Patch "ima: fix blocking of security.ima xattrs of unsupported algorithms" has been added to the 6.0-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 16 Oct 2022 22:10:36 -0400

This is a note to let you know that I've just added the patch titled

    ima: fix blocking of security.ima xattrs of unsupported algorithms

to the 6.0-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ima-fix-blocking-of-security.ima-xattrs-of-unsupport.patch
and it can be found in the queue-6.0 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 58cf095bc7cc3642d0c21d5cc90cd06bdb89751b
Author: Mimi Zohar <zohar@xxxxxxxxxxxxx>
Date:   Wed Aug 17 17:18:42 2022 -0400

    ima: fix blocking of security.ima xattrs of unsupported algorithms
    
    [ Upstream commit 5926586f291b53cb8a0c9631fc19489be1186e2d ]
    
    Limit validating the hash algorithm to just security.ima xattr, not
    the security.evm xattr or any of the protected EVM security xattrs,
    nor posix acls.
    
    Fixes: 50f742dd9147 ("IMA: block writes of the security.ima xattr with unsupported algorithms")
    Reported-by: Christian Brauner <brauner@xxxxxxxxxx>
    Acked-by: Christian Brauner (Microsoft) <brauner@xxxxxxxxxx>
    Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index bde74fcecee3..3e0fbbd99534 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -750,22 +750,26 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
 	const struct evm_ima_xattr_data *xvalue = xattr_value;
 	int digsig = 0;
 	int result;
+	int err;
 
 	result = ima_protect_xattr(dentry, xattr_name, xattr_value,
 				   xattr_value_len);
 	if (result == 1) {
 		if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
 			return -EINVAL;
+
+		err = validate_hash_algo(dentry, xvalue, xattr_value_len);
+		if (err)
+			return err;
+
 		digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
 	} else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) {
 		digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG);
 	}
 	if (result == 1 || evm_revalidate_status(xattr_name)) {
-		result = validate_hash_algo(dentry, xvalue, xattr_value_len);
-		if (result)
-			return result;
-
 		ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
+		if (result == 1)
+			result = 0;
 	}
 	return result;
 }






