* [PATCH v2 1/5] ima-evm-utils: Fix null dereference from file2bin to memcpy
@ 2019-07-15 20:05 Vitaly Chikunov
2019-07-15 20:05 ` [PATCH v2 2/5] ima-evm-utils: Fix possible xattr_value overflows in calc_evm_hash Vitaly Chikunov
` (4 more replies)
0 siblings, 5 replies; 7+ messages in thread
From: Vitaly Chikunov @ 2019-07-15 20:05 UTC (permalink / raw)
To: Mimi Zohar, Dmitry Kasatkin, linux-integrity
file2bin() may return NULL, which is set to tmp, which is passed to
memcpy. Add explicit check for it.
Fixes: CID 229904.
---
src/evmctl.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index a6d07c9..d6e0b2c 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -821,7 +821,15 @@ static int verify_ima(const char *file)
if (sigfile) {
void *tmp = file2bin(file, "sig", &len);
- assert(len <= sizeof(sig));
+ if (!tmp) {
+ log_err("Failed reading: %s\n", file);
+ return -1;
+ }
+ if (len > sizeof(sig)) {
+ log_err("Signature file is too big: %s\n", file);
+ free(tmp);
+ return -1;
+ }
memcpy(sig, tmp, len);
free(tmp);
} else {
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH v2 2/5] ima-evm-utils: Fix possible xattr_value overflows in calc_evm_hash
2019-07-15 20:05 [PATCH v2 1/5] ima-evm-utils: Fix null dereference from file2bin to memcpy Vitaly Chikunov
@ 2019-07-15 20:05 ` Vitaly Chikunov
2019-07-15 20:05 ` [PATCH v2 3/5] ima-evm-utils: Fix memory leak in get_password Vitaly Chikunov
` (3 subsequent siblings)
4 siblings, 0 replies; 7+ messages in thread
From: Vitaly Chikunov @ 2019-07-15 20:05 UTC (permalink / raw)
To: Mimi Zohar, Dmitry Kasatkin, linux-integrity
`selinux_str',`caps_str', and `ima_str' are passed from the command line
but copied into the fixed-size buffer.
Yes, length of `selinux_str' is calculated differently than of `caps_str'.
Fixes: CID 229895.
---
src/evmctl.c | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index d6e0b2c..04dc546 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -401,16 +401,31 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) {
if (!strcmp(*xattrname, XATTR_NAME_SELINUX) && selinux_str) {
- strcpy(xattr_value, selinux_str);
err = strlen(selinux_str) + 1;
+ if (err > sizeof(xattr_value)) {
+ log_err("selinux[%u] value is too long to fit into xattr[%zu]\n",
+ err, sizeof(xattr_value));
+ return -1;
+ }
+ strcpy(xattr_value, selinux_str);
} else if (!strcmp(*xattrname, XATTR_NAME_IMA) && ima_str) {
- hex2bin(xattr_value, ima_str, strlen(ima_str) / 2);
err = strlen(ima_str) / 2;
+ if (err > sizeof(xattr_value)) {
+ log_err("ima[%u] value is too long to fit into xattr[%zu]\n",
+ err, sizeof(xattr_value));
+ return -1;
+ }
+ hex2bin(xattr_value, ima_str, err);
} else if (!strcmp(*xattrname, XATTR_NAME_CAPS) && (hmac_flags & HMAC_FLAG_CAPS_SET)) {
if (!caps_str)
continue;
- strcpy(xattr_value, caps_str);
err = strlen(caps_str);
+ if (err >= sizeof(xattr_value)) {
+ log_err("caps[%u] value is too long to fit into xattr[%zu]\n",
+ err + 1, sizeof(xattr_value));
+ return -1;
+ }
+ strcpy(xattr_value, caps_str);
} else {
err = lgetxattr(file, *xattrname, xattr_value, sizeof(xattr_value));
if (err < 0) {
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH v2 3/5] ima-evm-utils: Fix memory leak in get_password
2019-07-15 20:05 [PATCH v2 1/5] ima-evm-utils: Fix null dereference from file2bin to memcpy Vitaly Chikunov
2019-07-15 20:05 ` [PATCH v2 2/5] ima-evm-utils: Fix possible xattr_value overflows in calc_evm_hash Vitaly Chikunov
@ 2019-07-15 20:05 ` Vitaly Chikunov
2019-07-15 20:05 ` [PATCH v2 4/5] ima-evm-utils: Fix file2bin stat and fopen relations Vitaly Chikunov
` (2 subsequent siblings)
4 siblings, 0 replies; 7+ messages in thread
From: Vitaly Chikunov @ 2019-07-15 20:05 UTC (permalink / raw)
To: Mimi Zohar, Dmitry Kasatkin, linux-integrity
Free allocated password buffer when returning NULL.
Fixes: CID 229894 (partially).
