From: Mimi Zohar <zohar@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.ibm.com>, Petr Vorel <pvorel@suse.cz>,
Vitaly Chikunov <vt@altlinux.org>,
Stefan Berger <stefanb@linux.ibm.com>
Subject: [PATCH ima-evm-utils 07/11] Add missing EVP_MD_CTX_free() call in calc_evm_hash()
Date: Fri, 2 Sep 2022 12:28:32 -0400 [thread overview]
Message-ID: <20220902162836.554839-8-zohar@linux.ibm.com> (raw)
In-Reply-To: <20220902162836.554839-1-zohar@linux.ibm.com>
When EVP_MD_CTX_new() call was added, the corresponding EVP_MD_CTX_free()
was never called. Properly free it.
Fixes: 81010f0d87ef ("ima-evm-utils: Add backward compatible support for openssl 1.1")
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
src/evmctl.c | 57 ++++++++++++++++++++++++++++++++++++----------------
1 file changed, 40 insertions(+), 17 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index a9b2f1040787..b89e74e06c3d 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -331,11 +331,17 @@ err:
return -1;
}
+/*
+ * calc_evm_hash - calculate the file metadata hash
+ *
+ * Returns 0 for EVP_ function failures. Return -1 for other failures.
+ * Return hash algorithm size on success.
+ */
static int calc_evm_hash(const char *file, unsigned char *hash)
{
const EVP_MD *md;
struct stat st;
- int err;
+ int err = -1;
uint32_t generation = 0;
EVP_MD_CTX *pctx;
unsigned int mdlen;
@@ -349,12 +355,11 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
#if OPENSSL_VERSION_NUMBER < 0x10100000
EVP_MD_CTX ctx;
pctx = &ctx;
-#else
- pctx = EVP_MD_CTX_new();
#endif
if (lstat(file, &st)) {
log_err("Failed to stat: %s\n", file);
+ errno = 0;
return -1;
}
@@ -391,20 +396,30 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
list_size = llistxattr(file, list, sizeof(list));
if (list_size < 0) {
log_err("llistxattr() failed\n");
+ errno = 0;
return -1;
}
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+ pctx = EVP_MD_CTX_new();
+ if (!pctx) {
+ log_err("EVP_MD_CTX_new() failed\n");
+ return 0;
+ }
+#endif
+
md = EVP_get_digestbyname(imaevm_params.hash_algo);
if (!md) {
log_err("EVP_get_digestbyname(%s) failed\n",
imaevm_params.hash_algo);
- return 1;
+ err = 0;
+ goto out;
}
err = EVP_DigestInit(pctx, md);
if (!err) {
log_err("EVP_DigestInit() failed\n");
- return 1;
+ goto out;
}
for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) {
@@ -415,7 +430,8 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
if (err > sizeof(xattr_value)) {
log_err("selinux[%u] value is too long to fit into xattr[%zu]\n",
err, sizeof(xattr_value));
- return -1;
+ err = -1;
+ goto out;
}
strcpy(xattr_value, selinux_str);
} else if (!strcmp(*xattrname, XATTR_NAME_IMA) && ima_str) {
@@ -423,7 +439,8 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
if (err > sizeof(xattr_value)) {
log_err("ima[%u] value is too long to fit into xattr[%zu]\n",
err, sizeof(xattr_value));
- return -1;
+ err = -1;
+ goto out;
}
hex2bin(xattr_value, ima_str, err);
} else if (!strcmp(*xattrname, XATTR_NAME_IMA) && evm_portable){
@@ -432,7 +449,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
if (err < 0) {
log_err("EVM portable sig: %s required\n",
xattr_ima);
- return -1;
+ goto out;
}
use_xattr_ima = 1;
} else if (!strcmp(*xattrname, XATTR_NAME_CAPS) && (hmac_flags & HMAC_FLAG_CAPS_SET)) {
