[PATCH v1 1/5] ima-evm-utils: Fix EVP_MD_CTX leak in ima_calc_hash

From: Vitaly Chikunov <vt@altlinux.org>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>,
	Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
	linux-integrity@vger.kernel.org
Subject: [PATCH v1 1/5] ima-evm-utils: Fix EVP_MD_CTX leak in ima_calc_hash
Date: Mon,  8 Jul 2019 02:48:33 +0300	[thread overview]
Message-ID: <20190707234837.4866-2-vt@altlinux.org> (raw)
In-Reply-To: <20190707234837.4866-1-vt@altlinux.org>

When pctx is allocated using EVP_MD_CTX_new() it should be freed.
Found with ASan.

Fixes: 81010f0 ("ima-evm-utils: Add backward compatible support for openssl 1.1")
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
---
 src/libimaevm.c | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/src/libimaevm.c b/src/libimaevm.c
index 51d6c33..fe1962b 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -252,19 +252,21 @@ int ima_calc_hash(const char *file, uint8_t *hash)
 	err = lstat(file, &st);
 	if (err < 0) {
 		log_err("Failed to stat: %s\n", file);
-		return err;
+		goto err;
 	}
 
 	md = EVP_get_digestbyname(params.hash_algo);
 	if (!md) {
 		log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo);
-		return 1;
+		err = 1;
+		goto err;
 	}
 
 	err = EVP_DigestInit(pctx, md);
 	if (!err) {
 		log_err("EVP_DigestInit() failed\n");
-		return 1;
+		err = 1;
+		goto err;
 	}
 
 	switch (st.st_mode & S_IFMT) {
@@ -283,19 +285,25 @@ int ima_calc_hash(const char *file, uint8_t *hash)
 		break;
 	default:
 		log_errno("Unsupported file type");
-		return -1;
+		err = -1;
+		goto err;
 	}
 
 	if (err)
-		return err;
+		goto err;
 
 	err = EVP_DigestFinal(pctx, hash, &mdlen);
 	if (!err) {
 		log_err("EVP_DigestFinal() failed\n");
-		return 1;
+		err = 1;
+		goto err;
 	}
-
-	return mdlen;
+	err = mdlen;
+err:
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+	EVP_MD_CTX_free(pctx);
+#endif
+	return err;
 }
 
 EVP_PKEY *read_pub_pkey(const char *keyfile, int x509)
-- 
2.11.0