---
src/evmctl.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/evmctl.c b/src/evmctl.c
index 04dc546..f15056b 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1841,6 +1841,7 @@ static char *get_password(void)
if (tcsetattr(fileno(stdin), TCSANOW, &tmp_flags) != 0) {
perror("tcsetattr");
+ free(password);
return NULL;
}
@@ -1850,6 +1851,7 @@ static char *get_password(void)
/* restore terminal */
if (tcsetattr(fileno(stdin), TCSANOW, &flags) != 0) {
perror("tcsetattr");
+ free(password);
return NULL;
}
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH v2 4/5] ima-evm-utils: Fix file2bin stat and fopen relations
2019-07-15 20:05 [PATCH v2 1/5] ima-evm-utils: Fix null dereference from file2bin to memcpy Vitaly Chikunov
2019-07-15 20:05 ` [PATCH v2 2/5] ima-evm-utils: Fix possible xattr_value overflows in calc_evm_hash Vitaly Chikunov
2019-07-15 20:05 ` [PATCH v2 3/5] ima-evm-utils: Fix memory leak in get_password Vitaly Chikunov
@ 2019-07-15 20:05 ` Vitaly Chikunov
2019-07-15 20:05 ` [PATCH v2 5/5] ima-evm-utils: Add more error checking in add_file_hash Vitaly Chikunov
2019-07-16 14:46 ` [PATCH v2 1/5] ima-evm-utils: Fix null dereference from file2bin to memcpy Mimi Zohar
4 siblings, 0 replies; 7+ messages in thread
From: Vitaly Chikunov @ 2019-07-15 20:05 UTC (permalink / raw)
To: Mimi Zohar, Dmitry Kasatkin, linux-integrity
Check stat(2) return value, use fstat(2) to avoid race between
stat() and fopen(), remove now unused get_filesize().
Fixes: CID 229889.
---
src/evmctl.c | 26 +++++++++++++++++++++-----
src/imaevm.h | 1 -
src/libimaevm.c | 8 --------
3 files changed, 21 insertions(+), 14 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index f15056b..61808d2 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -175,9 +175,10 @@ static int bin2file(const char *file, const char *ext, const unsigned char *data
static unsigned char *file2bin(const char *file, const char *ext, int *size)
{
FILE *fp;
- int len;
+ size_t len;
unsigned char *data;
char name[strlen(file) + (ext ? strlen(ext) : 0) + 2];
+ struct stat stats;
if (ext)
sprintf(name, "%s.%s", file, ext);
@@ -186,18 +187,33 @@ static unsigned char *file2bin(const char *file, const char *ext, int *size)
log_info("Reading to %s\n", name);
- len = get_filesize(name);
fp = fopen(name, "r");
if (!fp) {
log_err("Failed to open: %s\n", name);
return NULL;
}
+ if (fstat(fileno(fp), &stats) == -1) {
+ log_err("Failed to fstat: %s (%s)\n", name, strerror(errno));
+ fclose(fp);
+ return NULL;
+ }
+ len = stats.st_size;
+
data = malloc(len);
- if (!fread(data, len, 1, fp))
- len = 0;
+ if (!data) {
+ log_err("Failed to malloc %zu bytes: %s\n", len, name);
+ fclose(fp);
+ return NULL;
+ }
+ if (fread(data, len, 1, fp) != len) {
+ log_err("Failed to fread %zu bytes: %s\n", len, name);
+ fclose(fp);
+ free(data);
+ return NULL;
+ }
fclose(fp);
- *size = len;
+ *size = (int)len;
return data;
}
diff --git a/src/imaevm.h b/src/imaevm.h
index dc81a3a..36050f4 100644
--- a/src/imaevm.h
+++ b/src/imaevm.h
@@ -211,7 +211,6 @@ extern struct libevm_params params;
void do_dump(FILE *fp, const void *ptr, int len, bool cr);
void dump(const void *ptr, int len);
-int get_filesize(const char *filename);
int ima_calc_hash(const char *file, uint8_t *hash);
int get_hash_algo(const char *algo);
RSA *read_pub_key(const char *keyfile, int x509);
diff --git a/src/libimaevm.c b/src/libimaevm.c
index f8ab812..1562aaf 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -116,14 +116,6 @@ const char *get_hash_algo_by_id(int algo)
return "unknown";
}
-int get_filesize(const char *filename)
-{
- struct stat stats;
- /* Need to know the file length */
- stat(filename, &stats);
- return (int)stats.st_size;
-}
-
static inline off_t get_fdsize(int fd)
{
struct stat stats;
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH v2 5/5] ima-evm-utils: Add more error checking in add_file_hash
2019-07-15 20:05 [PATCH v2 1/5] ima-evm-utils: Fix null dereference from file2bin to memcpy Vitaly Chikunov
` (2 preceding siblings ...)
