ima: verify if the segment size has changed

kexec 'load' may be called multiple times. Free and realloc the buffer
only if the segment_size is changed from the previous kexec 'load' call.

Signed-off-by: Steven Chen <chenste@linux.microsoft.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Acked-by: Baoquan He <bhe@redhat.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com> # ppc64/kvm
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
index 5c3b3e0b21862320bb1083dc1643882ea30d72c0..ed867734ee7071bcb2f2cb4dce74c28620c6d57c 100644 (file)
--- a/security/integrity/ima/ima_kexec.c
+++ b/security/integrity/ima/ima_kexec.c
@@ -33,6 +33,14 @@ static void ima_free_kexec_file_buf(struct seq_file *sf)
 
 static int ima_alloc_kexec_file_buf(size_t segment_size)
 {
+       /*
+        * kexec 'load' may be called multiple times.
+        * Free and realloc the buffer only if the segment_size is
+        * changed from the previous kexec 'load' call.
+        */
+       if (ima_kexec_file.buf && ima_kexec_file.size == segment_size)
+               goto out;
+
        ima_free_kexec_file_buf(&ima_kexec_file);
 
        /* segment size can't change between kexec load and execute */
@@ -41,6 +49,8 @@ static int ima_alloc_kexec_file_buf(size_t segment_size)
                return -ENOMEM;
 
        ima_kexec_file.size = segment_size;
+
+out:
        ima_kexec_file.read_pos = 0;
        ima_kexec_file.count = sizeof(struct ima_kexec_hdr);    /* reserved space */