lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <0b454d6825824d3d9e4a99b552cc5f84@huawei.com>
Date:   Mon, 2 Mar 2020 09:46:23 +0000
From:   Roberto Sassu <roberto.sassu@...wei.com>
To:     kernel test robot <rong.a.chen@...el.com>
CC:     "zohar@...ux.ibm.com" <zohar@...ux.ibm.com>,
        "James.Bottomley@...senPartnership.com" 
        <James.Bottomley@...senPartnership.com>,
        "jarkko.sakkinen@...ux.intel.com" <jarkko.sakkinen@...ux.intel.com>,
        "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
        "linux-security-module@...r.kernel.org" 
        <linux-security-module@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Silviu Vlasceanu <Silviu.Vlasceanu@...wei.com>,
        "lkp@...ts.01.org" <lkp@...ts.01.org>
Subject: RE: [ima] 9165b814d2: BUG:kernel_NULL_pointer_dereference,address

> -----Original Message-----
> From: kernel test robot [mailto:rong.a.chen@...el.com]
> Sent: Monday, March 2, 2020 2:22 AM
> To: Roberto Sassu <roberto.sassu@...wei.com>
> Cc: zohar@...ux.ibm.com; James.Bottomley@...senPartnership.com;
> jarkko.sakkinen@...ux.intel.com; linux-integrity@...r.kernel.org; linux-
> security-module@...r.kernel.org; linux-kernel@...r.kernel.org; Silviu
> Vlasceanu <Silviu.Vlasceanu@...wei.com>; Roberto Sassu
> <roberto.sassu@...wei.com>; lkp@...ts.01.org
> Subject: [ima] 9165b814d2:
> BUG:kernel_NULL_pointer_dereference,address
> 
> FYI, we noticed the following commit (built with gcc-7):
> 
> commit: 9165b814d2bea8cfeb557505bb206396331e8192 ("[PATCH v2 8/8]
> ima: Use ima_hash_algo for collision detection in the measurement list")
> url: https://github.com/0day-ci/linux/commits/Roberto-Sassu/ima-support-
> stronger-algorithms-for-attestation/20200205-233901
> base: https://git.kernel.org/cgit/linux/kernel/git/zohar/linux-integrity.git
> next-integrity

Hi

thanks for the report.

Yes, version 2 had a bug:

---
		ima_algo_array[i++].algo = HASH_ALGO_SHA1;
	}

	if (ima_hash_algo_idx >= nr_allocated_banks) {
		ima_algo_array[i].tfm = ima_shash_tfm;
		ima_algo_array[i].algo = ima_hash_algo;
	}
---

The code allocated ima_algo_array with size 1 (TPM was not found and
the default algorithm is SHA1).

However, later it initializes ima_algo_array for SHA1 and increments the
i variable. Since the code does not check if the default algorithm is SHA1,
the last part is also executed and causes corruption, because ima_algo_array
has only one element.

I fixed already this bug in version 3 of the patch set.

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