[PATCH v2 1/5] ima-evm-utils: Fix null dereference from file2bin to memcpy

[PATCH v2 1/5] ima-evm-utils: Fix null dereference from file2bin to memcpy

[Vitaly Chikunov]

file2bin() may return NULL, which is set to tmp, which is passed to
memcpy. Add explicit check for it.

Fixes: CID 229904.
---
 src/evmctl.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index a6d07c9..d6e0b2c 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -821,7 +821,15 @@ static int verify_ima(const char *file)
 	if (sigfile) {
 		void *tmp = file2bin(file, "sig", &len);
 
-		assert(len <= sizeof(sig));
+		if (!tmp) {
+			log_err("Failed reading: %s\n", file);
+			return -1;
+		}
+		if (len > sizeof(sig)) {
+			log_err("Signature file is too big: %s\n", file);
+			free(tmp);
+			return -1;
+		}
 		memcpy(sig, tmp, len);
 		free(tmp);
 	} else {
-- 
2.11.0

[PATCH v2 2/5] ima-evm-utils: Fix possible xattr_value overflows in calc_evm_hash

[Vitaly Chikunov]

`selinux_str',`caps_str', and `ima_str' are passed from the command line
but copied into the fixed-size buffer.

Yes, length of `selinux_str' is calculated differently than of `caps_str'.

Fixes: CID 229895.
---
 src/evmctl.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index d6e0b2c..04dc546 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -401,16 +401,31 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
 
 	for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) {
 		if (!strcmp(*xattrname, XATTR_NAME_SELINUX) && selinux_str) {
-			strcpy(xattr_value, selinux_str);
 			err = strlen(selinux_str) + 1;
+			if (err > sizeof(xattr_value)) {
+				log_err("selinux[%u] value is too long to fit into xattr[%zu]\n",
+					err, sizeof(xattr_value));
+				return -1;
+			}
+			strcpy(xattr_value, selinux_str);
 		} else if (!strcmp(*xattrname, XATTR_NAME_IMA) && ima_str) {
-			hex2bin(xattr_value, ima_str, strlen(ima_str) / 2);
 			err = strlen(ima_str) / 2;
+			if (err > sizeof(xattr_value)) {
+				log_err("ima[%u] value is too long to fit into xattr[%zu]\n",
+					err, sizeof(xattr_value));
+				return -1;
+			}
+			hex2bin(xattr_value, ima_str, err);
 		} else if (!strcmp(*xattrname, XATTR_NAME_CAPS) && (hmac_flags & HMAC_FLAG_CAPS_SET)) {
 			if (!caps_str)
 				continue;
-			strcpy(xattr_value, caps_str);
 			err = strlen(caps_str);
+			if (err >= sizeof(xattr_value)) {
+				log_err("caps[%u] value is too long to fit into xattr[%zu]\n",
+					err + 1, sizeof(xattr_value));
+				return -1;
+			}
+			strcpy(xattr_value, caps_str);
 		} else {
 			err = lgetxattr(file, *xattrname, xattr_value, sizeof(xattr_value));
 			if (err < 0) {
-- 
2.11.0

[PATCH v2 3/5] ima-evm-utils: Fix memory leak in get_password

[Vitaly Chikunov]

Free allocated password buffer when returning NULL.

Fixes: CID 229894 (partially).
---
 src/evmctl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/evmctl.c b/src/evmctl.c
index 04dc546..f15056b 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1841,6 +1841,7 @@ static char *get_password(void)
 
 	if (tcsetattr(fileno(stdin), TCSANOW, &tmp_flags) != 0) {
 		perror("tcsetattr");
+		free(password);
 		return NULL;
 	}
 
@@ -1850,6 +1851,7 @@ static char *get_password(void)
 	/* restore terminal */
 	if (tcsetattr(fileno(stdin), TCSANOW, &flags) != 0) {
 		perror("tcsetattr");
+		free(password);
 		return NULL;
 	}
 
-- 
2.11.0

[PATCH v2 4/5] ima-evm-utils: Fix file2bin stat and fopen relations

[Vitaly Chikunov]

Check stat(2) return value, use fstat(2) to avoid race between
stat() and fopen(), remove now unused get_filesize().

Fixes: CID 229889.
---
 src/evmctl.c    | 26 +++++++++++++++++++++-----
 src/imaevm.h    |  1 -
 src/libimaevm.c |  8 --------
 3 files changed, 21 insertions(+), 14 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index f15056b..61808d2 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -175,9 +175,10 @@ static int bin2file(const char *file, const char *ext, const unsigned char *data
 static unsigned char *file2bin(const char *file, const char *ext, int *size)
 {
 	FILE *fp;
-	int len;
+	size_t len;
 	unsigned char *data;
 	char name[strlen(file) + (ext ? strlen(ext) : 0) + 2];
+	struct stat stats;
 
 	if (ext)
 		sprintf(name, "%s.%s", file, ext);
@@ -186,18 +187,33 @@ static unsigned char *file2bin(const char *file, const char *ext, int *size)
 
 	log_info("Reading to %s\n", name);
 
