| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241009145335.1297855-1-david.fernandez.gonzalez@oracle.com>
Date: Wed, 9 Oct 2024 14:53:34 +0000
From: David Fernandez Gonzalez <david.fernandez.gonzalez@...cle.com>
To: Mimi Zohar <zohar@...ux.ibm.com>, Roberto Sassu <roberto.sassu@...wei.com>,
Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
Eric Snowberg <eric.snowberg@...cle.com>,
Paul Moore <paul@...l-moore.com>, James Morris <jmorris@...ei.org>,
"Serge E. Hallyn" <serge@...lyn.com>, linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Cc: harshit.m.mogalapalli@...cle.com, vegard.nossum@...cle.com,
david.fernandez.gonzalez@...cle.com
Subject: [PATCH] ima: Fix OOB read when violation occurs with ima template.
When processing a violation inside ima_eventdigest_init,
ima_eventdigest_init_common will be called with cur_digest
being NULL. hash_algo is always set to HASH_ALGO__LAST.
Inside ima_eventdigest_init_common, since digest is NULL,
offset will be calculated by accessing hash_digest_size
with HASH_ALGO__LAST, one element OOB.
This will be used to calculate the amount of bytes
to be copied as file content hash. Depending on the memory,
this could lead to the 0 hash not being recorded if offset is 0,
the violation not being recorded at all if offset is too big
(as it will be used to allocate the buffer in
ima_write_template_field_data), or potentially leaking
memory values into the measurements file, if offset is big
enough but can still be used to allocate the buffer.
UBSAN: array-index-out-of-bounds in security/integrity/ima/ima_template_lib.c:329:29
index 23 is out of range for type 'int [23]'
CPU: 0 UID: 0 PID: 383 Comm: journal-offline Not tainted 6.12.0-rc2 #14
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x64/0x80
__ubsan_handle_out_of_bounds+0xc6/0x100
ima_eventdigest_init_common+0x297/0x2c0
? ima_add_violation+0x10b/0x260
? __pfx_ima_eventdigest_init_common+0x10/0x10
? path_openat+0x739/0x1ba0
? do_filp_open+0x168/0x290
? do_sys_openat2+0x126/0x160
ima_eventdigest_init+0xba/0x280
? __pfx_ima_eventdigest_init+0x10/0x10
? srso_alias_return_thunk+0x5/0xfbef5
? __kmalloc_noprof+0x1cd/0x490
? ima_alloc_init_template+0xd8/0x2f0
ima_alloc_init_template+0x1d1/0x2f0
ima_add_violation+0x10b/0x260
...
HASH_ALGO__LAST is only passed to ima_eventdigest_init_common
for ima template. This change ensures to set an appropriate hash_algo
value before calculating the offset.
Cc: stable@...r.kernel.org
Fixes: 9fab303a2cb3 ("ima: fix violation measurement list record")
Signed-off-by: David Fernandez Gonzalez <david.fernandez.gonzalez@...cle.com>
---
security/integrity/ima/ima_template_lib.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
index 4183956c53af..7a46d720303b 100644
--- a/security/integrity/ima/ima_template_lib.c
+++ b/security/integrity/ima/ima_template_lib.c
@@ -318,15 +318,19 @@ static int ima_eventdigest_init_common(const u8 *digest, u32 digestsize,
hash_algo_name[hash_algo]);
}
- if (digest)
+ if (digest) {
memcpy(buffer + offset, digest, digestsize);
- else
+ } else {
/*
* If digest is NULL, the event being recorded is a violation.
* Make room for the digest by increasing the offset by the
* hash algorithm digest size.
*/
+ if (hash_algo == HASH_ALGO__LAST) /* To handle ima template case */
+ hash_algo = ima_template_hash_algo_allowed(ima_hash_algo) ?
+ ima_hash_algo : HASH_ALGO_SHA1;
offset += hash_digest_size[hash_algo];
+ }
return ima_write_template_field_data(buffer, offset + digestsize,
fmt, field_data);
--
2.43.0
Powered by blists - more mailing lists