Commit 038b77f6 authored by Seth Forshee's avatar Seth Forshee Committed by Luis Henriques

UBUNTU: SAUCE: (namespace) security/integrity: Harden against malformed xattrs

BugLink: http://bugs.launchpad.net/bugs/1634964

In general the handling of IMA/EVM xattrs is good, but I found
a few locations where either the xattr size or the value of the
type field in the xattr are not checked. Add a few simple checks
to these locations to prevent malformed or malicious xattrs from
causing problems.
Signed-off-by: default avatarSeth Forshee <seth.forshee@canonical.com>
Acked-by: default avatarTim Gardner <tim.gardner@canonical.com>
Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
parent db19ff87
......@@ -36,7 +36,7 @@ static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
const char *digest, int digestlen)
{
if (id >= INTEGRITY_KEYRING_MAX)
if (id >= INTEGRITY_KEYRING_MAX || siglen < 2)
return -EINVAL;
if (!keyring[id]) {
......
......@@ -145,6 +145,10 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
/* check value type */
switch (xattr_data->type) {
case EVM_XATTR_HMAC:
if (xattr_len != sizeof(struct evm_ima_xattr_data)) {
evm_status = INTEGRITY_FAIL;
goto out;
}
rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
xattr_value_len, calc.digest);
if (rc)
......
......@@ -147,6 +147,8 @@ void ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, int xattr_len,
break;
case IMA_XATTR_DIGEST_NG:
hash->algo = xattr_value->digest[0];
if (hash->algo >= HASH_ALGO__LAST)
hash->algo = ima_hash_algo;
break;
case IMA_XATTR_DIGEST:
/* this is for backward compatibility */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment