From c50d9c87ae2e67d33fd68de29b7689c7ec390f9a Mon Sep 17 00:00:00 2001
From: Zhang Tianxing <zhangtianxing3@huawei.com>
Date: Fri, 16 Jul 2021 15:26:41 +0800
Subject: [PATCH] ima: don't allow control characters in policy path

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I409K9
CVE: NA

-----------------------------------------------------------------

Expected error message `ima: Unable to open file:` can be overwritten
when the uploaded path contains control characters like `\r` or `\b`.
Therefore, When an invalid path (which contains control characters) is
uploaded through SecurityFS, unexpected logs can be printed to dmesg.

This patch rejects policy paths with control characters.

Signed-off-by: Zhang Tianxing <zhangtianxing3@huawei.com>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
---
 security/integrity/ima/ima_fs.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 16035af08fce..96eeee9e12c1 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -22,6 +22,7 @@
 #include <linux/parser.h>
 #include <linux/vmalloc.h>
 #include <linux/file.h>
+#include <linux/ctype.h>
 
 #include "ima.h"
 #include "ima_digest_list.h"
@@ -363,6 +364,7 @@ static ssize_t ima_write_data(struct file *file, const char __user *buf,
 	char *data;
 	ssize_t result;
 	struct dentry *dentry = file_dentry(file);
+	int i;
 
 	/* No partial writes. */
 	result = -EINVAL;
@@ -383,6 +385,13 @@ static ssize_t ima_write_data(struct file *file, const char __user *buf,
 		goto out_free;
 
 	data[datalen] = '\0';
+	for (i = 0; data[i] != '\n' && data[i] != '\0'; i++) {
+		if (iscntrl(data[i])) {
+			pr_err_once("invalid path (control characters are not allowed)\n");
+			result = -EINVAL;
+			goto out_free;
+		}
+	}
 
 	result = mutex_lock_interruptible(&ima_write_mutex);
 	if (result < 0)
-- 
GitLab