lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20241009145335.1297855-1-david.fernandez.gonzalez@oracle.com>
Date: Wed,  9 Oct 2024 14:53:34 +0000
From: David Fernandez Gonzalez <david.fernandez.gonzalez@...cle.com>
To: Mimi Zohar <zohar@...ux.ibm.com>, Roberto Sassu <roberto.sassu@...wei.com>,
        Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
        Eric Snowberg <eric.snowberg@...cle.com>,
        Paul Moore <paul@...l-moore.com>, James Morris <jmorris@...ei.org>,
        "Serge E. Hallyn" <serge@...lyn.com>, linux-integrity@...r.kernel.org,
        linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Cc: harshit.m.mogalapalli@...cle.com, vegard.nossum@...cle.com,
        david.fernandez.gonzalez@...cle.com
Subject: [PATCH] ima: Fix OOB read when violation occurs with ima template.

When processing a violation inside ima_eventdigest_init,
ima_eventdigest_init_common will be called with cur_digest
being NULL. hash_algo is always set to HASH_ALGO__LAST.

Inside ima_eventdigest_init_common, since digest is NULL,
offset will be calculated by accessing hash_digest_size
with HASH_ALGO__LAST, one element OOB.

This will be used to calculate the amount of bytes
to be copied as file content hash. Depending on the memory,
this could lead to the 0 hash not being recorded if offset is 0,
the violation not being recorded at all if offset is too big
(as it will be used to allocate the buffer in
ima_write_template_field_data), or potentially leaking
memory values into the measurements file, if offset is big
enough but can still be used to allocate the buffer.

UBSAN: array-index-out-of-bounds in security/integrity/ima/ima_template_lib.c:329:29
index 23 is out of range for type 'int [23]'
CPU: 0 UID: 0 PID: 383 Comm: journal-offline Not tainted 6.12.0-rc2 #14
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x64/0x80
 __ubsan_handle_out_of_bounds+0xc6/0x100
 ima_eventdigest_init_common+0x297/0x2c0
 ? ima_add_violation+0x10b/0x260
 ? __pfx_ima_eventdigest_init_common+0x10/0x10
 ? path_openat+0x739/0x1ba0
 ? do_filp_open+0x168/0x290
 ? do_sys_openat2+0x126/0x160
 ima_eventdigest_init+0xba/0x280
 ? __pfx_ima_eventdigest_init+0x10/0x10
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? __kmalloc_noprof+0x1cd/0x490
 ? ima_alloc_init_template+0xd8/0x2f0
 ima_alloc_init_template+0x1d1/0x2f0
 ima_add_violation+0x10b/0x260
 ...

HASH_ALGO__LAST is only passed to ima_eventdigest_init_common
for ima template. This change ensures to set an appropriate hash_algo
value before calculating the offset.

Cc: stable@...r.kernel.org
Fixes: 9fab303a2cb3 ("ima: fix violation measurement list record")
Signed-off-by: David Fernandez Gonzalez <david.fernandez.gonzalez@...cle.com>
---
 security/integrity/ima/ima_template_lib.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
index 4183956c53af..7a46d720303b 100644
--- a/security/integrity/ima/ima_template_lib.c
+++ b/security/integrity/ima/ima_template_lib.c
@@ -318,15 +318,19 @@ static int ima_eventdigest_init_common(const u8 *digest, u32 digestsize,
 				      hash_algo_name[hash_algo]);
 	}
 
-	if (digest)
+	if (digest) {
 		memcpy(buffer + offset, digest, digestsize);
-	else
+	} else {
 		/*
 		 * If digest is NULL, the event being recorded is a violation.
 		 * Make room for the digest by increasing the offset by the
 		 * hash algorithm digest size.
 		 */
+		if (hash_algo == HASH_ALGO__LAST) /* To handle ima template case */
+			hash_algo = ima_template_hash_algo_allowed(ima_hash_algo) ?
+				ima_hash_algo : HASH_ALGO_SHA1;
 		offset += hash_digest_size[hash_algo];
+	}
 
 	return ima_write_template_field_data(buffer, offset + digestsize,
 					     fmt, field_data);
-- 
2.43.0


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