diff options
author | Thiago Jung Bauermann <bauerman@linux.ibm.com> | 2019-08-07 21:43:18 -0300 |
---|---|---|
committer | Mimi Zohar <zohar@linux.ibm.com> | 2019-08-28 15:01:24 -0400 |
commit | 556d971bdae643de4cd7e2976e14f70ca2a3061d (patch) | |
tree | 6ec599f3c79cd36ee2222dd519ca5c93c8c0f28a | |
parent | 70433f67ec3a54710744902d782f8954325e25b8 (diff) |
ima: Fix use after free in ima_read_modsig()
If we can't parse the PKCS7 in the appended modsig, we will free the modsig
structure and then access one of its members to determine the error value.
Fixes: 39b07096364a ("ima: Implement support for module-style appended signatures")
Reported-by: kbuild test robot <lkp@intel.com>
Reported-by: Julia Lawall <julia.lawall@lip6.fr>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
Reviewed-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-rw-r--r-- | security/integrity/ima/ima_modsig.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c index c412e31d1714..d106885cc495 100644 --- a/security/integrity/ima/ima_modsig.c +++ b/security/integrity/ima/ima_modsig.c @@ -91,8 +91,9 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len, hdr->pkcs7_msg = pkcs7_parse_message(buf + buf_len, sig_len); if (IS_ERR(hdr->pkcs7_msg)) { + rc = PTR_ERR(hdr->pkcs7_msg); kfree(hdr); - return PTR_ERR(hdr->pkcs7_msg); + return rc; } memcpy(hdr->raw_pkcs7, buf + buf_len, sig_len); |