Linux-Security-Module Archive on
 help / color / Atom feed
* [PATCH][next] ima: ima_modsig: Fix use-after-free bug in ima_read_modsig
@ 2019-08-11 23:55 Gustavo A. R. Silva
  0 siblings, 0 replies; only message in thread
From: Gustavo A. R. Silva @ 2019-08-11 23:55 UTC (permalink / raw)
  To: Mimi Zohar, Dmitry Kasatkin, James Morris, Serge E. Hallyn,
	Thiago Jung Bauermann
  Cc: linux-integrity, linux-security-module, linux-kernel,
	Gustavo A. R. Silva

hdr is being freed and then dereferenced by accessing hdr->pkcs7_msg

Fix this by copying the value returned by PTR_ERR(hdr->pkcs7_msg) into
automatic variable err for its safe use after freeing hdr.

Addresses-Coverity-ID: 1485813 ("Read from pointer after free")
Fixes: 39b07096364a ("ima: Implement support for module-style appended signatures")
Signed-off-by: Gustavo A. R. Silva <>
 security/integrity/ima/ima_modsig.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c
index c412e31d1714..e681d4326145 100644
--- a/security/integrity/ima/ima_modsig.c
+++ b/security/integrity/ima/ima_modsig.c
@@ -91,8 +91,9 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
 	hdr->pkcs7_msg = pkcs7_parse_message(buf + buf_len, sig_len);
 	if (IS_ERR(hdr->pkcs7_msg)) {
+		int err = PTR_ERR(hdr->pkcs7_msg);
-		return PTR_ERR(hdr->pkcs7_msg);
+		return err;
 	memcpy(hdr->raw_pkcs7, buf + buf_len, sig_len);

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, back to index

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-11 23:55 [PATCH][next] ima: ima_modsig: Fix use-after-free bug in ima_read_modsig Gustavo A. R. Silva

Linux-Security-Module Archive on

Archives are clonable:
	git clone --mirror linux-security-module/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-security-module linux-security-module/ \
	public-inbox-index linux-security-module

Newsgroup available over NNTP:

AGPL code for this site: git clone public-inbox