From: David Laight <David.Laight@ACULAB.COM>
To: 'Roberto Sassu' <roberto.sassu@huawei.com>,
"zohar@linux.ibm.com" <zohar@linux.ibm.com>,
"rgoldwyn@suse.de" <rgoldwyn@suse.de>
Cc: "linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"silviu.vlasceanu@huawei.com" <silviu.vlasceanu@huawei.com>,
"krzysztof.struczynski@huawei.com"
<krzysztof.struczynski@huawei.com>,
"stable@vger.kernel.org" <stable@vger.kernel.org>
Subject: RE: [PATCH v2 3/6] ima: Fix ima digest hash table key calculation
Date: Mon, 27 Apr 2020 11:00:06 +0000 [thread overview]
Message-ID: <84ecd8f2576849b29876448df66824fc@AcuMS.aculab.com> (raw)
In-Reply-To: <20200427102900.18887-3-roberto.sassu@huawei.com>
From: Roberto Sassu
> Sent: 27 April 2020 11:29
> Function hash_long() accepts unsigned long, while currently only one byte
> is passed from ima_hash_key(), which calculates a key for ima_htable.
>
> Given that hashing the digest does not give clear benefits compared to
> using the digest itself, remove hash_long() and return the modulus
> calculated on the beginning of the digest with the number of slots. Also
> reduce the depth of the hash table by doubling the number of slots.
>
> Cc: stable@vger.kernel.org
> Fixes: 3323eec921ef ("integrity: IMA as an integrity service provider")
> Co-developed-by: Roberto Sassu <roberto.sassu@huawei.com>
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> Signed-off-by: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
> ---
> security/integrity/ima/ima.h | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index 467dfdbea25c..6ee458cf124a 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -36,7 +36,7 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
> #define IMA_DIGEST_SIZE SHA1_DIGEST_SIZE
> #define IMA_EVENT_NAME_LEN_MAX 255
>
> -#define IMA_HASH_BITS 9
> +#define IMA_HASH_BITS 10
> #define IMA_MEASURE_HTABLE_SIZE (1 << IMA_HASH_BITS)
>
> #define IMA_TEMPLATE_FIELD_ID_MAX_LEN 16
> @@ -179,9 +179,9 @@ struct ima_h_table {
> };
> extern struct ima_h_table ima_htable;
>
> -static inline unsigned long ima_hash_key(u8 *digest)
> +static inline unsigned int ima_hash_key(u8 *digest)
> {
> - return hash_long(*digest, IMA_HASH_BITS);
> + return (*(unsigned int *)digest % IMA_MEASURE_HTABLE_SIZE);
That almost certainly isn't right.
It falls foul of the *(integer_type *)ptr being almost always wrong.
David
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
next prev parent reply other threads:[~2020-04-27 11:00 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-27 10:28 [PATCH v2 1/6] ima: Set file->f_mode instead of file->f_flags in ima_calc_file_hash() Roberto Sassu
2020-04-27 10:28 ` [PATCH v2 2/6] evm: Check also if *tfm is an error pointer in init_desc() Roberto Sassu
2020-04-27 10:28 ` [PATCH v2 3/6] ima: Fix ima digest hash table key calculation Roberto Sassu
2020-04-27 11:00 ` David Laight [this message]
2020-04-27 12:50 ` Roberto Sassu
2020-04-27 14:28 ` David Laight
2020-04-28 7:19 ` Roberto Sassu
2020-04-28 7:30 ` [RESEND][PATCH " Roberto Sassu
2020-04-30 8:03 ` David Laight
2020-04-27 10:28 ` [PATCH v2 4/6] ima: Remove redundant policy rule set in add_rules() Roberto Sassu
2020-04-27 10:28 ` [PATCH v2 5/6] ima: Set again build_ima_appraise variable Roberto Sassu
2020-04-27 10:31 ` [PATCH v2 6/6] ima: Fix return value of ima_write_policy() Roberto Sassu
2020-04-28 17:46 ` Mimi Zohar
2020-04-29 6:43 ` Krzysztof Struczynski
2020-04-27 13:42 ` [PATCH v2 1/6] ima: Set file->f_mode instead of file->f_flags in ima_calc_file_hash() Goldwyn Rodrigues
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=84ecd8f2576849b29876448df66824fc@AcuMS.aculab.com \
--to=david.laight@aculab.com \
--cc=krzysztof.struczynski@huawei.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=rgoldwyn@suse.de \
--cc=roberto.sassu@huawei.com \
--cc=silviu.vlasceanu@huawei.com \
--cc=stable@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).