Kernel/linux-next
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git synced 2025-01-09 07:23:14 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

integrity-v5.19-fix

Browse Source 
-----BEGIN PGP SIGNATURE-----
 
 iIoEABYIADIWIQQdXVVFGN5XqKr1Hj7LwZzRsCrn5QUCYtAwjhQcem9oYXJAbGlu
 dXguaWJtLmNvbQAKCRDLwZzRsCrn5TaxAQD2uVSa1/t9/cdTz3jWdWKrF080jChb
 uiYsZKA4RHbwjgEA8dCAa5zsfHX8Y0+vVqA65eyu1dQA98WbJDMQ4AaFVAg=
 =7Yy6
 -----END PGP SIGNATURE-----

Merge tag 'integrity-v5.19-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Pull integrity fixes from Mimi Zohar:
 "Here are a number of fixes for recently found bugs.

  Only 'ima: fix violation measurement list record' was introduced in
  the current release. The rest address existing bugs"

* tag 'integrity-v5.19-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  ima: Fix potential memory leak in ima_init_crypto()
  ima: force signature verification when CONFIG_KEXEC_SIG is configured
  ima: Fix a potential integer overflow in ima_appraise_measurement
  ima: fix violation measurement list record
  Revert "evm: Fix memleak in init_desc"
This commit is contained in:
Linus Torvalds 2022-07-14 12:15:42 -07:00
commit 4adfa865bb
7 changed files with 26 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
include/linux/kexec.h
View File

@ -452,6 +452,12 @@ static inline int kexec_crash_loaded(void) { return 0; }
#define kexec_in_progress false #define kexec_in_progress false
#endif /* CONFIG_KEXEC_CORE */ #endif /* CONFIG_KEXEC_CORE */
#ifdef CONFIG_KEXEC_SIG
void set_kexec_sig_enforced(void);
#else
static inline void set_kexec_sig_enforced(void) {}
#endif
#endif /* !defined(__ASSEBMLY__) */ #endif /* !defined(__ASSEBMLY__) */
#endif /* LINUX_KEXEC_H */ #endif /* LINUX_KEXEC_H */

11
kernel/kexec_file.c
View File

@ -29,6 +29,15 @@
#include <linux/vmalloc.h> #include <linux/vmalloc.h>
#include "kexec_internal.h" #include "kexec_internal.h"
#ifdef CONFIG_KEXEC_SIG
static bool sig_enforce = IS_ENABLED(CONFIG_KEXEC_SIG_FORCE);
void set_kexec_sig_enforced(void)
{
sig_enforce = true;
}
#endif
static int kexec_calculate_store_digests(struct kimage *image); static int kexec_calculate_store_digests(struct kimage *image);
/* /*
@ -159,7 +168,7 @@ kimage_validate_signature(struct kimage *image)
image->kernel_buf_len); image->kernel_buf_len);
if (ret) { if (ret) {
if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) { if (sig_enforce) {
pr_notice("Enforced kernel signature verification failed (%d).\n", ret); pr_notice("Enforced kernel signature verification failed (%d).\n", ret);
return ret; return ret;
} }

7
security/integrity/evm/evm_crypto.c
View File

@ -75,7 +75,7 @@ static struct shash_desc *init_desc(char type, uint8_t hash_algo)
{ {
long rc; long rc;
const char *algo; const char *algo;
struct crypto_shash **tfm, *tmp_tfm = NULL; struct crypto_shash **tfm, *tmp_tfm;
struct shash_desc *desc; struct shash_desc *desc;
if (type == EVM_XATTR_HMAC) { if (type == EVM_XATTR_HMAC) {
@ -120,16 +120,13 @@ unlock:
alloc: alloc:
desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(*tfm), desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(*tfm),
GFP_KERNEL); GFP_KERNEL);
if (!desc) { if (!desc)
crypto_free_shash(tmp_tfm);
return ERR_PTR(-ENOMEM); return ERR_PTR(-ENOMEM);
}
desc->tfm = *tfm; desc->tfm = *tfm;
rc = crypto_shash_init(desc); rc = crypto_shash_init(desc);
if (rc) { if (rc) {
crypto_free_shash(tmp_tfm);
kfree(desc); kfree(desc);
return ERR_PTR(rc); return ERR_PTR(rc);
} }

3
security/integrity/ima/ima_appraise.c
View File

@ -514,7 +514,8 @@ int ima_appraise_measurement(enum ima_hooks func,
goto out; goto out;
} }
status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint); status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value,
rc < 0 ? 0 : rc, iint);
switch (status) { switch (status) {
case INTEGRITY_PASS: case INTEGRITY_PASS:
case INTEGRITY_PASS_IMMUTABLE: case INTEGRITY_PASS_IMMUTABLE:

1
security/integrity/ima/ima_crypto.c
View File

@ -205,6 +205,7 @@ out_array:
crypto_free_shash(ima_algo_array[i].tfm); crypto_free_shash(ima_algo_array[i].tfm);
} }
kfree(ima_algo_array);
out: out:
crypto_free_shash(ima_shash_tfm); crypto_free_shash(ima_shash_tfm);
return rc; return rc;

2
security/integrity/ima/ima_efi.c
View File

@ -67,6 +67,8 @@ const char * const *arch_get_ima_policy(void)
if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) { if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
if (IS_ENABLED(CONFIG_MODULE_SIG)) if (IS_ENABLED(CONFIG_MODULE_SIG))
set_module_sig_enforced(); set_module_sig_enforced();
if (IS_ENABLED(CONFIG_KEXEC_SIG))
set_kexec_sig_enforced();
return sb_arch_rules; return sb_arch_rules;
} }
return NULL; return NULL;

6
security/integrity/ima/ima_template_lib.c
View File

@ -323,10 +323,10 @@ static int ima_eventdigest_init_common(const u8 *digest, u32 digestsize,
else else
/* /*
* If digest is NULL, the event being recorded is a violation. * If digest is NULL, the event being recorded is a violation.
* Make room for the digest by increasing the offset of * Make room for the digest by increasing the offset by the
* IMA_DIGEST_SIZE. * hash algorithm digest size.
*/ */
offset += IMA_DIGEST_SIZE; offset += hash_digest_size[hash_algo];
return ima_write_template_field_data(buffer, offset + digestsize, return ima_write_template_field_data(buffer, offset + digestsize,
fmt, field_data); fmt, field_data);