Commit d4b387ba authored Nov 26, 2024 by Samasth Norway Ananda Committed by Gu Bowen Nov 26, 2024

ima: fix buffer overrun in ima_eventdigest_init_common

stable inclusion
from stable-v6.6.63
commit 8a84765c62cc0469864e2faee43aae253ad16082
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB75G4

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8a84765c62cc0469864e2faee43aae253ad16082



--------------------------------

commit 923168a0631bc42fffd55087b337b1b6c54dcff5 upstream.

Function ima_eventdigest_init() calls ima_eventdigest_init_common()
with HASH_ALGO__LAST which is then used to access the array
hash_digest_size[] leading to buffer overrun. Have a conditional
statement to handle this.

Fixes: 9fab303a ("ima: fix violation measurement list record")
Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
Tested-by: Enrico Bravi (PhD at polito.it) <enrico.bravi@huawei.com>
Cc: stable@vger.kernel.org # 5.19+
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Gu Bowen <gubowen5@huawei.com>

parent b95a35e8

security/integrity/ima/ima_template_lib.c

+10 −4

Original line number	Diff line number	Diff line
		@@ -318,15 +318,21 @@ static int ima_eventdigest_init_common(const u8 *digest, u32 digestsize,
		hash_algo_name[hash_algo]);
		}

		if (digest)
		if (digest) {
		memcpy(buffer + offset, digest, digestsize);
		else
		} else {
		/*
		* If digest is NULL, the event being recorded is a violation.
		* Make room for the digest by increasing the offset by the
		* hash algorithm digest size.
		* hash algorithm digest size. If the hash algorithm is not
		* specified increase the offset by IMA_DIGEST_SIZE which
		* fits SHA1 or MD5
		*/
		if (hash_algo < HASH_ALGO__LAST)
		offset += hash_digest_size[hash_algo];
		else
		offset += IMA_DIGEST_SIZE;
		}

		return ima_write_template_field_data(buffer, offset + digestsize,
		fmt, field_data);