From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [Linux-ima-devel] [PATCH 0/7] IMA: new parser for ima_restore_measurement_list()
To: linux-ima-devel@lists.sourceforge.net
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
References: <20170516125347.10574-1-roberto.sassu@huawei.com> <4f5bc289-92cb-1ce2-4496-387efbb11769@linux.vnet.ibm.com> <42b629dd-0d1f-b066-03e4-c013d0891ba7@huawei.com> <4b536b04-0e61-aea4-fc27-8dd12f2e3a1b@linux.vnet.ibm.com> <3b204e09-c1c0-b3bc-90fe-a8dfb86baadc@huawei.com>
From: Ken Goldman
Date: Tue, 23 May 2017 17:00:27 -0400
In-Reply-To: <3b204e09-c1c0-b3bc-90fe-a8dfb86baadc@huawei.com>
Message-Id: <96385c1f-26f9-989b-3b68-0ad261e927b5@linux.vnet.ibm.com>

On 5/18/2017 5:38 AM, Roberto Sassu wrote:
>
> There cannot be buffer overflow, because the length of each digest
> field is known.

Crypto Agile:

pcr[4] total_digest_len[4] digest1_len[4] digest1[digest1_len] ...

The way I read this, the digest length is supplied by the caller, which
is slightly different from "known".

For example, if I supply a digest length of 0xffffffff, a too trusting
(buggy) parser could overflow the buffer.

total_digest_len is similarly untrusted. The attacker can send invalid
values.
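
The length validation this reply asks for, as an added example that is not part of the original message or of the IMA patch set. It follows the field layout quoted above; the little-endian byte order, the reading of total_digest_len as the byte count of everything after it, the 64-byte digest cap, the rejection of zero-length digests, and the names `parse_entry` and `rd32` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_DIGEST_LEN 64u /* assumption: largest digest accepted (SHA-512 size) */

/* Read a 32-bit little-endian value (byte order is an assumption). */
static uint32_t rd32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/*
 * Validate one record: pcr[4] total_digest_len[4] { len[4] digest[len] } ...
 * Returns the number of digests found, or -1 if any length field disagrees
 * with the bytes actually present. Each check compares the claimed length
 * against the bytes remaining, so no addition of untrusted values can wrap.
 */
int parse_entry(const uint8_t *buf, size_t buf_len, uint32_t *pcr)
{
	size_t off = 8, end;
	uint32_t total, dlen;
	int count = 0;

	if (buf_len < 8)
		return -1;
	*pcr = rd32(buf);
	total = rd32(buf + 4);
	if (total > buf_len - 8)	/* total_digest_len is untrusted */
		return -1;
	end = 8 + (size_t)total;	/* cannot exceed buf_len after the check */

	while (off < end) {
		if (end - off < 4)	/* no room for a length field */
			return -1;
		dlen = rd32(buf + off);
		off += 4;
		/* zero-length digests are rejected here by assumption */
		if (dlen == 0 || dlen > MAX_DIGEST_LEN || dlen > end - off)
			return -1;	/* a claimed 0xffffffff stops here */
		off += dlen;		/* digest occupies buf[off - dlen, off) */
		count++;
	}
	return count;
}
```
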