| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <953d1c54-ac80-3807-1082-e7fd00e386d5@linux.microsoft.com>
Date: Tue, 28 Jul 2020 07:25:08 -0700
From: Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
To: Tyler Hicks <tyhicks@...ux.microsoft.com>,
Mimi Zohar <zohar@...ux.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@...il.com>
Cc: James Morris <jmorris@...ei.org>,
"Serge E . Hallyn" <serge@...lyn.com>,
Tushar Sugandhi <tusharsu@...ux.microsoft.com>,
Nayna Jain <nayna@...ux.ibm.com>, linux-kernel@...r.kernel.org,
linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org
Subject: Re: [PATCH 1/2] ima: Pre-parse the list of keyrings in a KEY_CHECK
rule
On 7/27/20 7:08 AM, Tyler Hicks wrote:
> The ima_keyrings buffer was used as a work buffer for strsep()-based
> parsing of the "keyrings=" option of an IMA policy rule. This parsing
> was re-performed each time an asymmetric key was added to a kernel
> keyring for each loaded policy rule that contained a "keyrings=" option.
>
> An example rule specifying this option is:
>
> measure func=KEY_CHECK keyrings=a|b|c
>
> The rule says to measure asymmetric keys added to any of the kernel
> keyrings named "a", "b", or "c". The size of the buffer size was
> equal to the size of the largest "keyrings=" value seen in a previously
> loaded rule (5 + 1 for the NUL-terminator in the previous example) and
> the buffer was pre-allocated at the time of policy load.
>
> The pre-allocated buffer approach suffered from a couple bugs:
>
> 1) There was no locking around the use of the buffer so concurrent key
> add operations, to two different keyrings, would result in the
> strsep() loop of ima_match_keyring() to modify the buffer at the same
> time. This resulted in unexpected results from ima_match_keyring()
> and, therefore, could cause unintended keys to be measured or keys to
> not be measured when IMA policy intended for them to be measured.
>
> 2) If the kstrdup() that initialized entry->keyrings in ima_parse_rule()
> failed, the ima_keyrings buffer was freed and set to NULL even when a
> valid KEY_CHECK rule was previously loaded. The next KEY_CHECK event
> would trigger a call to strcpy() with a NULL destination pointer and
> crash the kernel.
>
> Remove the need for a pre-allocated global buffer by parsing the list of
> keyrings in a KEY_CHECK rule at the time of policy load. The
> ima_rule_entry will contain an array of string pointers which point to
> the name of each keyring specified in the rule. No string processing
> needs to happen at the time of asymmetric key add so iterating through
> the list and doing a string comparison is all that's required at the
> time of policy check.
>
> In the process of changing how the "keyrings=" policy option is handled,
> a couple additional bugs were fixed:
>
> 1) The rule parser accepted rules containing invalid "keyrings=" values
> such as "a|b||c", "a|b|", or simply "|".
>
> 2) The /sys/kernel/security/ima/policy file did not display the entire
> "keyrings=" value if the list of keyrings was longer than what could
> fit in the fixed size tbuf buffer in ima_policy_show().
>
> Fixes: 5c7bac9fb2c5 ("IMA: pre-allocate buffer to hold keyrings string")
> Fixes: 2b60c0ecedf8 ("IMA: Read keyrings= option from the IMA policy")
> Signed-off-by: Tyler Hicks <tyhicks@...ux.microsoft.com>
> ---
> security/integrity/ima/ima_policy.c | 138 +++++++++++++++++++---------
> 1 file changed, 93 insertions(+), 45 deletions(-)
Reviewed-by: Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
Powered by blists - more mailing lists