projects / GitHub / moto-9609 / android_kernel_motorola_exynos9610.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 710584b)
ima: fix ima_d_path() possible race with rename
authorMimi Zohar <zohar@linux.vnet.ibm.com>
Tue, 17 Jan 2017 11:45:41 +0000 (06:45 -0500)
committerMimi Zohar <zohar@linux.vnet.ibm.com>
Fri, 27 Jan 2017 19:16:02 +0000 (14:16 -0500)
On failure to return a pathname from ima_d_path(), a pointer to
dname is returned, which is subsequently used in the IMA measurement
list, the IMA audit records, and other audit logging.  Saving the
pointer to dname for later use has the potential to race with rename.

Intead of returning a pointer to dname on failure, this patch returns
a pointer to a copy of the filename.

Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: stable@vger.kernel.org
security/integrity/ima/ima.h patch | blob | blame | history
security/integrity/ima/ima_api.c patch | blob | blame | history
security/integrity/ima/ima_main.c patch | blob | blame | history

diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 5e6180a4da7d2a9d583d4b81bbcfb76a1d9e558a..b563fbd4d122c24450f98dc7c6aaffd6235c451f 100644 (file)
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -204,7 +204,7 @@ int ima_store_template(struct ima_template_entry *entry, int violation,
                       struct inode *inode,
                       const unsigned char *filename, int pcr);
 void ima_free_template_entry(struct ima_template_entry *entry);
-const char *ima_d_path(const struct path *path, char **pathbuf);
+const char *ima_d_path(const struct path *path, char **pathbuf, char *filename);
 
 /* IMA policy related functions */
 int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 9df26a2b75ba692ee9d164fb14317779a117ca16..d01a52f8f7082b4ac0a46e6f890af0cec5b59281 100644 (file)
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -318,7 +318,17 @@ void ima_audit_measurement(struct integrity_iint_cache *iint,
        iint->flags |= IMA_AUDITED;
 }
 
-const char *ima_d_path(const struct path *path, char **pathbuf)
+/*
+ * ima_d_path - return a pointer to the full pathname
+ *
+ * Attempt to return a pointer to the full pathname for use in the
+ * IMA measurement list, IMA audit records, and auditing logs.
+ *
+ * On failure, return a pointer to a copy of the filename, not dname.
+ * Returning a pointer to dname, could result in using the pointer
+ * after the memory has been freed.
+ */
+const char *ima_d_path(const struct path *path, char **pathbuf, char *namebuf)
 {
        char *pathname = NULL;
 
@@ -331,5 +341,11 @@ const char *ima_d_path(const struct path *path, char **pathbuf)
                        pathname = NULL;
                }
        }
-       return pathname ?: (const char *)path->dentry->d_name.name;
+
+       if (!pathname) {
+               strlcpy(namebuf, path->dentry->d_name.name, NAME_MAX);
+               pathname = namebuf;
+       }
+
+       return pathname;
 }
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 50818c60538b8e0e764de72c842cfb608abb305a..d5e492bd28991fc6d205102003c4d970c9f76189 100644 (file)
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -83,6 +83,7 @@ static void ima_rdwr_violation_check(struct file *file,
                                     const char **pathname)
 {
        struct inode *inode = file_inode(file);
+       char filename[NAME_MAX];
        fmode_t mode = file->f_mode;
        bool send_tomtou = false, send_writers = false;
 
@@ -102,7 +103,7 @@ static void ima_rdwr_violation_check(struct file *file,
        if (!send_tomtou && !send_writers)
                return;
 
-       *pathname = ima_d_path(&file->f_path, pathbuf);
+       *pathname = ima_d_path(&file->f_path, pathbuf, filename);
 
        if (send_tomtou)
                ima_add_violation(file, *pathname, iint,
@@ -161,6 +162,7 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
        struct integrity_iint_cache *iint = NULL;
        struct ima_template_desc *template_desc;
        char *pathbuf = NULL;
+       char filename[NAME_MAX];
        const char *pathname = NULL;
        int rc = -ENOMEM, action, must_appraise;
        int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
@@ -239,8 +241,8 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
                goto out_digsig;
        }
 
-       if (!pathname)  /* ima_rdwr_violation possibly pre-fetched */
-               pathname = ima_d_path(&file->f_path, &pathbuf);
+       if (!pathbuf)   /* ima_rdwr_violation possibly pre-fetched */
+               pathname = ima_d_path(&file->f_path, &pathbuf, filename);
 
        if (action & IMA_MEASURE)
                ima_store_measurement(iint, file, pathname,