-	len = get_filesize(name);
 	fp = fopen(name, "r");
 	if (!fp) {
 		log_err("Failed to open: %s\n", name);
 		return NULL;
 	}
+	if (fstat(fileno(fp), &stats) == -1) {
+		log_err("Failed to fstat: %s (%s)\n", name, strerror(errno));
+		fclose(fp);
+		return NULL;
+	}
+	len = stats.st_size;
+
 	data = malloc(len);
-	if (!fread(data, len, 1, fp))
-		len = 0;
+	if (!data) {
+		log_err("Failed to malloc %zu bytes: %s\n", len, name);
+		fclose(fp);
+		return NULL;
+	}
+	if (fread(data, len, 1, fp) != len) {
+		log_err("Failed to fread %zu bytes: %s\n", len, name);
+		fclose(fp);
+		free(data);
+		return NULL;
+	}
 	fclose(fp);
 
-	*size = len;
+	*size = (int)len;
 	return data;
 }
 
diff --git a/src/imaevm.h b/src/imaevm.h
index dc81a3a..36050f4 100644
--- a/src/imaevm.h
+++ b/src/imaevm.h
@@ -211,7 +211,6 @@ extern struct libevm_params params;
 
 void do_dump(FILE *fp, const void *ptr, int len, bool cr);
 void dump(const void *ptr, int len);
-int get_filesize(const char *filename);
 int ima_calc_hash(const char *file, uint8_t *hash);
 int get_hash_algo(const char *algo);
 RSA *read_pub_key(const char *keyfile, int x509);
diff --git a/src/libimaevm.c b/src/libimaevm.c
index f8ab812..1562aaf 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -116,14 +116,6 @@ const char *get_hash_algo_by_id(int algo)
 	return "unknown";
 }
 
-int get_filesize(const char *filename)
-{
-	struct stat stats;
-	/*  Need to know the file length */
-	stat(filename, &stats);
-	return (int)stats.st_size;
-}
-
 static inline off_t get_fdsize(int fd)
 {
 	struct stat stats;
-- 
2.11.0

[PATCH v2 5/5] ima-evm-utils: Add more error checking in add_file_hash

[Vitaly Chikunov]

Check return value of fstat(2) in add_file_hash() and remove
now unused get_fdsize().
---
 src/libimaevm.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/src/libimaevm.c b/src/libimaevm.c
index 1562aaf..ae487f9 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -116,20 +116,13 @@ const char *get_hash_algo_by_id(int algo)
 	return "unknown";
 }
 
-static inline off_t get_fdsize(int fd)
-{
-	struct stat stats;
-	/*  Need to know the file length */
-	fstat(fd, &stats);
-	return stats.st_size;
-}
-
 static int add_file_hash(const char *file, EVP_MD_CTX *ctx)
 {
 	uint8_t *data;
 	int err = -1, bs = DATA_SIZE;
 	off_t size, len;
 	FILE *fp;
+	struct stat stats;
 
 	fp = fopen(file, "r");
 	if (!fp) {
@@ -143,7 +136,12 @@ static int add_file_hash(const char *file, EVP_MD_CTX *ctx)
 		goto out;
 	}
 
-	for (size = get_fdsize(fileno(fp)); size; size -= len) {
+	if (fstat(fileno(fp), &stats) == -1) {
+		log_err("Failed to fstat: %s (%s)\n", file, strerror(errno));
+		goto out;
+	}
+
+	for (size = stats.st_size; size; size -= len) {
 		len = MIN(size, bs);
 		if (!fread(data, len, 1, fp)) {
 			if (ferror(fp)) {
-- 
2.11.0

Re: [PATCH v2 1/5] ima-evm-utils: Fix null dereference from file2bin to memcpy

[Mimi Zohar]

Hi Vitaly,

On Mon, 2019-07-15 at 23:05 +0300, Vitaly Chikunov wrote:
> file2bin() may return NULL, which is set to tmp, which is passed to
> memcpy. Add explicit check for it.
> 
> Fixes: CID 229904.

Other than the missing tag, this and the other patches look good.

thanks!

Mimi

Re: [PATCH v2 1/5] ima-evm-utils: Fix null dereference from file2bin to memcpy

[Vitaly Chikunov]

Mimi,

On Tue, Jul 16, 2019 at 10:46:58AM -0400, Mimi Zohar wrote:
> On Mon, 2019-07-15 at 23:05 +0300, Vitaly Chikunov wrote:
> > file2bin() may return NULL, which is set to tmp, which is passed to
> > memcpy. Add explicit check for it.
> > 
> > Fixes: CID 229904.
> 
> Other than the missing tag, this and the other patches look good.

Sorry I forgot to add Signed-off-by tag. You may add to all these commits:

Signed-off-by: Vitaly Chikunov <vt@altlinux.org>

Thanks,

> 
> thanks!
> 
> Mimi