Julia Lawall <Julia.Lawall@xxxxxxx> writes: > This looks risky. See lines 80 and 81. That is indeed a bug. Thanks for spotting it! Here's the fix: >From 445e9ab15f61dc3b1fa1a30495d233bd2d2ecdaa Mon Sep 17 00:00:00 2001 From: Thiago Jung Bauermann <bauerman@xxxxxxxxxxxxx> Date: Wed, 7 Aug 2019 21:29:53 -0300 Subject: [PATCH] ima: Fix use after free in ima_read_modsig() If we can't parse the PKCS7 in the appended modsig, we will free the modsig structure and then access one of its members to determine the error value. Fixes: 39b07096364a ("ima: Implement support for module-style appended signatures") Reported-by: kbuild test robot <lkp@xxxxxxxxx> Reported-by: Julia Lawall <julia.lawall@xxxxxxx> Signed-off-by: Thiago Jung Bauermann <bauerman@xxxxxxxxxxxxx> --- security/integrity/ima/ima_modsig.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c index c412e31d1714..d106885cc495 100644 --- a/security/integrity/ima/ima_modsig.c +++ b/security/integrity/ima/ima_modsig.c @@ -91,8 +91,9 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len, hdr->pkcs7_msg = pkcs7_parse_message(buf + buf_len, sig_len); if (IS_ERR(hdr->pkcs7_msg)) { + rc = PTR_ERR(hdr->pkcs7_msg); kfree(hdr); - return PTR_ERR(hdr->pkcs7_msg); + return rc; } memcpy(hdr->raw_pkcs7, buf + buf_len, sig_len);
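Review bot: in the IS_ERR(hdr->pkcs7_msg) branch, rc is assigned but no declaration for it appears in the hunk, and the diffstat counts only 2 insertions, so the fix depends on a local rc already existing in ima_read_modsig(). Please confirm it is an int to match the function's return type, since PTR_ERR() returns a long. The ordering is correct as written: the error value is read from hdr->pkcs7_msg before kfree(hdr), and the return no longer touches hdr. To keep the same mistake from returning, one option is to parse into a local pointer and assign hdr->pkcs7_msg only on success, so the error path never needs to read a member of the structure it frees.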