Last active: September 16, 2020 13:24
Subject: [PATCH] ima: Fix NULL pointer dereference in ima_file_hash
Date: Wed, 16 Sep 2020 12:05:48 +0000
Message-Id: <20200916120548.364892-1-kpsingh@chromium.org>
X-Mailer: git-send-email 2.28.0.618.gf4bc123cb7-goog
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

From: KP Singh <kpsingh@google.com>
ima_file_hash can be called when there is no iint->ima_hash available
even though the inode exists in the integrity cache.

An example where this can happen (suggested by Jann Horn):

Process A does:

  while(1) {
    unlink("/tmp/imafoo");
    fd = open("/tmp/imafoo", O_RDWR|O_CREAT|O_TRUNC, 0700);
    if (fd == -1) {
      perror("open");
      continue;
    }
    write(fd, "A", 1);
    close(fd);
  }

and Process B does:

  while (1) {
    int fd = open("/tmp/imafoo", O_RDONLY);
    if (fd == -1)
      continue;
    char *mapping = mmap(NULL, 0x1000, PROT_READ|PROT_EXEC,
                         MAP_PRIVATE, fd, 0);
    if (mapping != MAP_FAILED)
      munmap(mapping, 0x1000);
    close(fd);
  }

Due to the race to get the iint->mutex between ima_file_hash and
process_measurement, iint->ima_hash could still be NULL.
Fixes: 6beea7afcc72 ("ima: add the ability to query the cached hash of a given file")
Signed-off-by: KP Singh <kpsingh@google.com>
---
 security/integrity/ima/ima_main.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c | |
index 8a91711ca79b..4c86cd4eece0 100644 | |
--- a/security/integrity/ima/ima_main.c | |
+++ b/security/integrity/ima/ima_main.c | |
@@ -531,6 +531,16 @@ int ima_file_hash(struct file *file, char *buf, size_t buf_size) | |
return -EOPNOTSUPP; | |
mutex_lock(&iint->mutex); | |
+ | |
+ /* | |
+ * ima_file_hash can be called when ima_collect_measurement has still | |
+ * not been called, we might not always have a hash. | |
+ */ | |
+ if (!iint->ima_hash) { | |
+ mutex_unlock(&iint->mutex); | |
+ return -EOPNOTSUPP; | |
+ } | |
+ | |
if (buf) { | |
size_t copied_size; | |
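Review bot: both early returns in ima_file_hash() now report -EOPNOTSUPP, so a caller cannot tell "IMA does not apply to this file" (the existing `return -EOPNOTSUPP;` just above `mutex_lock(&iint->mutex);`) from "the file has not been measured yet" (the new `if (!iint->ima_hash)` branch). If callers are expected to retry or fall back differently in the second case, consider a distinct errno, or at least state in the function's kerneldoc that -EOPNOTSUPP also covers a not-yet-collected hash. The new comment would also read more clearly as "ima_file_hash() can be called before ima_collect_measurement() has run, so there may not be a hash yet." The check itself is correctly placed after mutex_lock(): the commit message describes the race as being on iint->mutex between ima_file_hash and process_measurement, and the same lock is what makes the NULL test meaningful.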
-- | |
2.28.0.618.gf4bc123cb7-goog |
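The two loops from the commit message as one complete program, added here and not part of the patch or of the kernel tree. It forks Process A (unlink, recreate, write) into a child and runs Process B (open, mmap with PROT_EXEC, munmap) in the parent for a bounded number of iterations instead of forever, then removes the file. Assumptions are labelled in the code: the path and iteration count are parameters rather than the fixed /tmp/imafoo, and the PROT_EXEC mapping matters because IMA only measures executable mappings through its mmap hook. User space can only supply the churn: triggering the dereference the patch fixes also needs an unpatched kernel with an IMA policy that measures those mappings and some in-kernel caller of ima_file_hash on the same file at the same time, neither of which this program provides.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Process A from the commit message: repeatedly unlink, recreate and write
 * the file so the inode, and therefore its integrity cache entry (iint),
 * keeps being replaced underneath anyone measuring it.
 * Returns the number of successful create+write rounds. */
long churn_file(const char *path, long iters)
{
    long created = 0;
    for (long i = 0; i < iters; i++) {
        unlink(path);
        int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0700);
        if (fd == -1) {
            perror("open");
            continue;
        }
        if (write(fd, "A", 1) == 1)
            created++;
        close(fd);
    }
    return created;
}

/* Process B from the commit message: open the file read-only and map it
 * PROT_EXEC. An executable mapping is what makes IMA's file_mmap hook run
 * process_measurement() on the file, which is the side of the race that
 * fills in iint->ima_hash. Failures (ENOENT while A has the file unlinked,
 * or EPERM on a noexec mount, which is an assumption about the test host)
 * are simply skipped, as in the original loop. Returns successful mappings. */
long map_file(const char *path, long iters)
{
    long mapped = 0;
    for (long i = 0; i < iters; i++) {
        int fd = open(path, O_RDONLY);
        if (fd == -1)
            continue;
        char *mapping = mmap(NULL, 0x1000, PROT_READ | PROT_EXEC,
                             MAP_PRIVATE, fd, 0);
        if (mapping != MAP_FAILED) {
            munmap(mapping, 0x1000);
            mapped++;
        }
        close(fd);
    }
    return mapped;
}

/* Run A in a child and B in the parent concurrently, wait for the child and
 * clean up. Returns the parent's mapping count, or -1 if fork/wait failed.
 * The return value is only a liveness indicator; the bug, when present,
 * shows up as a kernel oops, not as a value here. */
long race_file(const char *path, long iters)
{
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        churn_file(path, iters);
        _exit(0);
    }
    long mapped = map_file(path, iters);
    int status;
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    unlink(path);
    return mapped;
}

int main(int argc, char **argv)
{
    /* Assumed defaults; the commit message uses /tmp/imafoo and loops forever. */
    const char *path = argc > 1 ? argv[1] : "/tmp/imafoo";
    long iters = argc > 2 ? strtol(argv[2], NULL, 10) : 100000;
    long mapped = race_file(path, iters);
    if (mapped < 0) {
        perror("race_file");
        return 1;
    }
    printf("%ld of %ld mmap attempts succeeded\n", mapped, iters);
    return 0;
}
```

Run it with a path on a filesystem that allows executable mappings; on a noexec /tmp every mmap fails with EPERM, the loop still exercises the unlink/create race but IMA never sees an executable mapping, so nothing is measured.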