Linux-Security-Module Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] ima: Fix a use after free in ima_read_modsig()
@ 2019-08-08 10:33 Dan Carpenter
  2019-08-08 11:17 ` Mimi Zohar
  0 siblings, 1 reply; 4+ messages in thread
From: Dan Carpenter @ 2019-08-08 10:33 UTC (permalink / raw)
  To: Mimi Zohar, Thiago Jung Bauermann
  Cc: Dmitry Kasatkin, James Morris, Serge E. Hallyn, linux-integrity,
	linux-security-module, kernel-janitors

This code frees "hdr" and then dereferences it on the next line to get
the error code.

Fixes: 39b07096364a ("ima: Implement support for module-style appended signatures")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 security/integrity/ima/ima_modsig.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c
index c412e31d1714..d106885cc495 100644
--- a/security/integrity/ima/ima_modsig.c
+++ b/security/integrity/ima/ima_modsig.c
@@ -91,8 +91,9 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
 
 	hdr->pkcs7_msg = pkcs7_parse_message(buf + buf_len, sig_len);
 	if (IS_ERR(hdr->pkcs7_msg)) {
+		rc = PTR_ERR(hdr->pkcs7_msg);
 		kfree(hdr);
-		return PTR_ERR(hdr->pkcs7_msg);
+		return rc;
 	}
 
 	memcpy(hdr->raw_pkcs7, buf + buf_len, sig_len);
-- 
2.20.1


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] ima: Fix a use after free in ima_read_modsig()
  2019-08-08 10:33 [PATCH] ima: Fix a use after free in ima_read_modsig() Dan Carpenter
@ 2019-08-08 11:17 ` Mimi Zohar
  2019-08-08 11:45   ` Dan Carpenter
  0 siblings, 1 reply; 4+ messages in thread
From: Mimi Zohar @ 2019-08-08 11:17 UTC (permalink / raw)
  To: Dan Carpenter, Thiago Jung Bauermann
  Cc: Dmitry Kasatkin, James Morris, Serge E. Hallyn, linux-integrity,
	linux-security-module, kernel-janitors

On Thu, 2019-08-08 at 13:33 +0300, Dan Carpenter wrote:
> This code frees "hdr" and then dereferences it on the next line to get
> the error code.
> 
> Fixes: 39b07096364a ("ima: Implement support for module-style appended signatures")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Thanks, Dan.  Julia already reported this.  Thiago posted a patch last
night.  Just getting to it now.  Can I add your Reviewed-by or Tested-
by?

Mimi

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] ima: Fix a use after free in ima_read_modsig()
  2019-08-08 11:17 ` Mimi Zohar
@ 2019-08-08 11:45   ` Dan Carpenter
  2019-08-08 11:55     ` Mimi Zohar
  0 siblings, 1 reply; 4+ messages in thread
From: Dan Carpenter @ 2019-08-08 11:45 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: Thiago Jung Bauermann, Dmitry Kasatkin, James Morris,
	Serge E. Hallyn, linux-integrity, linux-security-module,
	kernel-janitors

On Thu, Aug 08, 2019 at 07:17:22AM -0400, Mimi Zohar wrote:
> On Thu, 2019-08-08 at 13:33 +0300, Dan Carpenter wrote:
> > This code frees "hdr" and then dereferences it on the next line to get
> > the error code.
> > 
> > Fixes: 39b07096364a ("ima: Implement support for module-style appended signatures")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> Thanks, Dan.  Julia already reported this.  Thiago posted a patch last
> night.  Just getting to it now.  Can I add your Reviewed-by or Tested-
> by?

I haven't seen the other patch so Reviewed-by seems like the wrong
thing.  I don't really need any sort of credit.  I'm just going through
my backlog of warnings from being out of office.  Perhaps Reported-by?

regards,
dan carpenter


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] ima: Fix a use after free in ima_read_modsig()
  2019-08-08 11:45   ` Dan Carpenter
@ 2019-08-08 11:55     ` Mimi Zohar
  0 siblings, 0 replies; 4+ messages in thread
From: Mimi Zohar @ 2019-08-08 11:55 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Thiago Jung Bauermann, Dmitry Kasatkin, James Morris,
	Serge E. Hallyn, linux-integrity, linux-security-module,
	kernel-janitors

On Thu, 2019-08-08 at 14:45 +0300, Dan Carpenter wrote:
> On Thu, Aug 08, 2019 at 07:17:22AM -0400, Mimi Zohar wrote:
> > On Thu, 2019-08-08 at 13:33 +0300, Dan Carpenter wrote:
> > > This code frees "hdr" and then dereferences it on the next line to get
> > > the error code.
> > > 
> > > Fixes: 39b07096364a ("ima: Implement support for module-style appended signatures")
> > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > 
> > Thanks, Dan.  Julia already reported this.  Thiago posted a patch last
> > night.  Just getting to it now.  Can I add your Reviewed-by or Tested-
> > by?
> 
> I haven't seen the other patch so Reviewed-by seems like the wrong
> thing.  I don't really need any sort of credit.  I'm just going through
> my backlog of warnings from being out of office.  Perhaps Reported-by?

That works.  FYI, your solution and Thiago's are exactly the same.[1]

Mimi

[1] https://lore.kernel.org/linux-integrity/8736ico5ax.fsf@morokweng.localdomain/T/#u

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, back to index

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-08 10:33 [PATCH] ima: Fix a use after free in ima_read_modsig() Dan Carpenter
2019-08-08 11:17 ` Mimi Zohar
2019-08-08 11:45   ` Dan Carpenter
2019-08-08 11:55     ` Mimi Zohar

Linux-Security-Module Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-security-module/0 linux-security-module/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-security-module linux-security-module/ https://lore.kernel.org/linux-security-module \
		linux-security-module@vger.kernel.org linux-security-module@archiver.kernel.org
	public-inbox-index linux-security-module


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-security-module


AGPL code for this site: git clone https://public-inbox.org/ public-inbox