2019-07-15 20:05 ` [PATCH v2 4/5] ima-evm-utils: Fix file2bin stat and fopen relations Vitaly Chikunov
@ 2019-07-15 20:05 ` Vitaly Chikunov
2019-07-16 14:46 ` [PATCH v2 1/5] ima-evm-utils: Fix null dereference from file2bin to memcpy Mimi Zohar
4 siblings, 0 replies; 7+ messages in thread
From: Vitaly Chikunov @ 2019-07-15 20:05 UTC (permalink / raw)
To: Mimi Zohar, Dmitry Kasatkin, linux-integrity
Check return value of fstat(2) in add_file_hash() and remove
now unused get_fdsize().
---
src/libimaevm.c | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/src/libimaevm.c b/src/libimaevm.c
index 1562aaf..ae487f9 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -116,20 +116,13 @@ const char *get_hash_algo_by_id(int algo)
return "unknown";
}
-static inline off_t get_fdsize(int fd)
-{
- struct stat stats;
- /* Need to know the file length */
- fstat(fd, &stats);
- return stats.st_size;
-}
-
static int add_file_hash(const char *file, EVP_MD_CTX *ctx)
{
uint8_t *data;
int err = -1, bs = DATA_SIZE;
off_t size, len;
FILE *fp;
+ struct stat stats;
fp = fopen(file, "r");
if (!fp) {
@@ -143,7 +136,12 @@ static int add_file_hash(const char *file, EVP_MD_CTX *ctx)
goto out;
}
- for (size = get_fdsize(fileno(fp)); size; size -= len) {
+ if (fstat(fileno(fp), &stats) == -1) {
+ log_err("Failed to fstat: %s (%s)\n", file, strerror(errno));
+ goto out;
+ }
+
+ for (size = stats.st_size; size; size -= len) {
len = MIN(size, bs);
if (!fread(data, len, 1, fp)) {
if (ferror(fp)) {
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH v2 1/5] ima-evm-utils: Fix null dereference from file2bin to memcpy
2019-07-15 20:05 [PATCH v2 1/5] ima-evm-utils: Fix null dereference from file2bin to memcpy Vitaly Chikunov
` (3 preceding siblings ...)
2019-07-15 20:05 ` [PATCH v2 5/5] ima-evm-utils: Add more error checking in add_file_hash Vitaly Chikunov
@ 2019-07-16 14:46 ` Mimi Zohar
2019-07-16 14:59 ` Vitaly Chikunov
4 siblings, 1 reply; 7+ messages in thread
From: Mimi Zohar @ 2019-07-16 14:46 UTC (permalink / raw)
To: Vitaly Chikunov, Mimi Zohar, Dmitry Kasatkin, linux-integrity
Hi Vitaly,
On Mon, 2019-07-15 at 23:05 +0300, Vitaly Chikunov wrote:
> file2bin() may return NULL, which is set to tmp, which is passed to
> memcpy. Add explicit check for it.
>
> Fixes: CID 229904.
Other than the missing tag, this and the other patches look good.
thanks!
Mimi
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2 1/5] ima-evm-utils: Fix null dereference from file2bin to memcpy
2019-07-16 14:46 ` [PATCH v2 1/5] ima-evm-utils: Fix null dereference from file2bin to memcpy Mimi Zohar
@ 2019-07-16 14:59 ` Vitaly Chikunov
0 siblings, 0 replies; 7+ messages in thread
From: Vitaly Chikunov @ 2019-07-16 14:59 UTC (permalink / raw)
To: Mimi Zohar; +Cc: Mimi Zohar, Dmitry Kasatkin, linux-integrity
Mimi,
On Tue, Jul 16, 2019 at 10:46:58AM -0400, Mimi Zohar wrote:
> On Mon, 2019-07-15 at 23:05 +0300, Vitaly Chikunov wrote:
> > file2bin() may return NULL, which is set to tmp, which is passed to
> > memcpy. Add explicit check for it.
> >
> > Fixes: CID 229904.
>
> Other than the missing tag, this and the other patches look good.
Sorry I forgot to add Signed-off-by tag. You may add to all these commits:
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Thanks,
>
> thanks!
>
> Mimi
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2019-07-16 14:59 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-15 20:05 [PATCH v2 1/5] ima-evm-utils: Fix null dereference from file2bin to memcpy Vitaly Chikunov
2019-07-15 20:05 ` [PATCH v2 2/5] ima-evm-utils: Fix possible xattr_value overflows in calc_evm_hash Vitaly Chikunov
2019-07-15 20:05 ` [PATCH v2 3/5] ima-evm-utils: Fix memory leak in get_password Vitaly Chikunov
2019-07-15 20:05 ` [PATCH v2 4/5] ima-evm-utils: Fix file2bin stat and fopen relations Vitaly Chikunov
2019-07-15 20:05 ` [PATCH v2 5/5] ima-evm-utils: Add more error checking in add_file_hash Vitaly Chikunov
2019-07-16 14:46 ` [PATCH v2 1/5] ima-evm-utils: Fix null dereference from file2bin to memcpy Mimi Zohar
2019-07-16 14:59 ` Vitaly Chikunov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).