On Thu, 2020-06-18 at 18:04 +0200, Roberto Sassu wrote:
> Errors returned by crypto_shash_update() are not checked in
> ima_calc_boot_aggregate_tfm() and thus can be overwritten at the next
> iteration of the loop. This patch adds a check after calling
> crypto_shash_update() and returns immediately if the result is not zero.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 3323eec921efd ("integrity: IMA as an integrity service provider")
> Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>

Verification of the boot_aggregate will fail, but yes this should be
fixed. This patch and the next should be moved up front to the
beginning of the patch set.

Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>

thanks,

Mimi
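
The failure mode described in the quoted commit message, as an added example that is not part of this thread or of the kernel patch: a user-space C model of a loop whose per-iteration return code is overwritten, next to the same loop with the early return. `struct stub_hash`, `stub_update()`, `aggregate()`, the additive checksum and the PCR contents are hypothetical stand-ins constructed for illustration, not the kernel crypto API.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_PCRS   8   /* constructed loop bound */
#define DIGEST_LEN 20  /* constructed digest size */

/* Hypothetical stand-in for a hash context; not the kernel crypto API. */
struct stub_hash { uint32_t state; int calls; int fail_at; };

/* Stand-in update: 0 on success, -EIO on the call numbered fail_at. */
static int stub_update(struct stub_hash *h, const uint8_t *d, size_t len)
{
    if (h->calls++ == h->fail_at)
        return -EIO;                  /* this chunk is not mixed in */
    for (size_t i = 0; i < len; i++)
        h->state += d[i];             /* toy additive checksum, not a digest */
    return 0;
}

/* checked == 0 keeps only the last rc; checked != 0 returns on first error. */
static int aggregate(int fail_at, int checked, uint32_t *out)
{
    struct stub_hash h = { 0, 0, fail_at };
    uint8_t pcr[DIGEST_LEN];
    int rc = 0;

    for (int i = 0; i < NUM_PCRS; i++) {
        memset(pcr, i + 1, sizeof(pcr));      /* constructed PCR contents */
        rc = stub_update(&h, pcr, sizeof(pcr));
        if (checked && rc)
            return rc;
    }
    if (!rc)
        *out = h.state;               /* "finalise" only when rc is zero */
    return rc;
}

int main(void)
{
    uint32_t good = 0, bad = 0;
    int rc_good = aggregate(-1, 0, &good);
    int rc_bad = aggregate(3, 0, &bad);       /* failure on chunk 3 is lost */
    printf("no failure: rc=%d sum=%u\n", rc_good, (unsigned)good);
    printf("unchecked:  rc=%d sum=%u\n", rc_bad, (unsigned)bad);
    printf("checked:    rc=%d\n", aggregate(3, 1, &bad));
    return 0;
}
```

In the unchecked run the caller sees success and a value computed without one of the inputs; only a failure on the final iteration would still be reported.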