On 23 October 2014 18:40, Jan Kara <j...@suse.cz> wrote: > On Thu 23-10-14 16:47:17, Dmitry Kasatkin wrote: >> ima_inode_setxattr() can be called with no value. Function does not >> check the length so that following command can be used to produce >> kernel oops: setfattr -n security.ima FOO. This patch fixes it. >> > .. >> >> Reported-by: Jan Kara <j...@suse.cz> >> Signed-off-by: Dmitry Kasatkin <d.kasat...@samsung.com> >> --- >> security/integrity/ima/ima_appraise.c | 2 ++ >> 1 file changed, 2 insertions(+) >> >> diff --git a/security/integrity/ima/ima_appraise.c >> b/security/integrity/ima/ima_appraise.c >> index 5b845af..f07aacd 100644 >> --- a/security/integrity/ima/ima_appraise.c >> +++ b/security/integrity/ima/ima_appraise.c >> @@ -378,6 +378,8 @@ int ima_inode_setxattr(struct dentry *dentry, const char >> *xattr_name, >> result = ima_protect_xattr(dentry, xattr_name, xattr_value, >> xattr_value_len); >> if (result == 1) { >> + if (!xattr_value_len) >> + return -EINVAL; > Wouldn't it be safer to return EINVAL whenever xattr_value_len != > sizeof(evm_ima_xattr_data)?
In this function we only use first byte to identify attribute type. sizeof(evm_ima_xattr_data) is SHA1_DIGEST_SIZE + 1. But IMA may use any other algorithm where digest size is different. - Dmitry > > Honza >> ima_reset_appraise_flags(dentry->d_inode, >> (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0); >> result = 0; >> -- >> 1.9.1 >> > -- > Jan Kara <j...@suse.cz> > SUSE Labs, CR -- Thanks, Dmitry -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/