summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorThiago Jung Bauermann <bauerman@linux.ibm.com>2019-08-08 02:43:18 +0200
committerMimi Zohar <zohar@linux.ibm.com>2019-08-28 21:01:24 +0200
commit556d971bdae643de4cd7e2976e14f70ca2a3061d (patch)
tree6ec599f3c79cd36ee2222dd519ca5c93c8c0f28a /security
parentMODSIGN: make new include file self contained (diff)
downloadlinux-556d971bdae643de4cd7e2976e14f70ca2a3061d.tar.xz
linux-556d971bdae643de4cd7e2976e14f70ca2a3061d.zip
ima: Fix use after free in ima_read_modsig()
If we can't parse the PKCS7 in the appended modsig, we will free the modsig structure and then access one of its members to determine the error value. Fixes: 39b07096364a ("ima: Implement support for module-style appended signatures") Reported-by: kbuild test robot <lkp@intel.com> Reported-by: Julia Lawall <julia.lawall@lip6.fr> Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com> Reviewed-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'security')
-rw-r--r--security/integrity/ima/ima_modsig.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c
index c412e31d1714..d106885cc495 100644
--- a/security/integrity/ima/ima_modsig.c
+++ b/security/integrity/ima/ima_modsig.c
@@ -91,8 +91,9 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
hdr->pkcs7_msg = pkcs7_parse_message(buf + buf_len, sig_len);
if (IS_ERR(hdr->pkcs7_msg)) {
+ rc = PTR_ERR(hdr->pkcs7_msg);
kfree(hdr);
- return PTR_ERR(hdr->pkcs7_msg);
+ return rc;
}
memcpy(hdr->raw_pkcs7, buf + buf_len, sig_len);