diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2020-10-15 15:58:18 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2020-10-15 15:58:18 -0700 |
| commit | 840e5bb326bbcb16ce82dd2416d2769de4839aea (patch) | |
| tree | 0db7a077c3ae35dd99a89f0128b760951d95db72 /security/integrity/ima/ima_main.c | |
| parent | fefa636d815975b34afc45f50852a2810fb23ba9 (diff) | |
| parent | aa662fc04f5b290b3979332588bf8d812b189962 (diff) | |
| download | lwn-840e5bb326bbcb16ce82dd2416d2769de4839aea.tar.gz lwn-840e5bb326bbcb16ce82dd2416d2769de4839aea.zip | |
Merge tag 'integrity-v5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity
Pull integrity updates from Mimi Zohar:
"Continuing IMA policy rule cleanup and validation in particular for
measuring keys, adding/removing/updating informational and error
messages (e.g. "ima_appraise" boot command line option), and other bug
fixes (e.g. minimal data size validation before use, return code and
NULL pointer checking)"
* tag 'integrity-v5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
ima: Fix NULL pointer dereference in ima_file_hash
evm: Check size of security.evm before using it
ima: Remove semicolon at the end of ima_get_binary_runtime_size()
ima: Don't ignore errors from crypto_shash_update()
ima: Use kmemdup rather than kmalloc+memcpy
integrity: include keyring name for unknown key request
ima: limit secure boot feedback scope for appraise
integrity: invalid kernel parameters feedback
ima: add check for enforced appraise option
integrity: Use current_uid() in integrity_audit_message()
ima: Fail rule parsing when asymmetric key measurement isn't supportable
ima: Pre-parse the list of keyrings in a KEY_CHECK rule
Diffstat (limited to 'security/integrity/ima/ima_main.c')
| -rw-r--r-- | security/integrity/ima/ima_main.c | 23 |
1 files changed, 19 insertions, 4 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 82c9d62bcb11..2d1af8899cab 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -51,18 +51,23 @@ static int __init hash_setup(char *str) return 1; if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) { - if (strncmp(str, "sha1", 4) == 0) + if (strncmp(str, "sha1", 4) == 0) { ima_hash_algo = HASH_ALGO_SHA1; - else if (strncmp(str, "md5", 3) == 0) + } else if (strncmp(str, "md5", 3) == 0) { ima_hash_algo = HASH_ALGO_MD5; - else + } else { + pr_err("invalid hash algorithm \"%s\" for template \"%s\"", + str, IMA_TEMPLATE_IMA_NAME); return 1; + } goto out; } i = match_string(hash_algo_name, HASH_ALGO__LAST, str); - if (i < 0) + if (i < 0) { + pr_err("invalid hash algorithm \"%s\"", str); return 1; + } ima_hash_algo = i; out: @@ -532,6 +537,16 @@ int ima_file_hash(struct file *file, char *buf, size_t buf_size) return -EOPNOTSUPP; mutex_lock(&iint->mutex); + + /* + * ima_file_hash can be called when ima_collect_measurement has still + * not been called, we might not always have a hash. + */ + if (!iint->ima_hash) { + mutex_unlock(&iint->mutex); + return -EOPNOTSUPP; + } + if (buf) { size_t copied_size; |