From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Tycho Andersen <tycho@tycho.ws>
Cc: Andy Shevchenko <andy.shevchenko@gmail.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-integrity@vger.kernel.org,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
kernel-hardening@lists.openwall.com,
Richard Guy Briggs <rgb@redhat.com>
Subject: Re: [PATCH] ima: drop vla in ima_audit_measurement()
Date: Thu, 08 Mar 2018 14:20:17 -0500 [thread overview]
Message-ID: <1520536817.3605.74.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20180308190431.5fstqsjmbpquzqii@smitten>
On Thu, 2018-03-08 at 12:04 -0700, Tycho Andersen wrote:
> On Thu, Mar 08, 2018 at 01:50:30PM -0500, Mimi Zohar wrote:
> > On Thu, 2018-03-08 at 11:37 -0700, Tycho Andersen wrote:
> > > On Thu, Mar 08, 2018 at 07:47:37PM +0200, Andy Shevchenko wrote:
> > > > On Thu, Mar 8, 2018 at 7:14 PM, Tycho Andersen <tycho@tycho.ws> wrote:
> > > > > In keeping with the directive to get rid of VLAs [1], let's drop the VLA
> > > > > from ima_audit_measurement(). We need to adjust the return type of
> > > > > ima_audit_measurement, because now this function can fail if an allocation
> > > > > fails.
> > > >
> > > >
> > > >
> > > > > + algo_hash_len = hash_len + strlen(algo_name) + 2;
> > > > > + algo_hash = kzalloc(algo_hash_len, GFP_KERNEL);
> > > >
> > > > > - snprintf(algo_hash, sizeof(algo_hash), "%s:%s", algo_name, hash);
> > > > > + snprintf(algo_hash, algo_hash_len, "%s:%s", algo_name, hash);
> > > >
> > > > kasprintf() ?
> > >
> > > Sure, in fact I think we could just do:
> > >
> > > - snprintf(algo_hash, algo_hash_len, "%s:%s", algo_name, hash);
> > > - audit_log_untrustedstring(ab, algo_hash);
> > > + audit_log_untrustedstring(ab, algo_name);
> > > + audit_log_format(ab, ":");
> > > + audit_log_untrustedstring(ab, hash);
> > >
> > > and get rid of the allocation entirely. I'll test and make sure it
> > > works and then re-send.
> >
> > The hash algorithm name is an enumeration that comes from the kernel.
> > It's defined in crypto/hash_info.c: hash_algo_name. Why do we need
> > to use audit_log_untrustedstring()?
>
> Yes, I suppose we don't need it for the hash either, since we're
> generating that and we know it's just hex digits and not any audit
> control characters or "s or anything.
>
> It looks like we could get rid of the other allocation too by just
> using audit_log_n_hex, but that uses hex_byte_pack_upper, vs. the
> hex_byte_pack that's currently in use in this function. Is that too
> much of a breakage?
Based on the discussion with Richard Briggs, we need to differentiate
between the ima_audit_measurement() and the ima_parse_rule() usage of
AUDIT_INTEGRITY_RULE. The ima_parse_rule() will continue to use
AUDIT_INTEGRITY_RULE. ima_audit_measurement() will need to define and
use a new number. Auidt name suggestions would be appreciated.
When we make that sort of change, any other changes are insignificant.
How different are the two formats?
