ima: Fix use after free in ima_read_modsig()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

If we can't parse the PKCS7 in the appended modsig, we will free the modsig
structure and then access one of its members to determine the error value.

Fixes: 39b07096364a ("ima: Implement support for module-style appended signatures")
Reported-by: kbuild test robot <lkp@intel.com>
Reported-by: Julia Lawall <julia.lawall@lip6.fr>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
Reviewed-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

authored by

Thiago Jung Bauermann and committed by

Mimi Zohar 6 years ago 556d971b 70433f67

+2 -1

1 changed file

expand all

security

integrity

ima

ima_modsig.c

+2 -1

security/integrity/ima/ima_modsig.c

··· 91 91 92 92 hdr->pkcs7_msg = pkcs7_parse_message(buf + buf_len, sig_len); 93 93 if (IS_ERR(hdr->pkcs7_msg)) { 94 + rc = PTR_ERR(hdr->pkcs7_msg); 94 95 kfree(hdr); 95 - return PTR_ERR(hdr->pkcs7_msg); 96 + return rc; 96 97 } 97 98 98 99 memcpy(hdr->raw_pkcs7, buf + buf_len, sig_len);