Commit 4adfa865 authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'integrity-v5.19-fix' of...

Merge tag 'integrity-v5.19-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Pull integrity fixes from Mimi Zohar:
 "Here are a number of fixes for recently found bugs.

  Only 'ima: fix violation measurement list record' was introduced in
  the current release. The rest address existing bugs"

* tag 'integrity-v5.19-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  ima: Fix potential memory leak in ima_init_crypto()
  ima: force signature verification when CONFIG_KEXEC_SIG is configured
  ima: Fix a potential integer overflow in ima_appraise_measurement
  ima: fix violation measurement list record
  Revert "evm: Fix memleak in init_desc"
parents 2eb5866c 067d2521
+6 −0
@@ -452,6 +452,12 @@ static inline int kexec_crash_loaded(void) { return 0; }
#define kexec_in_progress false
#endif /* CONFIG_KEXEC_CORE */

#ifdef CONFIG_KEXEC_SIG
void set_kexec_sig_enforced(void);
#else
static inline void set_kexec_sig_enforced(void) {}
#endif

#endif /* !defined(__ASSEBMLY__) */

#endif /* LINUX_KEXEC_H */
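Review bot: The `#else` stub `static inline void set_kexec_sig_enforced(void) {}` silently drops the caller's request when CONFIG_KEXEC_SIG is off, and nothing at the declaration says so. Because the function returns void, a caller that wants signed kexec images cannot tell whether enforcement took effect, so the no-op deserves a comment, e.g. `/* Without CONFIG_KEXEC_SIG there is no kexec signature check for this to turn on; the call is a no-op. */`. The real contract of the non-stub version (a one-way switch that, as far as this commit shows, is never cleared) is only visible in kernel/kexec_file.c, so a one-line comment above the prototype here would help readers of the header too.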
+10 −1
@@ -29,6 +29,15 @@
#include <linux/vmalloc.h>
#include "kexec_internal.h"

#ifdef CONFIG_KEXEC_SIG
static bool sig_enforce = IS_ENABLED(CONFIG_KEXEC_SIG_FORCE);

void set_kexec_sig_enforced(void)
{
	sig_enforce = true;
}
#endif

static int kexec_calculate_store_digests(struct kimage *image);

/*
@@ -159,7 +168,7 @@ kimage_validate_signature(struct kimage *image)
					   image->kernel_buf_len);
	if (ret) {

		if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) {
		if (sig_enforce) {
			pr_notice("Enforced kernel signature verification failed (%d).\n", ret);
			return ret;
		}
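Review bot: The new `static bool sig_enforce` is written by set_kexec_sig_enforced() and read in kimage_validate_signature() (which starts before the second hunk) with no comment stating that it is meant to be a one-way latch, so a later change could add a way to clear it and quietly weaken the check. The initializer `IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)` preserves the old default, and the only write on the page sets it to true; a comment above the definition would pin that, e.g. `/* One-way: set (presumably from IMA policy, per the commit title) to require a valid signature; never cleared at runtime. */`. The write and the read are not synchronized; if the setter only runs during early init this is benign, but the comment should say so rather than leave it to the reader.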
+2 −5
@@ -75,7 +75,7 @@ static struct shash_desc *init_desc(char type, uint8_t hash_algo)
{
	long rc;
	const char *algo;
	struct crypto_shash **tfm, *tmp_tfm = NULL;
	struct crypto_shash **tfm, *tmp_tfm;
	struct shash_desc *desc;

	if (type == EVM_XATTR_HMAC) {
@@ -120,16 +120,13 @@ static struct shash_desc *init_desc(char type, uint8_t hash_algo)
alloc:
	desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(*tfm),
			GFP_KERNEL);
	if (!desc) {
		crypto_free_shash(tmp_tfm);
	if (!desc)
		return ERR_PTR(-ENOMEM);
	}

	desc->tfm = *tfm;

	rc = crypto_shash_init(desc);
	if (rc) {
		crypto_free_shash(tmp_tfm);
		kfree(desc);
		return ERR_PTR(rc);
	}
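Review bot: The restored `if (!desc) return ERR_PTR(-ENOMEM);` and the `crypto_shash_init()` failure path once again leave `tmp_tfm` unfreed, and neither the hunk nor the commit record says why the earlier leak fix was wrong, so the next reader is likely to re-introduce it. From `desc->tfm = *tfm;` it appears `tmp_tfm` has already been published through `*tfm` (presumably a cache that outlives this call) by the time these paths run, in which case freeing it would leave a dangling pointer rather than fix a leak. A comment at the `-ENOMEM` return would record this, e.g. `/* NOTE: *tfm keeps the tfm (presumably cached across calls); do not free tmp_tfm on these error paths — see the revert of "evm: Fix memleak in init_desc" */`. init_desc() begins before the first hunk and continues past the second.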
+2 −1
@@ -514,7 +514,8 @@ int ima_appraise_measurement(enum ima_hooks func,
		goto out;
	}

	status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
	status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value,
				 rc < 0 ? 0 : rc, iint);
	switch (status) {
	case INTEGRITY_PASS:
	case INTEGRITY_PASS_IMMUTABLE:
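Review bot: `rc < 0 ? 0 : rc` clamps an error code into a length argument without saying why a negative `rc` can reach this call or what a zero length means to evm_verifyxattr(); the `goto out` just above suggests some negative values are deliberately let through, but the read that produces `rc` is outside the hunk. A named local keeps the intent visible and makes the conversion explicit, e.g. `size_t xattr_len = rc < 0 ? 0 : (size_t)rc; /* rc < 0: presumably no IMA xattr was read; never widen the error code to size_t */` followed by passing `xattr_len`. ima_appraise_measurement() begins before the hunk.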
+1 −0
@@ -205,6 +205,7 @@ int __init ima_init_crypto(void)

		crypto_free_shash(ima_algo_array[i].tfm);
	}
	kfree(ima_algo_array);
out:
	crypto_free_shash(ima_shash_tfm);
	return rc;
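Review bot: The added `kfree(ima_algo_array);` leaves `ima_algo_array` dangling if it is the file-scope pointer that the `ima_algo_array[i].tfm` indexing in the loop above suggests. Setting `ima_algo_array = NULL;` immediately after the kfree would turn any later accidental reference into a clean NULL dereference instead of a use-after-free, and it is a single line. The loop freeing the per-entry tfms starts before the hunk, so it cannot be confirmed here which entries were initialised; ima_init_crypto() begins outside the hunk.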