Commit c78eb5c1 authored by Zhang Tianxing's avatar Zhang Tianxing Committed by Zheng Zengkai
Browse files

ima: don't allow control characters in policy path 

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I409K9


CVE: NA

-----------------------------------------------------------------

Expected error message `ima: Unable to open file:` can be overwritten
when the uploaded path contains control characters like `\r` or `\b`.
Therefore, When an invalid path (which contains control characters) is
uploaded through SecurityFS, unexpected logs can be printed to dmesg.

This patch rejects policy paths with control characters.

Signed-off-by: default avatarZhang Tianxing <zhangtianxing3@huawei.com>
Reviewed-by: default avatarRoberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
parent 7c9d18bc

security/integrity/ima/ima_fs.c

+9 −0
Original line number Diff line number Diff line
@@ -22,6 +22,7 @@ 
#include <linux/parser.h>

#include <linux/vmalloc.h>

#include <linux/file.h>

#include <linux/ctype.h>



#include "ima.h"

#include "ima_digest_list.h"
@@ -363,6 +364,7 @@ static ssize_t ima_write_data(struct file *file, const char __user *buf, 
	char *data;

	ssize_t result;

	struct dentry *dentry = file_dentry(file);

	int i;



	/* No partial writes. */

	result = -EINVAL;
@@ -383,6 +385,13 @@ static ssize_t ima_write_data(struct file *file, const char __user *buf, 
		goto out_free;



	data[datalen] = '\0';

	for (i = 0; data[i] != '\n' && data[i] != '\0'; i++) {

		if (iscntrl(data[i])) {

			pr_err_once("invalid path (control characters are not allowed)\n");

			result = -EINVAL;

			goto out_free;

		}

	}



	result = mutex_lock_interruptible(&ima_write_mutex);

	if (result < 0)