Skip to content
This repository has been archived by the owner on Sep 24, 2020. It is now read-only.

Commit

Permalink
evm: check hash algorithm passed to init_desc()
Browse files Browse the repository at this point in the history 
commit 221be10 upstream.

This patch prevents memory access beyond the evm_tfm array by checking the
validity of the index (hash algorithm) passed to init_desc(). The hash
algorithm can be arbitrarily set if the security.ima xattr type is not
EVM_XATTR_HMAC.

Fixes: 5feeb61 ("evm: Allow non-SHA1 digital signatures")
Signed-off-by: Roberto Sassu <[email protected]>
Cc: [email protected]
Signed-off-by: Mimi Zohar <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
  • Loading branch information
@robertosassu @gregkh
robertosassu authored and gregkh committed Jun 9, 2019
1 parent f85b87a commit 6e322a9
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions security/integrity/evm/evm_crypto.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -89,6 +89,9 @@ static struct shash_desc *init_desc(char type, uint8_t hash_algo)
tfm = &hmac_tfm;
algo = evm_hmac;
} else {
if (hash_algo >= HASH_ALGO__LAST)
return ERR_PTR(-EINVAL);

tfm = &evm_tfm[hash_algo];
algo = hash_algo_name[hash_algo];
}
Expand Down

0 comments on commit 6e322a9

Please sign in to comment.