When adding new protections against writing invalid data in the security.ima xattr, I erroneously expected ima_get_hash_algo() to always return a valid 'enum hash_algo', but it turns out it trusts the user-supplied digital signatures and return it without any checks. It didn't affect process_measurement() because that function (indirectly) calls into ima_alloc_atfm() that fallback silently on the default hash algorithm, but it did affect ima_inode_setxattr as that new function didn't perform a bounds check. Update ima_get_hash_algo() to always return a valid hash algorithm, defaulting on 'ima_hash_algo' when the user-supplied value inside the xattr is invalid. This patch was successfully tested by syszbot, see https://syzkaller.appspot.com/bug?extid=e8bafe7b82c739eaf153. Signed-off-by: THOBY Simon <Simon.THOBY@xxxxxxxxxx> Reported-by: syzbot+e8bafe7b82c739eaf153@xxxxxxxxxxxxxxxxxxxxxxxxx --- security/integrity/ima/ima_appraise.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 8f1eb7ef041e..dbba51583e7c 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -185,7 +185,8 @@ enum hash_algo ima_get_hash_algo(const struct evm_ima_xattr_data *xattr_value, switch (xattr_value->type) { case EVM_IMA_XATTR_DIGSIG: sig = (typeof(sig))xattr_value; - if (sig->version != 2 || xattr_len <= sizeof(*sig)) + if (sig->version != 2 || xattr_len <= sizeof(*sig) + || sig->hash_algo >= HASH_ALGO__LAST) return ima_hash_algo; return sig->hash_algo; break; -- 2.31.1
