From: roberto.sassu@huawei.com (Roberto Sassu) To: linux-security-module@vger.kernel.org Subject: [RFC][PATCH v2 1/9] ima: pass filename to ima_rdwr_violation_check() Date: Thu, 30 Nov 2017 11:56:02 +0100 [thread overview] Message-ID: <20171130105610.15761-2-roberto.sassu@huawei.com> (raw) In-Reply-To: <20171130105610.15761-1-roberto.sassu@huawei.com> ima_rdwr_violation_check() retrieves the full path of a measured file by calling ima_d_path(). If process_measurement() calls this function, it reuses the pointer and passes it to the functions to measure/appraise/audit an accessed file. After commit bc15ed663e7e ("ima: fix ima_d_path() possible race with rename"), ima_d_path() first tries to retrieve the full path by calling d_absolute_path() and, if there is an error, copies the dentry name to the buffer passed as argument. However, ima_rdwr_violation_check() passes to ima_d_path() the pointer of a local variable. process_measurement() might be reusing the pointer to an area in the stack which may have been already overwritten after ima_rdwr_violation_check() returned. Correct this issue by passing to ima_rdwr_violation_check() the pointer of a buffer declared in process_measurement(). Fixes: bc15ed663e7e ("ima: fix ima_d_path() possible race with rename") Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> --- security/integrity/ima/ima_main.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 294b2fe69334..5a7321bc325c 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -84,10 +84,10 @@ static void ima_rdwr_violation_check(struct file *file, struct integrity_iint_cache *iint, int must_measure, char **pathbuf, - const char **pathname) + const char **pathname, + char *filename) { struct inode *inode = file_inode(file); - char filename[NAME_MAX]; fmode_t mode = file->f_mode; bool send_tomtou = false, send_writers = false; @@ -205,7 +205,7 @@ static int process_measurement(struct file *file, const struct cred *cred, if (violation_check) { ima_rdwr_violation_check(file, iint, action & IMA_MEASURE, - &pathbuf, &pathname); + &pathbuf, &pathname, filename); if (!action) { rc = 0; goto out_free; -- 2.11.0 -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Roberto Sassu <roberto.sassu@huawei.com> To: <linux-integrity@vger.kernel.org> Cc: <linux-security-module@vger.kernel.org>, <silviu.vlasceanu@huawei.com>, Roberto Sassu <roberto.sassu@huawei.com> Subject: [RFC][PATCH v2 1/9] ima: pass filename to ima_rdwr_violation_check() Date: Thu, 30 Nov 2017 11:56:02 +0100 [thread overview] Message-ID: <20171130105610.15761-2-roberto.sassu@huawei.com> (raw) In-Reply-To: <20171130105610.15761-1-roberto.sassu@huawei.com> ima_rdwr_violation_check() retrieves the full path of a measured file by calling ima_d_path(). If process_measurement() calls this function, it reuses the pointer and passes it to the functions to measure/appraise/audit an accessed file. After commit bc15ed663e7e ("ima: fix ima_d_path() possible race with rename"), ima_d_path() first tries to retrieve the full path by calling d_absolute_path() and, if there is an error, copies the dentry name to the buffer passed as argument. However, ima_rdwr_violation_check() passes to ima_d_path() the pointer of a local variable. process_measurement() might be reusing the pointer to an area in the stack which may have been already overwritten after ima_rdwr_violation_check() returned. Correct this issue by passing to ima_rdwr_violation_check() the pointer of a buffer declared in process_measurement(). Fixes: bc15ed663e7e ("ima: fix ima_d_path() possible race with rename") Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> --- security/integrity/ima/ima_main.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 294b2fe69334..5a7321bc325c 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -84,10 +84,10 @@ static void ima_rdwr_violation_check(struct file *file, struct integrity_iint_cache *iint, int must_measure, char **pathbuf, - const char **pathname) + const char **pathname, + char *filename) { struct inode *inode = file_inode(file); - char filename[NAME_MAX]; fmode_t mode = file->f_mode; bool send_tomtou = false, send_writers = false; @@ -205,7 +205,7 @@ static int process_measurement(struct file *file, const struct cred *cred, if (violation_check) { ima_rdwr_violation_check(file, iint, action & IMA_MEASURE, - &pathbuf, &pathname); + &pathbuf, &pathname, filename); if (!action) { rc = 0; goto out_free; -- 2.11.0
next prev parent reply other threads:[~2017-11-30 10:56 UTC|newest] Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top 2017-11-30 10:56 [RFC][PATCH v2 0/9] ima: integrity models for appraised files Roberto Sassu 2017-11-30 10:56 ` Roberto Sassu 2017-11-30 10:56 ` Roberto Sassu [this message] 2017-11-30 10:56 ` [RFC][PATCH v2 1/9] ima: pass filename to ima_rdwr_violation_check() Roberto Sassu 2017-12-01 17:38 ` Mimi Zohar 2017-12-01 17:38 ` Mimi Zohar 2017-11-30 10:56 ` [RFC][PATCH v2 2/9] ima: preserve flags in ima_inode_post_setattr() if file must be appraised Roberto Sassu 2017-11-30 10:56 ` Roberto Sassu 2017-12-01 16:31 ` Mimi Zohar 2017-12-01 16:31 ` Mimi Zohar 2017-11-30 10:56 ` [RFC][PATCH v2 3/9] ima: preserve iint flags if security.ima update is successful Roberto Sassu 2017-11-30 10:56 ` Roberto Sassu 2017-12-01 18:06 ` Mimi Zohar 2017-12-01 18:06 ` Mimi Zohar 2017-11-30 10:56 ` [RFC][PATCH v2 4/9] ima: introduce ima_mk_null_file() Roberto Sassu 2017-11-30 10:56 ` Roberto Sassu 2017-11-30 10:56 ` [RFC][PATCH v2 5/9] ima: measure/appraise/audit inherited file descriptors Roberto Sassu 2017-11-30 10:56 ` Roberto Sassu 2017-11-30 10:56 ` [RFC][PATCH v2 6/9] ima: enforce the Biba strict policy on appraised files Roberto Sassu 2017-11-30 10:56 ` Roberto Sassu 2017-11-30 10:56 ` [RFC][PATCH v2 7/9] ima: enforce the Biba low watermark for objects " Roberto Sassu 2017-11-30 10:56 ` Roberto Sassu 2017-11-30 10:56 ` [RFC][PATCH v2 8/9] ima: introduce policy action try_appraise Roberto Sassu 2017-11-30 10:56 ` Roberto Sassu 2017-11-30 10:56 ` [RFC][PATCH v2 9/9] ima: don't measure files with valid appraisal status Roberto Sassu 2017-11-30 10:56 ` Roberto Sassu
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20171130105610.15761-2-roberto.sassu@huawei.com \ --to=roberto.sassu@huawei.com \ --cc=linux-security-module@vger.kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.