]> www.infradead.org Git - users/dwmw2/linux.git/commitdiff
ima: Fix NULL pointer dereference in ima_file_hash
authorKP Singh <kpsingh@google.com>
Wed, 16 Sep 2020 18:02:42 +0000 (18:02 +0000)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 29 Oct 2020 09:11:21 +0000 (10:11 +0100)
[ Upstream commit aa662fc04f5b290b3979332588bf8d812b189962 ]

ima_file_hash can be called when there is no iint->ima_hash available
even though the inode exists in the integrity cache. It is fairly
common for a file to not have a hash. (e.g. an mknodat, prior to the
file being closed).

Another example where this can happen (suggested by Jann Horn):

Process A does:

while(1) {
unlink("/tmp/imafoo");
fd = open("/tmp/imafoo", O_RDWR|O_CREAT|O_TRUNC, 0700);
if (fd == -1) {
perror("open");
continue;
}
write(fd, "A", 1);
close(fd);
}

and Process B does:

while (1) {
int fd = open("/tmp/imafoo", O_RDONLY);
if (fd == -1)
continue;
     char *mapping = mmap(NULL, 0x1000, PROT_READ|PROT_EXEC,
       MAP_PRIVATE, fd, 0);
if (mapping != MAP_FAILED)
munmap(mapping, 0x1000);
close(fd);
   }

Due to the race to get the iint->mutex between ima_file_hash and
process_measurement iint->ima_hash could still be NULL.

Fixes: 6beea7afcc72 ("ima: add the ability to query the cached hash of a given file")
Signed-off-by: KP Singh <kpsingh@google.com>
Reviewed-by: Florent Revest <revest@chromium.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
security/integrity/ima/ima_main.c

index 8a91711ca79b2af3999f981d1fe7a0dfd5c1b78e..4c86cd4eece0cce972497c83200ace7abb11161b 100644 (file)
@@ -531,6 +531,16 @@ int ima_file_hash(struct file *file, char *buf, size_t buf_size)
                return -EOPNOTSUPP;
 
        mutex_lock(&iint->mutex);
+
+       /*
+        * ima_file_hash can be called when ima_collect_measurement has still
+        * not been called, we might not always have a hash.
+        */
+       if (!iint->ima_hash) {
+               mutex_unlock(&iint->mutex);
+               return -EOPNOTSUPP;
+       }
+
        if (buf) {
                size_t copied_size;