In restore_template_fmt(), template_desc->fmt will be NULL if kstrdup
fails, but the return value of restore_template_fmt() will not be null,
then in ima_restore_measurement_list(), template_desc->fmt will continue
to be used in below logic:
|-- restore_template_fmt(...); <-- template_desc->fmt = NULL
|-- ret = template_desc_init_fields(template_desc->fmt,
&(template_desc->fields),
&(template_desc->num_fields));
|-- template_num_fields = template_fmt_size(template_fmt);
|--int template_fmt_len = strlen(template_fmt); <-- null-pre-def
So we need return NULL and free template_desc's memory if kstrdup fails
to fix it.
Fixes: c7d09367702e ("ima: support restoring multiple template formats")
Signed-off-by: Gaosheng Cui <cuigaosheng1@xxxxxxxxxx>
---
security/integrity/ima/ima_template.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
index c25079faa208..dc6e8a5194da 100644
--- a/security/integrity/ima/ima_template.c
+++ b/security/integrity/ima/ima_template.c
@@ -331,23 +331,26 @@ static struct ima_template_desc *restore_template_fmt(char *template_name)
if (ret < 0) {
pr_err("attempting to initialize the template \"%s\" failed\n",
template_name);
- goto out;
+ goto err;
}
template_desc = kzalloc(sizeof(*template_desc), GFP_KERNEL);
if (!template_desc)
- goto out;
+ goto err;
template_desc->name = "";
template_desc->fmt = kstrdup(template_name, GFP_KERNEL);
if (!template_desc->fmt)
- goto out;
+ goto err;
spin_lock(&template_list);
list_add_tail_rcu(&template_desc->list, &defined_templates);
spin_unlock(&template_list);
-out:
return template_desc;
+err:
+ if (template_desc != NULL)
+ kfree(template_desc);
+ return NULL;
}
static int ima_restore_template_data(struct ima_template_desc *template_desc,
--
2.25.1
