig algorithms THOBY Simon
@ 2021-08-20 15:31 ` Lakshmi Ramasubramanian
2021-08-20 20:40 ` Mimi Zohar
1 sibling, 0 replies; 3+ messages in thread
From: Lakshmi Ramasubramanian @ 2021-08-20 15:31 UTC (permalink / raw)
To: THOBY Simon, zohar, dmitry.kasatkin, linux-integrity
Cc: syzbot+e8bafe7b82c739eaf153
On 8/20/2021 5:18 AM, THOBY Simon wrote:
> When adding new protections against writing invalid data in
> the security.ima xattr, I erroneously expected ima_get_hash_algo()
> to always return a valid 'enum hash_algo', but it turns out it trusts
> the user-supplied digital signatures and return it without any checks.
> It didn't affect process_measurement() because that function
> (indirectly) calls into ima_alloc_atfm() that fallback silently
> on the default hash algorithm, but it did affect ima_inode_setxattr
> as that new function didn't perform a bounds check.
>
> Update ima_get_hash_algo() to always return a valid hash algorithm,
> defaulting on 'ima_hash_algo' when the user-supplied value inside
> the xattr is invalid.
>
> This patch was successfully tested by syszbot, see
> https://syzkaller.appspot.com/bug?extid=e8bafe7b82c739eaf153.
>
> Signed-off-by: THOBY Simon <Simon.THOBY@viveris.fr>
> Reported-by: syzbot+e8bafe7b82c739eaf153@syzkaller.appspotmail.com
> ---
> security/integrity/ima/ima_appraise.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
-lakshmi
>
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index 8f1eb7ef041e..dbba51583e7c 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -185,7 +185,8 @@ enum hash_algo ima_get_hash_algo(const struct evm_ima_xattr_data *xattr_value,
> switch (xattr_value->type) {
> case EVM_IMA_XATTR_DIGSIG:
> sig = (typeof(sig))xattr_value;
> - if (sig->version != 2 || xattr_len <= sizeof(*sig))
> + if (sig->version != 2 || xattr_len <= sizeof(*sig)
> + || sig->hash_algo >= HASH_ALGO__LAST)
> return ima_hash_algo;
> return sig->hash_algo;
> break;
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] IMA: set a default value for unknown digsig algorithms
2021-08-20 12:18 [PATCH] IMA: set a default value for unknown digsig algorithms THOBY Simon
2021-08-20 15:31 ` Lakshmi Ramasubramanian
@ 2021-08-20 20:40 ` Mimi Zohar
1 sibling, 0 replies; 3+ messages in thread
From: Mimi Zohar @ 2021-08-20 20:40 UTC (permalink / raw)
To: THOBY Simon, dmitry.kasatkin, linux-integrity; +Cc: syzbot+e8bafe7b82c739eaf153
Hi Simon,
On Fri, 2021-08-20 at 12:18 +0000, THOBY Simon wrote:
> When adding new protections against writing invalid data in
> the security.ima xattr, I erroneously expected ima_get_hash_algo()
> to always return a valid 'enum hash_algo', but it turns out it trusts
> the user-supplied digital signatures and return it without any checks.
> It didn't affect process_measurement() because that function
> (indirectly) calls into ima_alloc_atfm() that fallback silently
> on the default hash algorithm, but it did affect ima_inode_setxattr
> as that new function didn't perform a bounds check.
Please update patch description something like:
The new function validate_hash_algo() assumed that ima_get_hash_algo()
always return a valid 'enum hash_algo', but returned the user-supplied hash algorithm from the digital signature without any checks.
>
> Update ima_get_hash_algo() to always return a valid hash algorithm,
> defaulting on 'ima_hash_algo' when the user-supplied value inside
> the xattr is invalid.
>
> This patch was successfully tested by syszbot, see
> https://syzkaller.appspot.com/bug?extid=e8bafe7b82c739eaf153.
Thank you for the pointer.
>
> Signed-off-by: THOBY Simon <Simon.THOBY@viveris.fr>
> Reported-by: syzbot+e8bafe7b82c739eaf153@syzkaller.appspotmail.com
Fixes: 50f742dd9147 ("IMA: block writes of the security.ima xattr with
unsupported algorithms")
thanks,
Mimi
> ---
> security/integrity/ima/ima_appraise.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index 8f1eb7ef041e..dbba51583e7c 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -185,7 +185,8 @@ enum hash_algo ima_get_hash_algo(const struct evm_ima_xattr_data *xattr_value,
> switch (xattr_value->type) {
> case EVM_IMA_XATTR_DIGSIG:
> sig = (typeof(sig))xattr_value;
> - if (sig->version != 2 || xattr_len <= sizeof(*sig))
> + if (sig->version != 2 || xattr_len <= sizeof(*sig)
> + || sig->hash_algo >= HASH_ALGO__LAST)
> return ima_hash_algo;
> return sig->hash_algo;
> break;
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-08-20 20:40 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-20 12:18 [PATCH] IMA: set a default value for unknown digsig algorithms THOBY Simon
2021-08-20 15:31 ` Lakshmi Ramasubramanian
2021-08-20 20:40 ` Mimi Zohar
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.