linux-kernel.vger.kernel.org archive mirror
* [PATCH] ima: Fix potential NULL pointer access in ima_match_rules()
@ 2023-03-14 18:03 Roman Danilov
  2023-03-15  0:17 ` Mimi Zohar
  2023-03-28  3:46 ` Guozihua (Scott)
  0 siblings, 2 replies; 3+ messages in thread
From: Roman Danilov @ 2023-03-14 18:03 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: Roman Danilov, Dmitry Kasatkin, Paul Moore, James Morris,
	Serge E. Hallyn, Roberto Sassu, GUO Zihua, linux-integrity,
	linux-security-module, linux-kernel, lvc-project,
	Alexey Khoroshilov

In ima_match_rules(), when ima_lsm_copy_rule() fails, a NULL pointer
is assigned to lsm_rule. After that, in the next step of the loop,
the NULL pointer is dereferenced in lsm_rule->lsm[i].rule.

Since ima_match_rules() is not designed to return an error code,
add __GFP_NOFAIL to make sure the memory allocation succeeds.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
Signed-off-by: Roman Danilov <romanosauce57@gmail.com>
Reviewed-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
---
 security/integrity/ima/ima_policy.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 3ca8b7348c2e..1b6bfcbcdeac 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -401,7 +401,8 @@ static void ima_free_rule(struct ima_rule_entry *entry)
 	kfree(entry);
 }
 
-static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
+static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry,
+						gfp_t gfp)
 {
 	struct ima_rule_entry *nentry;
 	int i;
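Review bot: the new `gfp_t gfp` parameter is undocumented; a one-line comment above the prototype saying which allocation(s) inside ima_lsm_copy_rule() the flags are applied to would let callers judge whether passing __GFP_NOFAIL actually makes the copy infallible.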
@@ -410,7 +411,7 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
 	 * Immutable elements are copied over as pointers and data; only
 	 * lsm rules can change
 	 */
-	nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL);
+	nentry = kmemdup(entry, sizeof(*nentry), gfp);
 	if (!nentry)
 		return NULL;
 
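Review bot: only the kmemdup() on this line receives the caller's `gfp`, yet the `return NULL` path directly below it remains. Unless every other allocation performed later in ima_lsm_copy_rule() (not part of this hunk) also honours `gfp`, a caller passing __GFP_NOFAIL cannot assume a non-NULL result; either thread `gfp` through the remaining allocations as well or keep the NULL check at the call site.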
@@ -438,7 +439,7 @@ static int ima_lsm_update_rule(struct ima_rule_entry *entry)
 	int i;
 	struct ima_rule_entry *nentry;
 
-	nentry = ima_lsm_copy_rule(entry);
+	nentry = ima_lsm_copy_rule(entry, GFP_KERNEL);
 	if (!nentry)
 		return -ENOMEM;
 
@@ -664,11 +665,10 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
 		}
 
 		if (rc == -ESTALE && !rule_reinitialized) {
-			lsm_rule = ima_lsm_copy_rule(rule);
-			if (lsm_rule) {
-				rule_reinitialized = true;
-				goto retry;
-			}
+			lsm_rule = ima_lsm_copy_rule(rule,
+						     GFP_KERNEL | __GFP_NOFAIL);
+			rule_reinitialized = true;
+			goto retry;
 		}
 		if (!rc) {
 			result = false;
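Review bot: dropping the `if (lsm_rule)` guard makes `goto retry` unconditional, so the retry path now relies entirely on ima_lsm_copy_rule() never returning NULL, which __GFP_NOFAIL guarantees only for the allocations that actually receive the flag. The commit message should also state the concrete path on which lsm_rule is dereferenced while NULL, since the existing loop tests `rule_reinitialized` before touching lsm_rule->lsm[i].rule (as Mimi Zohar's reply in this thread points out), and should justify accepting a potentially indefinite allocation stall from __GFP_NOFAIL inside a bool-returning policy-match function rather than treating the rule as non-matching when the copy fails.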
-- 
2.34.1



* Re: [PATCH] ima: Fix potential NULL pointer access in ima_match_rules()
From: Mimi Zohar @ 2023-03-15  0:17 UTC (permalink / raw)
  To: Roman Danilov
  Cc: Dmitry Kasatkin, Paul Moore, James Morris, Serge E. Hallyn,
	Roberto Sassu, GUO Zihua, linux-integrity, linux-security-module,
	linux-kernel, lvc-project, Alexey Khoroshilov

On Tue, 2023-03-14 at 21:03 +0300, Roman Danilov wrote:
> In ima_match_rules(), when ima_lsm_copy_rule() fails, NULL pointer
> is assigned to lsm_rule. After that, in the next step of the loop
> NULL pointer is dereferenced in lsm_rule->lsm[i].rule.

I must be missing something.  The next step of the loop tests
whether rule_reinitialized is set before accessing lsm_rule->lsm[i].rule.

> 
> As far as ima_match_rules() is not designed to return error code,
> add __GFP_NOFAIL to make sure memory allocation succeeds.

Using __GFP_NOFAIL here would be safer.

> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
> Signed-off-by: Roman Danilov <romanosauce57@gmail.com>
> Reviewed-by: Alexey Khoroshilov <khoroshilov@ispras.ru>

-- 
thanks,

Mimi



* Re: [PATCH] ima: Fix potential NULL pointer access in ima_match_rules()
From: Guozihua (Scott) @ 2023-03-28  3:46 UTC (permalink / raw)
  To: romanosauce57
  Cc: dmitry.kasatkin, guozihua, jmorris, khoroshilov, linux-integrity,
	linux-kernel, linux-security-module, lvc-project, paul,
	roberto.sassu, serge, zohar

Tested-by: GUO Zihua <guozihua@huawei.com>

-- 
Best
GUO Zihua

