On Wed, 2019-07-03 at 09:16 +0000, David Laight wrote: > > diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c > > index 9fe0ef7f91e2..05636e9b19b1 100644 > > --- a/security/integrity/ima/ima_template_lib.c > > +++ b/security/integrity/ima/ima_template_lib.c > > @@ -74,7 +74,7 @@ static void ima_show_template_data_ascii(struct seq_file *m, > > case DATA_FMT_DIGEST_WITH_ALGO: > > buf_ptr = strnchr(field_data->data, buflen, ':'); > > if (buf_ptr != field_data->data) > > - seq_printf(m, "%s", field_data->data); > > + seq_puts(m, field_data->data); > > > > /* skip ':' and '\0' */ > > buf_ptr += 2; > > That code looks highly suspect! > It uses a bounded scan then assumes a '\0' terminated string. > It then adds 2 to a potentially NULL pointer. The code here is used for displaying the IMA measurement list, that the kernel itself created. Protecting the in kernel memory from attack is a different problem. Refer to Igor Stoppa's write once memory pools. Mimi