Mimi
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Tycho Andersen <tycho@tycho.ws>
Cc: Andy Shevchenko <andy.shevchenko@gmail.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-integrity@vger.kernel.org,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
kernel-hardening@lists.openwall.com,
Richard Guy Briggs <rgb@redhat.com>
Subject: Re: [PATCH] ima: drop vla in ima_audit_measurement()
Date: Thu, 08 Mar 2018 14:20:17 -0500 [thread overview]
Message-ID: <1520536817.3605.74.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20180308190431.5fstqsjmbpquzqii@smitten>
On Thu, 2018-03-08 at 12:04 -0700, Tycho Andersen wrote:
> On Thu, Mar 08, 2018 at 01:50:30PM -0500, Mimi Zohar wrote:
> > On Thu, 2018-03-08 at 11:37 -0700, Tycho Andersen wrote:
> > > On Thu, Mar 08, 2018 at 07:47:37PM +0200, Andy Shevchenko wrote:
> > > > On Thu, Mar 8, 2018 at 7:14 PM, Tycho Andersen <tycho@tycho.ws> wrote:
> > > > > In keeping with the directive to get rid of VLAs [1], let's drop the VLA
> > > > > from ima_audit_measurement(). We need to adjust the return type of
> > > > > ima_audit_measurement, because now this function can fail if an allocation
> > > > > fails.
> > > >
> > > >
> > > >
> > > > > + algo_hash_len = hash_len + strlen(algo_name) + 2;
> > > > > + algo_hash = kzalloc(algo_hash_len, GFP_KERNEL);
> > > >
> > > > > - snprintf(algo_hash, sizeof(algo_hash), "%s:%s", algo_name, hash);
> > > > > + snprintf(algo_hash, algo_hash_len, "%s:%s", algo_name, hash);
> > > >
> > > > kasprintf() ?
> > >
> > > Sure, in fact I think we could just do:
> > >
> > > - snprintf(algo_hash, algo_hash_len, "%s:%s", algo_name, hash);
> > > - audit_log_untrustedstring(ab, algo_hash);
> > > + audit_log_untrustedstring(ab, algo_name);
> > > + audit_log_format(ab, ":");
> > > + audit_log_untrustedstring(ab, hash);
> > >
> > > and get rid of the allocation entirely. I'll test and make sure it
> > > works and then re-send.
> >
> > The hash algorithm name is an enumeration that comes from the kernel.
> > It's defined in crypto/hash_info.c: hash_algo_name. Why do we need
> > to use audit_log_untrustedstring()?
>
> Yes, I suppose we don't need it for the hash either, since we're
> generating that and we know it's just hex digits and not any audit
> control characters or "s or anything.
>
> It looks like we could get rid of the other allocation too by just
> using audit_log_n_hex, but that uses hex_byte_pack_upper, vs. the
> hex_byte_pack that's currently in use in this function. Is that too
> much of a breakage?
Based on the discussion with Richard Briggs, we need to differentiate
between the ima_audit_measurement() and the ima_parse_rule() usage of
AUDIT_INTEGRITY_RULE. The ima_parse_rule() will continue to use
AUDIT_INTEGRITY_RULE. ima_audit_measurement() will need to define and
use a new number. Auidt name suggestions would be appreciated.
When we make that sort of change, any other changes are insignificant.
How different are the two formats?
Mimi
next prev parent reply other threads:[~2018-03-08 19:20 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-08 17:14 [PATCH] ima: drop vla in ima_audit_measurement() Tycho Andersen
2018-03-08 17:47 ` Andy Shevchenko
2018-03-08 18:37 ` Tycho Andersen
2018-03-08 18:50 ` Mimi Zohar
2018-03-08 18:50 ` Mimi Zohar
2018-03-08 19:04 ` Tycho Andersen
2018-03-08 19:04 ` Tycho Andersen
2018-03-08 19:20 ` Mimi Zohar [this message]
2018-03-08 19:20 ` Mimi Zohar
2018-03-08 19:47 ` Tycho Andersen
2018-03-08 19:47 ` Tycho Andersen
2018-03-08 19:50 ` Mimi Zohar
2018-03-08 19:50 ` Mimi Zohar
-- strict thread matches above, loose matches on Subject: below --
2018-03-08 17:00 Tycho Andersen
2018-03-08 17:12 ` Tycho Andersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1520536817.3605.74.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=andy.shevchenko@gmail.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rgb@redhat.com \
--cc=tycho@tycho.ws \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.