linux-integrity.vger.kernel.org archive mirror
* [PATCH 1/4] evm: check hash algorithm passed to init_desc()
@ 2019-05-16 16:12 Roberto Sassu
  2019-05-16 16:12 ` [PATCH 2/4] evm: reset status in evm_inode_post_setattr() Roberto Sassu
                   ` (3 more replies)
  0 siblings, 4 replies; 13+ messages in thread
From: Roberto Sassu @ 2019-05-16 16:12 UTC (permalink / raw)
  To: zohar, dmitry.kasatkin, mjg59
  Cc: linux-integrity, linux-doc, linux-security-module, linux-kernel,
	silviu.vlasceanu, Roberto Sassu, stable

This patch prevents memory access beyond the evm_tfm array by checking the
validity of the index (hash algorithm) passed to init_desc(). The hash
algorithm can be arbitrarily set if the security.ima xattr type is not
EVM_XATTR_HMAC.

Fixes: 5feeb61183dde ("evm: Allow non-SHA1 digital signatures")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Cc: stable@vger.kernel.org
---
 security/integrity/evm/evm_crypto.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index e11564eb645b..82a38e801ee4 100644
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -89,6 +89,9 @@ static struct shash_desc *init_desc(char type, uint8_t hash_algo)
 		tfm = &hmac_tfm;
 		algo = evm_hmac;
 	} else {
+		if (hash_algo >= HASH_ALGO__LAST)
+			return ERR_PTR(-EINVAL);
+
 		tfm = &evm_tfm[hash_algo];
 		algo = hash_algo_name[hash_algo];
 	}
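Review bot: the range check is placed correctly, before both indexed reads (`evm_tfm[hash_algo]` and `hash_algo_name[hash_algo]`) and only in the non-HMAC branch where the caller-supplied value is used, but nothing in the hunk ties HASH_ALGO__LAST to the actual size of evm_tfm; consider writing the test as `if (hash_algo >= ARRAY_SIZE(evm_tfm))` or adding a one-line comment stating that evm_tfm is dimensioned by HASH_ALGO__LAST, so the check cannot drift if the array is resized. It is also worth confirming that every caller of init_desc() checks the result with IS_ERR() rather than a NULL test, since ERR_PTR(-EINVAL) is a new failure path introduced here.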
-- 
2.17.1



Thread overview: 13+ messages
2019-05-16 16:12 [PATCH 1/4] evm: check hash algorithm passed to init_desc() Roberto Sassu
2019-05-16 16:12 ` [PATCH 2/4] evm: reset status in evm_inode_post_setattr() Roberto Sassu
2019-05-20 21:19   ` Mimi Zohar
2019-05-16 16:12 ` [PATCH 3/4] ima: don't ignore INTEGRITY_UNKNOWN EVM status Roberto Sassu
     [not found]   ` <20190517001001.9BEF620848@mail.kernel.org>
2019-05-17  0:30     ` Mimi Zohar
2019-05-17  1:07       ` Sasha Levin
2019-05-20 21:20   ` Mimi Zohar
2019-05-21  7:26     ` Roberto Sassu
2019-05-21 11:48       ` Mimi Zohar
2019-05-16 16:12 ` [PATCH 4/4] ima: only audit failed appraisal verifications Roberto Sassu
2019-05-20 21:20   ` Mimi Zohar
2019-05-21  7:32     ` Roberto Sassu
2019-05-20 21:19 ` [PATCH 1/4] evm: check hash algorithm passed to init_desc() Mimi Zohar
