Commit 556d971b authored by Thiago Jung Bauermann, committed by Mimi Zohar

ima: Fix use after free in ima_read_modsig()

If we can't parse the PKCS7 in the appended modsig, we will free the modsig
structure and then access one of its members to determine the error value.

Fixes: 39b07096 ("ima: Implement support for module-style appended signatures")
Reported-by: kbuild test robot <lkp@intel.com>
Reported-by: Julia Lawall <julia.lawall@lip6.fr>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
Reviewed-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
parent 70433f67
...@@ -91,8 +91,9 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len, ...@@ -91,8 +91,9 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
hdr->pkcs7_msg = pkcs7_parse_message(buf + buf_len, sig_len); hdr->pkcs7_msg = pkcs7_parse_message(buf + buf_len, sig_len);
if (IS_ERR(hdr->pkcs7_msg)) { if (IS_ERR(hdr->pkcs7_msg)) {
rc = PTR_ERR(hdr->pkcs7_msg);
kfree(hdr); kfree(hdr);
return PTR_ERR(hdr->pkcs7_msg); return rc;
} }
memcpy(hdr->raw_pkcs7, buf + buf_len, sig_len); memcpy(hdr->raw_pkcs7, buf + buf_len, sig_len);
......
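Review bot: In the IS_ERR(hdr->pkcs7_msg) branch, rc has no declaration in the visible lines, and the hunk grows by only one line (8 to 9), so it must be an existing local of ima_read_modsig(). Please confirm that it is an int matching the function's return type, since PTR_ERR() yields a long. The ordering is what this error path needs: hdr->pkcs7_msg is read into rc before kfree(hdr), and nothing dereferences hdr afterwards. An alternative that keeps the return expression next to the check is to copy the parsed pointer into a local before storing it in hdr, but the saved-rc form is fine as long as no later change reintroduces a read of hdr between kfree(hdr) and the return.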