Patch "ima: Fix NULL pointer dereference in ima_file_hash" has been added to the 5.9-stable tree


 



This is a note to let you know that I've just added the patch titled

    ima: Fix NULL pointer dereference in ima_file_hash

to the 5.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ima-fix-null-pointer-dereference-in-ima_file_hash.patch
and it can be found in the queue-5.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit f412a47d888ba10c7ed9c448203beddf099c9c95
Author: KP Singh <kpsingh@xxxxxxxxxx>
Date:   Wed Sep 16 18:02:42 2020 +0000

    ima: Fix NULL pointer dereference in ima_file_hash
    
    [ Upstream commit aa662fc04f5b290b3979332588bf8d812b189962 ]
    
    ima_file_hash can be called when there is no iint->ima_hash available
    even though the inode exists in the integrity cache. It is fairly
    common for a file to not have a hash. (e.g. an mknodat, prior to the
    file being closed).
    
    Another example where this can happen (suggested by Jann Horn):
    
    Process A does:
    
            while(1) {
                    unlink("/tmp/imafoo");
                    fd = open("/tmp/imafoo", O_RDWR|O_CREAT|O_TRUNC, 0700);
                    if (fd == -1) {
                            perror("open");
                            continue;
                    }
                    write(fd, "A", 1);
                    close(fd);
            }
    
    and Process B does:
    
            while (1) {
                    int fd = open("/tmp/imafoo", O_RDONLY);
                    if (fd == -1)
                            continue;
                    char *mapping = mmap(NULL, 0x1000, PROT_READ|PROT_EXEC,
                                         MAP_PRIVATE, fd, 0);
                    if (mapping != MAP_FAILED)
                            munmap(mapping, 0x1000);
                    close(fd);
            }
    
    Due to the race to get the iint->mutex between ima_file_hash and
    process_measurement iint->ima_hash could still be NULL.
    
    Fixes: 6beea7afcc72 ("ima: add the ability to query the cached hash of a given file")
    Signed-off-by: KP Singh <kpsingh@xxxxxxxxxx>
    Reviewed-by: Florent Revest <revest@xxxxxxxxxxxx>
    Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 8a91711ca79b2..4c86cd4eece0c 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -531,6 +531,16 @@ int ima_file_hash(struct file *file, char *buf, size_t buf_size)
 		return -EOPNOTSUPP;
 
 	mutex_lock(&iint->mutex);
+
+	/*
+	 * ima_file_hash can be called when ima_collect_measurement has still
+	 * not been called, we might not always have a hash.
+	 */
+	if (!iint->ima_hash) {
+		mutex_unlock(&iint->mutex);
+		return -EOPNOTSUPP;
+	}
+
 	if (buf) {
 		size_t copied_size;
 
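Review bot: The new `!iint->ima_hash` branch returns -EOPNOTSUPP, the same value as the early return just above mutex_lock(), so a caller cannot tell a file whose hash has not been collected yet (the transient state the commit message's race describes) from the condition handled by that earlier return. Consider a distinct errno for the no-hash case, or at least state in the documentation of ima_file_hash() that -EOPNOTSUPP also covers "no hash collected yet", so callers know the result can change once the file is measured. The unlock before the return is correct. The comment is a comma splice and would read better as two sentences, for example "... has not been called yet. We might not always have a hash."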


