| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260201024015.2862236-1-hodgesd@meta.com>
Date: Sat, 31 Jan 2026 18:40:15 -0800
From: Daniel Hodges <hodgesd@...a.com>
To: Mimi Zohar <zohar@...ux.ibm.com>,
Roberto Sassu
<roberto.sassu@...wei.com>,
Dmitry Kasatkin <dmitry.kasatkin@...il.com>
CC: Eric Snowberg <eric.snowberg@...cle.com>,
Paul Moore
<paul@...l-moore.com>, James Morris <jmorris@...ei.org>,
"Serge E . Hallyn"
<serge@...lyn.com>,
<linux-integrity@...r.kernel.org>,
<linux-security-module@...r.kernel.org>,
<linux-kernel@...r.kernel.org>, Daniel Hodges <hodgesd@...a.com>
Subject: [PATCH] ima: check return value of crypto_shash_final() in boot aggregate
The return value of crypto_shash_final() is not checked in
ima_calc_boot_aggregate_tfm(). If the hash finalization fails, the
function returns success and a corrupted boot aggregate digest could
be used for IMA measurements.
Capture the return value and propagate any error to the caller.
Fixes: 76bb28f6126f ("ima: use new crypto_shash API instead of old crypto_hash")
Signed-off-by: Daniel Hodges <hodgesd@...a.com>
---
security/integrity/ima/ima_crypto.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index 6f5696d999d0..8ae7821a65c2 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -825,21 +825,21 @@ static int ima_calc_boot_aggregate_tfm(char *digest, u16 alg_id,
* non-SHA1 boot_aggregate digests to avoid ambiguity.
*/
if (alg_id != TPM_ALG_SHA1) {
for (i = TPM_PCR8; i < TPM_PCR10; i++) {
ima_pcrread(i, &d);
rc = crypto_shash_update(shash, d.digest,
crypto_shash_digestsize(tfm));
}
}
if (!rc)
- crypto_shash_final(shash, digest);
+ rc = crypto_shash_final(shash, digest);
return rc;
}
int ima_calc_boot_aggregate(struct ima_digest_data *hash)
{
struct crypto_shash *tfm;
u16 crypto_id, alg_id;
int rc, i, bank_idx = -1;
for (i = 0; i < ima_tpm_chip->nr_allocated_banks; i++) {
--
2.47.3
Powered by blists - more mailing lists