integrity-v5.19-fix
-----BEGIN PGP SIGNATURE----- iIoEABYIADIWIQQdXVVFGN5XqKr1Hj7LwZzRsCrn5QUCYtAwjhQcem9oYXJAbGlu dXguaWJtLmNvbQAKCRDLwZzRsCrn5TaxAQD2uVSa1/t9/cdTz3jWdWKrF080jChb uiYsZKA4RHbwjgEA8dCAa5zsfHX8Y0+vVqA65eyu1dQA98WbJDMQ4AaFVAg= =7Yy6 -----END PGP SIGNATURE----- Merge tag 'integrity-v5.19-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity Pull integrity fixes from Mimi Zohar: "Here are a number of fixes for recently found bugs. Only 'ima: fix violation measurement list record' was introduced in the current release. The rest address existing bugs" * tag 'integrity-v5.19-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: ima: Fix potential memory leak in ima_init_crypto() ima: force signature verification when CONFIG_KEXEC_SIG is configured ima: Fix a potential integer overflow in ima_appraise_measurement ima: fix violation measurement list record Revert "evm: Fix memleak in init_desc"
This commit is contained in:
commit
4adfa865bb
|
@ -452,6 +452,12 @@ static inline int kexec_crash_loaded(void) { return 0; }
|
|||
#define kexec_in_progress false
|
||||
#endif /* CONFIG_KEXEC_CORE */
|
||||
|
||||
#ifdef CONFIG_KEXEC_SIG
|
||||
void set_kexec_sig_enforced(void);
|
||||
#else
|
||||
static inline void set_kexec_sig_enforced(void) {}
|
||||
#endif
|
||||
|
||||
#endif /* !defined(__ASSEBMLY__) */
|
||||
|
||||
#endif /* LINUX_KEXEC_H */
|
||||
|
|
|
@ -29,6 +29,15 @@
|
|||
#include <linux/vmalloc.h>
|
||||
#include "kexec_internal.h"
|
||||
|
||||
#ifdef CONFIG_KEXEC_SIG
|
||||
static bool sig_enforce = IS_ENABLED(CONFIG_KEXEC_SIG_FORCE);
|
||||
|
||||
void set_kexec_sig_enforced(void)
|
||||
{
|
||||
sig_enforce = true;
|
||||
}
|
||||
#endif
|
||||
|
||||
static int kexec_calculate_store_digests(struct kimage *image);
|
||||
|
||||
/*
|
||||
|
@ -159,7 +168,7 @@ kimage_validate_signature(struct kimage *image)
|
|||
image->kernel_buf_len);
|
||||
if (ret) {
|
||||
|
||||
if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) {
|
||||
if (sig_enforce) {
|
||||
pr_notice("Enforced kernel signature verification failed (%d).\n", ret);
|
||||
return ret;
|
||||
}
|
||||
|
|
|
@ -75,7 +75,7 @@ static struct shash_desc *init_desc(char type, uint8_t hash_algo)
|
|||
{
|
||||
long rc;
|
||||
const char *algo;
|
||||
struct crypto_shash **tfm, *tmp_tfm = NULL;
|
||||
struct crypto_shash **tfm, *tmp_tfm;
|
||||
struct shash_desc *desc;
|
||||
|
||||
if (type == EVM_XATTR_HMAC) {
|
||||
|
@ -120,16 +120,13 @@ static struct shash_desc *init_desc(char type, uint8_t hash_algo)
|
|||
alloc:
|
||||
desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(*tfm),
|
||||
GFP_KERNEL);
|
||||
if (!desc) {
|
||||
crypto_free_shash(tmp_tfm);
|
||||
if (!desc)
|
||||
return ERR_PTR(-ENOMEM);
|
||||
}
|
||||
|
||||
desc->tfm = *tfm;
|
||||
|
||||
rc = crypto_shash_init(desc);
|
||||
if (rc) {
|
||||
crypto_free_shash(tmp_tfm);
|
||||
kfree(desc);
|
||||
return ERR_PTR(rc);
|
||||
}
|
||||
|
|
|
@ -514,7 +514,8 @@ int ima_appraise_measurement(enum ima_hooks func,
|
|||
goto out;
|
||||
}
|
||||
|
||||
status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
|
||||
status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value,
|
||||
rc < 0 ? 0 : rc, iint);
|
||||
switch (status) {
|
||||
case INTEGRITY_PASS:
|
||||
case INTEGRITY_PASS_IMMUTABLE:
|
||||
|
|
|
@ -205,6 +205,7 @@ int __init ima_init_crypto(void)
|
|||
|
||||
crypto_free_shash(ima_algo_array[i].tfm);
|
||||
}
|
||||
kfree(ima_algo_array);
|
||||
out:
|
||||
crypto_free_shash(ima_shash_tfm);
|
||||
return rc;
|
||||
|
|
|
@ -67,6 +67,8 @@ const char * const *arch_get_ima_policy(void)
|
|||
if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
|
||||
if (IS_ENABLED(CONFIG_MODULE_SIG))
|
||||
set_module_sig_enforced();
|
||||
if (IS_ENABLED(CONFIG_KEXEC_SIG))
|
||||
set_kexec_sig_enforced();
|
||||
return sb_arch_rules;
|
||||
}
|
||||
return NULL;
|
||||
|
|
|
@ -323,10 +323,10 @@ static int ima_eventdigest_init_common(const u8 *digest, u32 digestsize,
|
|||
else
|
||||
/*
|
||||
* If digest is NULL, the event being recorded is a violation.
|
||||
* Make room for the digest by increasing the offset of
|
||||
* IMA_DIGEST_SIZE.
|
||||
* Make room for the digest by increasing the offset by the
|
||||
* hash algorithm digest size.
|
||||
*/
|
||||
offset += IMA_DIGEST_SIZE;
|
||||
offset += hash_digest_size[hash_algo];
|
||||
|
||||
return ima_write_template_field_data(buffer, offset + digestsize,
|
||||
fmt, field_data);
|
||||
|
|
Loading…
Reference in New Issue