@@ -442,7 +459,8 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
if (err >= sizeof(xattr_value)) {
log_err("caps[%u] value is too long to fit into xattr[%zu]\n",
err + 1, sizeof(xattr_value));
- return -1;
+ err = -1;
+ goto out;
}
strcpy(xattr_value, caps_str);
} else {
@@ -463,7 +481,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
err = EVP_DigestUpdate(pctx, xattr_value, err);
if (!err) {
log_err("EVP_DigestUpdate() failed\n");
- return 1;
+ goto out;
}
}
@@ -517,29 +535,33 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
err = EVP_DigestUpdate(pctx, &hmac_misc, hmac_size);
if (!err) {
log_err("EVP_DigestUpdate() failed\n");
- return 1;
+ goto out;
}
if (!evm_immutable && !evm_portable &&
!(hmac_flags & HMAC_FLAG_NO_UUID)) {
err = get_uuid(&st, uuid);
if (err)
- return -1;
+ goto out;
err = EVP_DigestUpdate(pctx, (const unsigned char *)uuid, sizeof(uuid));
if (!err) {
log_err("EVP_DigestUpdate() failed\n");
- return 1;
+ goto out;
}
}
err = EVP_DigestFinal(pctx, hash, &mdlen);
- if (!err) {
+ if (!err)
log_err("EVP_DigestFinal() failed\n");
- return 1;
- }
- return mdlen;
+out:
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+ EVP_MD_CTX_free(pctx);
+#endif
+ if (err == 1)
+ return mdlen;
+ return err;
}
static int sign_evm(const char *file, const char *key)
@@ -575,6 +597,7 @@ static int sign_evm(const char *file, const char *key)
err = lsetxattr(file, xattr_evm, sig, len, 0);
if (err < 0) {
log_err("setxattr failed: %s\n", file);
+ errno = 0;
return err;
}
}
--
2.31.1
next prev parent reply other threads:[~2022-09-02 16:29 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-02 16:28 [PATCH ima-evm-utils 00/11] address deprecated warnings Mimi Zohar
2022-09-02 16:28 ` [PATCH ima-evm-utils 01/11] travis: use the distro OpenSSL version on jammy Mimi Zohar
2022-09-02 16:28 ` [PATCH ima-evm-utils 02/11] travis: update dist=focal Mimi Zohar
2022-09-02 20:24 ` Stefan Berger
2022-09-06 18:27 ` Mimi Zohar
2022-09-02 16:28 ` [PATCH ima-evm-utils 03/11] Update configure.ac to address a couple of obsolete warnings Mimi Zohar
2022-09-02 16:28 ` [PATCH ima-evm-utils 04/11] Deprecate IMA signature version 1 Mimi Zohar
2022-09-02 19:25 ` Stefan Berger
2022-09-02 16:28 ` [PATCH ima-evm-utils 05/11] Replace the low level SHA1 calls when calculating the TPM 1.2 PCRs Mimi Zohar
2022-09-02 20:18 ` Stefan Berger
2022-09-02 16:28 ` [PATCH ima-evm-utils 06/11] Replace the low level HMAC calls when calculating the EVM HMAC Mimi Zohar
2022-09-02 16:28 ` Mimi Zohar [this message]
2022-09-02 16:28 ` [PATCH ima-evm-utils 08/11] Deprecate use of OpenSSL v3 "engine" support Mimi Zohar
2022-09-04 3:08 ` Vitaly Chikunov
2022-09-04 16:26 ` Mimi Zohar
2022-09-02 16:28 ` [PATCH ima-evm-utils 09/11] Fix potential use after free in read_tpm_banks() Mimi Zohar
2022-09-02 16:28 ` [PATCH ima-evm-utils 10/11] Limit the file hash algorithm name length Mimi Zohar
2022-09-02 16:28 ` [PATCH ima-evm-utils 11/11] Missing template data size lower bounds checking Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220902162836.554839-8-zohar@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=pvorel@suse.cz \
--cc=stefanb@linux.ibm.com \
--cc=vt@altlinux.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox