From: roberto.sassu@huawei.com (Roberto Sassu)
To: linux-security-module@vger.kernel.org
Subject: [RFC][PATCH v2 1/9] ima: pass filename to ima_rdwr_violation_check()
Date: Thu, 30 Nov 2017 11:56:02 +0100 [thread overview]
Message-ID: <20171130105610.15761-2-roberto.sassu@huawei.com> (raw)
In-Reply-To: <20171130105610.15761-1-roberto.sassu@huawei.com>
ima_rdwr_violation_check() retrieves the full path of a measured file by
calling ima_d_path(). If process_measurement() calls this function, it
reuses the pointer and passes it to the functions to measure/appraise/audit
an accessed file.
After commit bc15ed663e7e ("ima: fix ima_d_path() possible race with
rename"), ima_d_path() first tries to retrieve the full path by calling
d_absolute_path() and, if there is an error, copies the dentry name to the
buffer passed as argument.
However, ima_rdwr_violation_check() passes to ima_d_path() the pointer of a
local variable. process_measurement() might be reusing the pointer to an
area in the stack which may have been already overwritten after
ima_rdwr_violation_check() returned.
Correct this issue by passing to ima_rdwr_violation_check() the pointer of
a buffer declared in process_measurement().
Fixes: bc15ed663e7e ("ima: fix ima_d_path() possible race with rename")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
security/integrity/ima/ima_main.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 294b2fe69334..5a7321bc325c 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -84,10 +84,10 @@ static void ima_rdwr_violation_check(struct file *file,
struct integrity_iint_cache *iint,
int must_measure,
char **pathbuf,
- const char **pathname)
+ const char **pathname,
+ char *filename)
{
struct inode *inode = file_inode(file);
- char filename[NAME_MAX];
fmode_t mode = file->f_mode;
bool send_tomtou = false, send_writers = false;
@@ -205,7 +205,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
if (violation_check) {
ima_rdwr_violation_check(file, iint, action & IMA_MEASURE,
- &pathbuf, &pathname);
+ &pathbuf, &pathname, filename);
if (!action) {
rc = 0;
goto out_free;
--
2.11.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Roberto Sassu <roberto.sassu@huawei.com>
To: <linux-integrity@vger.kernel.org>
Cc: <linux-security-module@vger.kernel.org>,
<silviu.vlasceanu@huawei.com>,
Roberto Sassu <roberto.sassu@huawei.com>
Subject: [RFC][PATCH v2 1/9] ima: pass filename to ima_rdwr_violation_check()
Date: Thu, 30 Nov 2017 11:56:02 +0100 [thread overview]
Message-ID: <20171130105610.15761-2-roberto.sassu@huawei.com> (raw)
In-Reply-To: <20171130105610.15761-1-roberto.sassu@huawei.com>
ima_rdwr_violation_check() retrieves the full path of a measured file by
calling ima_d_path(). If process_measurement() calls this function, it
reuses the pointer and passes it to the functions to measure/appraise/audit
an accessed file.
After commit bc15ed663e7e ("ima: fix ima_d_path() possible race with
rename"), ima_d_path() first tries to retrieve the full path by calling
d_absolute_path() and, if there is an error, copies the dentry name to the
buffer passed as argument.
However, ima_rdwr_violation_check() passes to ima_d_path() the pointer of a
local variable. process_measurement() might be reusing the pointer to an
area in the stack which may have been already overwritten after
ima_rdwr_violation_check() returned.
Correct this issue by passing to ima_rdwr_violation_check() the pointer of
a buffer declared in process_measurement().
Fixes: bc15ed663e7e ("ima: fix ima_d_path() possible race with rename")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
security/integrity/ima/ima_main.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 294b2fe69334..5a7321bc325c 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -84,10 +84,10 @@ static void ima_rdwr_violation_check(struct file *file,
struct integrity_iint_cache *iint,
int must_measure,
char **pathbuf,
- const char **pathname)
+ const char **pathname,
+ char *filename)
{
struct inode *inode = file_inode(file);
- char filename[NAME_MAX];
fmode_t mode = file->f_mode;
bool send_tomtou = false, send_writers = false;
@@ -205,7 +205,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
if (violation_check) {
ima_rdwr_violation_check(file, iint, action & IMA_MEASURE,
- &pathbuf, &pathname);
+ &pathbuf, &pathname, filename);
if (!action) {
rc = 0;
goto out_free;
--
2.11.0
next prev parent reply other threads:[~2017-11-30 10:56 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-30 10:56 [RFC][PATCH v2 0/9] ima: integrity models for appraised files Roberto Sassu
2017-11-30 10:56 ` Roberto Sassu
2017-11-30 10:56 ` Roberto Sassu [this message]
2017-11-30 10:56 ` [RFC][PATCH v2 1/9] ima: pass filename to ima_rdwr_violation_check() Roberto Sassu
2017-12-01 17:38 ` Mimi Zohar
2017-12-01 17:38 ` Mimi Zohar
2017-11-30 10:56 ` [RFC][PATCH v2 2/9] ima: preserve flags in ima_inode_post_setattr() if file must be appraised Roberto Sassu
2017-11-30 10:56 ` Roberto Sassu
2017-12-01 16:31 ` Mimi Zohar
2017-12-01 16:31 ` Mimi Zohar
2017-11-30 10:56 ` [RFC][PATCH v2 3/9] ima: preserve iint flags if security.ima update is successful Roberto Sassu
2017-11-30 10:56 ` Roberto Sassu
2017-12-01 18:06 ` Mimi Zohar
2017-12-01 18:06 ` Mimi Zohar
2017-11-30 10:56 ` [RFC][PATCH v2 4/9] ima: introduce ima_mk_null_file() Roberto Sassu
2017-11-30 10:56 ` Roberto Sassu
2017-11-30 10:56 ` [RFC][PATCH v2 5/9] ima: measure/appraise/audit inherited file descriptors Roberto Sassu
2017-11-30 10:56 ` Roberto Sassu
2017-11-30 10:56 ` [RFC][PATCH v2 6/9] ima: enforce the Biba strict policy on appraised files Roberto Sassu
2017-11-30 10:56 ` Roberto Sassu
2017-11-30 10:56 ` [RFC][PATCH v2 7/9] ima: enforce the Biba low watermark for objects " Roberto Sassu
2017-11-30 10:56 ` Roberto Sassu
2017-11-30 10:56 ` [RFC][PATCH v2 8/9] ima: introduce policy action try_appraise Roberto Sassu
2017-11-30 10:56 ` Roberto Sassu
2017-11-30 10:56 ` [RFC][PATCH v2 9/9] ima: don't measure files with valid appraisal status Roberto Sassu
2017-11-30 10:56 ` Roberto Sassu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171130105610.15761-2-roberto.sassu@huawei.com \
--to=roberto.sassu@huawei.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.