ima: make a copy of template_fmt in template_desc_init_fields()

Roberto Sassu · Mimi Zohar · commit dbc335d2dc3c · 2013-11-25T15:05:33.000-05:00
This patch makes a copy of the 'template_fmt' function argument so that the latter will not be modified by strsep(), which does the splitting by replacing the given separator with '\0'. IMA: No TPM chip found, activating TPM-bypass! Unable to handle kernel pointer dereference at virtual kernel address 0000000000842000 Oops: 0004 [#1] SMP Modules linked in: CPU: 3 PID: 1 Comm: swapper/0 Not tainted 3.12.0-rc2-00098-g3ce1217d6cd5 #17 task: 000000003ffa0000 ti: 000000003ff84000 task.ti: 000000003ff84000 Krnl PSW : 0704e00180000000 000000000044bf88 (strsep+0x7c/0xa0) R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 EA:3 Krnl GPRS: 000000000000007c 000000000000007c 000000003ff87d90 0000000000821fd8 0000000000000000 000000000000007c 0000000000aa37e0 0000000000aa9008 0000000000000051 0000000000a114d8 0000000100000002 0000000000842bde 0000000000842bdf 00000000006f97f0 000000000040062c 000000003ff87cf0 Krnl Code: 000000000044bf7c: a7f4000a brc 15,44bf90 000000000044bf80: b90200cc ltgr %r12,%r12 #000000000044bf84: a7840006 brc 8,44bf90 >000000000044bf88: 9200c000 mvi 0(%r12),0 000000000044bf8c: 41c0c001 la %r12,1(%r12) 000000000044bf90: e3c020000024 stg %r12,0(%r2) 000000000044bf96: b904002b lgr %r2,%r11 000000000044bf9a: ebbcf0700004 lmg %r11,%r12,112(%r15) Call Trace: ([<00000000004005fe>] ima_init_template+0xa2/0x1bc) [<0000000000a7c896>] ima_init+0x7a/0xa8 [<0000000000a7c938>] init_ima+0x24/0x40 [<00000000001000e8>] do_one_initcall+0x68/0x128 [<0000000000a4eb56>] kernel_init_freeable+0x20a/0x2b4 [<00000000006a1ff4>] kernel_init+0x30/0x178 [<00000000006b69fe>] kernel_thread_starter+0x6/0xc [<00000000006b69f8>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<000000000044bf42>] strsep+0x36/0xa0 Fixes commit: adf53a7 ima: new templates management mechanism Changelog v1: - make template_fmt 'const char *' (reported-by James Morris) - fix kstrdup memory leak (reported-by James Morris) Reported-by: Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Tested-by: Heiko Carstens <heiko.carstens@de.ibm.com>
diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
@@ -90,7 +90,7 @@ static struct ima_template_field *lookup_template_field(const char *field_id)
 	return NULL;
 }
 
-static int template_fmt_size(char *template_fmt)
+static int template_fmt_size(const char *template_fmt)
 {
 	char c;
 	int template_fmt_len = strlen(template_fmt);
@@ -106,23 +106,28 @@ static int template_fmt_size(char *template_fmt)
 	return j + 1;
 }
 
-static int template_desc_init_fields(char *template_fmt,
+static int template_desc_init_fields(const char *template_fmt,
 				     struct ima_template_field ***fields,
 				     int *num_fields)
 {
-	char *c, *template_fmt_ptr = template_fmt;
+	char *c, *template_fmt_copy;
 	int template_num_fields = template_fmt_size(template_fmt);
 	int i, result = 0;
 
 	if (template_num_fields > IMA_TEMPLATE_NUM_FIELDS_MAX)
 		return -EINVAL;
 
+	/* copying is needed as strsep() modifies the original buffer */
+	template_fmt_copy = kstrdup(template_fmt, GFP_KERNEL);
+	if (template_fmt_copy == NULL)
+		return -ENOMEM;
+
 	*fields = kzalloc(template_num_fields * sizeof(*fields), GFP_KERNEL);
 	if (*fields == NULL) {
 		result = -ENOMEM;
 		goto out;
 	}
-	for (i = 0; (c = strsep(&template_fmt_ptr, "|")) != NULL &&
+	for (i = 0; (c = strsep(&template_fmt_copy, "|")) != NULL &&
 	     i < template_num_fields; i++) {
 		struct ima_template_field *f = lookup_template_field(c);
 
@@ -133,10 +138,12 @@ static int template_desc_init_fields(char *template_fmt,
 		(*fields)[i] = f;
 	}
 	*num_fields = i;
-	return 0;
 out:
-	kfree(*fields);
-	*fields = NULL;
+	if (result < 0) {
+		kfree(*fields);
+		*fields = NULL;
+	}
+	kfree(template_fmt_copy);
 	return result;
 }
 
