Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull Integrity subsystem fix from James Morris: "These changes fix a bug in xattr handling, where the evm and ima inode_setxattr() functions do not check for empty xattrs being passed from userspace (leading to user-triggerable null pointer dereferences)" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: evm: check xattr value length and type in evm_inode_setxattr() ima: check xattr value length and type in the ima_inode_setxattr()
This commit is contained in:
commit
8c78293213
|
@ -319,9 +319,12 @@ int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
|
|||
{
|
||||
const struct evm_ima_xattr_data *xattr_data = xattr_value;
|
||||
|
||||
if ((strcmp(xattr_name, XATTR_NAME_EVM) == 0)
|
||||
&& (xattr_data->type == EVM_XATTR_HMAC))
|
||||
return -EPERM;
|
||||
if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
|
||||
if (!xattr_value_len)
|
||||
return -EINVAL;
|
||||
if (xattr_data->type != EVM_IMA_XATTR_DIGSIG)
|
||||
return -EPERM;
|
||||
}
|
||||
return evm_protect_xattr(dentry, xattr_name, xattr_value,
|
||||
xattr_value_len);
|
||||
}
|
||||
|
|
|
@ -378,6 +378,8 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
|
|||
result = ima_protect_xattr(dentry, xattr_name, xattr_value,
|
||||
xattr_value_len);
|
||||
if (result == 1) {
|
||||
if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
|
||||
return -EINVAL;
|
||||
ima_reset_appraise_flags(dentry->d_inode,
|
||||
(xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
|
||||
result = 0;
|
||||
|
|
|
@ -61,6 +61,7 @@ enum evm_ima_xattr_type {
|
|||
EVM_XATTR_HMAC,
|
||||
EVM_IMA_XATTR_DIGSIG,
|
||||
IMA_XATTR_DIGEST_NG,
|
||||
IMA_XATTR_LAST
|
||||
};
|
||||
|
||||
struct evm_ima_xattr_data {
|
||||
|
|
Loading…
Reference in New Issue