[PATCH][next] ima: ima_modsig: Fix use-after-free bug in ima_read

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH][next] ima: ima_modsig: Fix use-after-free bug in ima_read_modsig
@ 2019-08-11 23:55 Gustavo A. R. Silva
  2019-08-28 13:50 ` Mimi Zohar
  0 siblings, 1 reply; 3+ messages in thread
From: Gustavo A. R. Silva @ 2019-08-11 23:55 UTC (permalink / raw)
  To: Mimi Zohar, Dmitry Kasatkin, James Morris, Serge E. Hallyn,
	Thiago Jung Bauermann
  Cc: linux-integrity, linux-security-module, linux-kernel,
	Gustavo A. R. Silva

hdr is being freed and then dereferenced by accessing hdr->pkcs7_msg

Fix this by copying the value returned by PTR_ERR(hdr->pkcs7_msg) into
automatic variable err for its safe use after freeing hdr.

Addresses-Coverity-ID: 1485813 ("Read from pointer after free")
Fixes: 39b07096364a ("ima: Implement support for module-style appended signatures")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
---
 security/integrity/ima/ima_modsig.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c
index c412e31d1714..e681d4326145 100644
--- a/security/integrity/ima/ima_modsig.c
+++ b/security/integrity/ima/ima_modsig.c
@@ -91,8 +91,9 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
 
 	hdr->pkcs7_msg = pkcs7_parse_message(buf + buf_len, sig_len);
 	if (IS_ERR(hdr->pkcs7_msg)) {
+		int err = PTR_ERR(hdr->pkcs7_msg);
 		kfree(hdr);
-		return PTR_ERR(hdr->pkcs7_msg);
+		return err;
 	}
 
 	memcpy(hdr->raw_pkcs7, buf + buf_len, sig_len);
-- 
2.22.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH][next] ima: ima_modsig: Fix use-after-free bug in ima_read_modsig
  2019-08-11 23:55 [PATCH][next] ima: ima_modsig: Fix use-after-free bug in ima_read_modsig Gustavo A. R. Silva
@ 2019-08-28 13:50 ` Mimi Zohar
  2019-08-28 18:55   ` Gustavo A. R. Silva
  0 siblings, 1 reply; 3+ messages in thread
From: Mimi Zohar @ 2019-08-28 13:50 UTC (permalink / raw)
  To: Gustavo A. R. Silva, Dmitry Kasatkin, James Morris,
	Serge E. Hallyn, Thiago Jung Bauermann
  Cc: linux-integrity, linux-security-module, linux-kernel

Hi Gustavo,

On Sun, 2019-08-11 at 18:55 -0500, Gustavo A. R. Silva wrote:
> hdr is being freed and then dereferenced by accessing hdr->pkcs7_msg
> 
> Fix this by copying the value returned by PTR_ERR(hdr->pkcs7_msg) into
> automatic variable err for its safe use after freeing hdr.
> 
> Addresses-Coverity-ID: 1485813 ("Read from pointer after free")
> Fixes: 39b07096364a ("ima: Implement support for module-style appended signatures")
> Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>

This bug was reported Julia and addressed by Thiago on 8/7. If you
would like to add your Review/Tested-by, the patch can be found in the
linux-integrity next-queued-testing branch.

thanks,

Mimi


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH][next] ima: ima_modsig: Fix use-after-free bug in ima_read_modsig
  2019-08-28 13:50 ` Mimi Zohar
@ 2019-08-28 18:55   ` Gustavo A. R. Silva
  0 siblings, 0 replies; 3+ messages in thread
From: Gustavo A. R. Silva @ 2019-08-28 18:55 UTC (permalink / raw)
  To: Mimi Zohar, Dmitry Kasatkin, James Morris, Serge E. Hallyn,
	Thiago Jung Bauermann
  Cc: linux-integrity, linux-security-module, linux-kernel



On 8/28/19 8:50 AM, Mimi Zohar wrote:
> Hi Gustavo,
> 
> On Sun, 2019-08-11 at 18:55 -0500, Gustavo A. R. Silva wrote:
>> hdr is being freed and then dereferenced by accessing hdr->pkcs7_msg
>>
>> Fix this by copying the value returned by PTR_ERR(hdr->pkcs7_msg) into
>> automatic variable err for its safe use after freeing hdr.
>>
>> Addresses-Coverity-ID: 1485813 ("Read from pointer after free")
>> Fixes: 39b07096364a ("ima: Implement support for module-style appended signatures")
>> Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
> 
> This bug was reported Julia and addressed by Thiago on 8/7. If you
> would like to add your Review/Tested-by, the patch can be found in the
> linux-integrity next-queued-testing branch.
> 

I'm glad this is fixed now. :)

Yeah, you can add my:

Reviewed-by: Gustavo A. R. Silva <gustavo@embeddedor.com>

Thanks
--
Gustavo

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2019-08-28 19:17 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-08-11 23:55 [PATCH][next] ima: ima_modsig: Fix use-after-free bug in ima_read_modsig Gustavo A. R. Silva
2019-08-28 13:50 ` Mimi Zohar
2019-08-28 18:55   ` Gustavo A. R. Silva

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.