Linux Integrity Measurement development
From: Julia Lawall <Julia.Lawall@lip6.fr>
To: Thiago Jung Bauermann <bauerman@linux.ibm.com>,
	Mimi Zohar <zohar@linux.ibm.com>,
	linux-integrity@vger.kernel.org, kbuild-all@01.org
Subject: Fwd: [integrity:next-queued-testing 8/13] security/integrity/ima/ima_modsig.c:81:17-20: ERROR: reference preceded by free on line 80
Date: Wed, 07 Aug 2019 15:18:23 +0200
Message-ID: <2ee96e49ade2e30a44fa14840610b432@lip6.fr>
In-Reply-To: <201908072140.Qep3jWIW%lkp@intel.com>

This looks risky. See lines 80 and 81.

-------- Original message --------
Subject: [integrity:next-queued-testing 8/13] security/integrity/ima/ima_modsig.c:81:17-20: ERROR: reference preceded by free on line 80
Date: 07.08.2019 15:10
From: kbuild test robot <lkp@intel.com>
To: kbuild@01.org
Cc: Julia Lawall <julia.lawall@lip6.fr>

CC: kbuild-all@01.org
CC: linux-integrity@vger.kernel.org
TO: Thiago Jung Bauermann <bauerman@linux.ibm.com>
CC: Mimi Zohar <zohar@linux.ibm.com>

tree:   https://kernel.googlesource.com/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-queued-testing
head:   cd3553a6a5047b7a759803ae3ba3991a901b89f8
commit: 2ebb61778990547b3dd7496bb66d0ac837659b14 [8/13] ima: Implement support for module-style appended signatures
:::::: branch date: 6 days ago
:::::: commit date: 6 days ago

If you fix the issue, kindly add following tag
Reported-by: kbuild test robot <lkp@intel.com>
Reported-by: Julia Lawall <julia.lawall@lip6.fr>

>> security/integrity/ima/ima_modsig.c:81:17-20: ERROR: reference preceded by free on line 80

git remote add integrity https://kernel.googlesource.com/pub/scm/linux/kernel/git/zohar/linux-integrity.git
git remote update integrity
git checkout 2ebb61778990547b3dd7496bb66d0ac837659b14
vim +81 security/integrity/ima/ima_modsig.c

2ebb6177899054 Thiago Jung Bauermann 2019-06-27  41
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  42  /*
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  43   * ima_read_modsig - Read modsig from buf.
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  44   *
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  45   * Return: 0 on success, error code otherwise.
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  46   */
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  47  int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  48  		    struct modsig **modsig)
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  49  {
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  50  	const size_t marker_len = strlen(MODULE_SIG_STRING);
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  51  	const struct module_signature *sig;
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  52  	struct modsig *hdr;
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  53  	size_t sig_len;
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  54  	const void *p;
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  55  	int rc;
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  56
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  57  	if (buf_len <= marker_len + sizeof(*sig))
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  58  		return -ENOENT;
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  59
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  60  	p = buf + buf_len - marker_len;
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  61  	if (memcmp(p, MODULE_SIG_STRING, marker_len))
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  62  		return -ENOENT;
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  63
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  64  	buf_len -= marker_len;
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  65  	sig = (const struct module_signature *)(p - sizeof(*sig));
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  66
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  67  	rc = mod_check_sig(sig, buf_len, func_tokens[func]);
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  68  	if (rc)
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  69  		return rc;
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  70
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  71  	sig_len = be32_to_cpu(sig->sig_len);
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  72  	buf_len -= sig_len + sizeof(*sig);
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  73
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  74  	hdr = kmalloc(sizeof(*hdr), GFP_KERNEL);
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  75  	if (!hdr)
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  76  		return -ENOMEM;
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  77
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  78  	hdr->pkcs7_msg = pkcs7_parse_message(buf + buf_len, sig_len);
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  79  	if (IS_ERR(hdr->pkcs7_msg)) {
2ebb6177899054 Thiago Jung Bauermann 2019-06-27 @80  		kfree(hdr);
2ebb6177899054 Thiago Jung Bauermann 2019-06-27 @81  		return PTR_ERR(hdr->pkcs7_msg);
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  82  	}
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  83
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  84  	*modsig = hdr;
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  85
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  86  	return 0;
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  87  }
2ebb6177899054 Thiago Jung Bauermann 2019-06-27  88

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation


Thread overview: 2+ messages
     [not found] <201908072140.Qep3jWIW%lkp@intel.com>
2019-08-07 13:18 ` Julia Lawall [this message]
2019-08-08  0:43   ` [PATCH] ima: Fix use after free in ima_read_modsig() Thiago Jung Bauermann
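
The ordering problem flagged at lines 80 and 81, reduced to a userspace C sketch in which the error code is copied to a local before the struct that holds it is freed. This is an added example, not the kernel source and not the patch posted in this thread; `read_sig`, `parse_blob`, `sig_hdr`, the allocation counter and the ERR_PTR stand-ins are constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Userspace stand-ins for the kernel's ERR_PTR helpers (constructed here). */
#define MAX_ERRNO 4095
static void *ERR_PTR(long err) { return (void *)err; }
static long PTR_ERR(const void *p) { return (long)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct msg { size_t len; };              /* stand-in for the parsed message */
struct sig_hdr { struct msg *parsed; };  /* stand-in for struct modsig */

static int live_allocs;                  /* allocation balance, to check for leaks */
static void *xalloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) live_allocs--; free(p); }

/* Hypothetical parser: returns an error pointer on bad input, like ERR_PTR users do. */
static struct msg *parse_blob(const void *buf, size_t len)
{
	struct msg *m;

	if (!buf || len == 0)
		return ERR_PTR(-EBADMSG);
	m = xalloc(sizeof(*m));
	if (!m)
		return ERR_PTR(-ENOMEM);
	m->len = len;
	return m;
}

/* The error code lives inside hdr, so it is read out BEFORE hdr is freed. */
int read_sig(const void *buf, size_t len, struct sig_hdr **out)
{
	struct sig_hdr *hdr = xalloc(sizeof(*hdr));
	int rc;

	if (!hdr)
		return -ENOMEM;
	hdr->parsed = parse_blob(buf, len);
	if (IS_ERR(hdr->parsed)) {
		rc = (int)PTR_ERR(hdr->parsed); /* copy to a local first */
		xfree(hdr);                     /* hdr must not be touched after this */
		return rc;
	}
	*out = hdr;                             /* only written on success */
	return 0;
}
void free_sig(struct sig_hdr *hdr) { if (hdr) { xfree(hdr->parsed); xfree(hdr); } }
```

Building a reduction like this with `-fsanitize=address` and swapping the two statements in the error branch makes the sanitizer report the read from freed memory.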
