ima: Fix use after free in ima_read_modsig()
If we can't parse the PKCS7 in the appended modsig, we will free the modsig
structure and then access one of its members to determine the error value.

Fixes: 39b0709 ("ima: Implement support for module-style appended signatures")
Reported-by: kbuild test robot <lkp@intel.com>
Reported-by: Julia Lawall <julia.lawall@lip6.fr>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
Reviewed-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
bauermann authored and mimizohar committed Aug 28, 2019
1 parent 70433f6 commit 556d971
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion security/integrity/ima/ima_modsig.c
Expand Up @@ -91,8 +91,9 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,

hdr->pkcs7_msg = pkcs7_parse_message(buf + buf_len, sig_len);
if (IS_ERR(hdr->pkcs7_msg)) {
rc = PTR_ERR(hdr->pkcs7_msg);
kfree(hdr);
return PTR_ERR(hdr->pkcs7_msg);
return rc;
}

memcpy(hdr->raw_pkcs7, buf + buf_len, sig_len);
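
Review bot: In the IS_ERR(hdr->pkcs7_msg) branch, the declaration of rc is not visible in this hunk and neither of the two added lines declares it, so confirm it already exists as an int earlier in ima_read_modsig() (the function returns int, while PTR_ERR() yields a long). The ordering is what makes this correct: rc = PTR_ERR(hdr->pkcs7_msg) has to run before kfree(hdr), because the pointer being decoded is a member of hdr. A one-line comment above the assignment saying the error must be read before the free would keep a later cleanup from reordering the two statements. The rendered page has dropped the +/- markers; going by the commit message and the 2 additions / 1 deletion count, return PTR_ERR(hdr->pkcs7_msg); after kfree(hdr) is the removed line and return rc; replaces it.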