| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <187d23d7c1a02a9240cfa6caa8e502361cb77f2d.camel@huaweicloud.com>
Date: Wed, 09 Oct 2024 17:34:12 +0200
From: Roberto Sassu <roberto.sassu@...weicloud.com>
To: David Fernandez Gonzalez <david.fernandez.gonzalez@...cle.com>, Mimi
Zohar <zohar@...ux.ibm.com>, Roberto Sassu <roberto.sassu@...wei.com>,
Dmitry Kasatkin <dmitry.kasatkin@...il.com>, Eric Snowberg
<eric.snowberg@...cle.com>, Paul Moore <paul@...l-moore.com>, James Morris
<jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>,
linux-integrity@...r.kernel.org, linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org
Cc: harshit.m.mogalapalli@...cle.com, vegard.nossum@...cle.com
Subject: Re: [PATCH] ima: Fix OOB read when violation occurs with ima
template.
On Wed, 2024-10-09 at 14:53 +0000, David Fernandez Gonzalez wrote:
> When processing a violation inside ima_eventdigest_init,
> ima_eventdigest_init_common will be called with cur_digest
> being NULL. hash_algo is always set to HASH_ALGO__LAST.
>
> Inside ima_eventdigest_init_common, since digest is NULL,
> offset will be calculated by accessing hash_digest_size
> with HASH_ALGO__LAST, one element OOB.
>
> This will be used to calculate the amount of bytes
> to be copied as file content hash. Depending on the memory,
> this could lead to the 0 hash not being recorded if offset is 0,
> the violation not being recorded at all if offset is too big
> (as it will be used to allocate the buffer in
> ima_write_template_field_data), or potentially leaking
> memory values into the measurements file, if offset is big
> enough but can still be used to allocate the buffer.
Hi David
thanks a lot for the patch! We currently have another similar in our
queue:
https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git/commit/?h=next-integrity&id=fa8a4ce432e82cc138e61fab7f44d60f9e720d47
Will be sent to Linus soon.
Thanks
Roberto
> UBSAN: array-index-out-of-bounds in security/integrity/ima/ima_template_lib.c:329:29
> index 23 is out of range for type 'int [23]'
> CPU: 0 UID: 0 PID: 383 Comm: journal-offline Not tainted 6.12.0-rc2 #14
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> Call Trace:
> <TASK>
> dump_stack_lvl+0x64/0x80
> __ubsan_handle_out_of_bounds+0xc6/0x100
> ima_eventdigest_init_common+0x297/0x2c0
> ? ima_add_violation+0x10b/0x260
> ? __pfx_ima_eventdigest_init_common+0x10/0x10
> ? path_openat+0x739/0x1ba0
> ? do_filp_open+0x168/0x290
> ? do_sys_openat2+0x126/0x160
> ima_eventdigest_init+0xba/0x280
> ? __pfx_ima_eventdigest_init+0x10/0x10
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? __kmalloc_noprof+0x1cd/0x490
> ? ima_alloc_init_template+0xd8/0x2f0
> ima_alloc_init_template+0x1d1/0x2f0
> ima_add_violation+0x10b/0x260
> ...
>
> HASH_ALGO__LAST is only passed to ima_eventdigest_init_common
> for ima template. This change ensures to set an appropriate hash_algo
> value before calculating the offset.
>
> Cc: stable@...r.kernel.org
> Fixes: 9fab303a2cb3 ("ima: fix violation measurement list record")
> Signed-off-by: David Fernandez Gonzalez <david.fernandez.gonzalez@...cle.com>
> ---
> security/integrity/ima/ima_template_lib.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
> index 4183956c53af..7a46d720303b 100644
> --- a/security/integrity/ima/ima_template_lib.c
> +++ b/security/integrity/ima/ima_template_lib.c
> @@ -318,15 +318,19 @@ static int ima_eventdigest_init_common(const u8 *digest, u32 digestsize,
> hash_algo_name[hash_algo]);
> }
>
> - if (digest)
> + if (digest) {
> memcpy(buffer + offset, digest, digestsize);
> - else
> + } else {
> /*
> * If digest is NULL, the event being recorded is a violation.
> * Make room for the digest by increasing the offset by the
> * hash algorithm digest size.
> */
> + if (hash_algo == HASH_ALGO__LAST) /* To handle ima template case */
> + hash_algo = ima_template_hash_algo_allowed(ima_hash_algo) ?
> + ima_hash_algo : HASH_ALGO_SHA1;
> offset += hash_digest_size[hash_algo];
> + }
>
> return ima_write_template_field_data(buffer, offset + digestsize,
> fmt, field_data);
Powered by blists - more mailing lists