Hey Mimi,

Just a gentle ping on this one.

On Wed, Jan 04, 2023 at 03:41:56AM +0000, Matt Bobrowski wrote:
> The IMA_COLLECTED flag indicates whether the IMA subsystem has
> successfully collected a measurement for a given file object. Ensure
> that we return the respective digest value stored within the iint
> entry only when this flag has been set.
>
> Failing to check for the presence of this flag exposes consumers of
> this IMA API to receive potentially undesired IMA digest values when
> an erroneous condition has been experienced in some of the lower level
> IMA API code.
>
> Signed-off-by: Matt Bobrowski <mattbobrowski@xxxxxxxxxx>
> --- > security/integrity/ima/ima_main.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > index b1ae0f2751f1..1d40cdfa23d5 100644 > --- a/security/integrity/ima/ima_main.c > +++ b/security/integrity/ima/ima_main.c > @@ -563,7 +563,7 @@ static int __ima_inode_hash(struct inode *inode, struct file *file, char *buf, > * ima_file_hash can be called when ima_collect_measurement has still > * not been called, we might not always have a hash. > */ > - if (!iint->ima_hash) { > + if (!iint->ima_hash || !(iint->flags & IMA_COLLECTED)) { > mutex_unlock(&iint->mutex); > return -EOPNOTSUPP; > } > -- > 2.39.0.314.g84b9a713c41-goog

/M
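
Review bot: the comment directly above the modified `if` in __ima_inode_hash() still explains only the "we might not always have a hash" case, so the new `!(iint->flags & IMA_COLLECTED)` test is undocumented in the code; extend that comment to say a digest is returned only once IMA_COLLECTED is set on the iint. Both conditions also return the same -EOPNOTSUPP, so a caller cannot tell "no measurement collected yet" apart from the "erroneous condition" in lower-level code that the commit message describes; if that distinction matters to consumers of this API, note it in the comment or return a separate error code. The flag is tested before `mutex_unlock(&iint->mutex)`, so it is read under the iint mutex, which is the right place for it.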