Skip to content

K
Kernel

openeuler / Kernel
接近 2 年 前同步成功

通知 8
Star 0
Fork 0
K
Kernel
提交 c78eb5c1 编写于 作者: Z Zhang Tianxing 提交者: Zheng Zengkai
浏览文件
操作

ima: don't allow control characters in policy path 

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I409K9
CVE: NA

-----------------------------------------------------------------

Expected error message `ima: Unable to open file:` can be overwritten
when the uploaded path contains control characters like `\r` or `\b`.
Therefore, When an invalid path (which contains control characters) is
uploaded through SecurityFS, unexpected logs can be printed to dmesg.

This patch rejects policy paths with control characters.
Signed-off-by: NZhang Tianxing <zhangtianxing3@huawei.com>
Reviewed-by: NRoberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
上级 7c9d18bc
隐藏空白更改
内联 并排
Showing with 9 addition and 0 deletion
security/integrity/ima/ima_fs.c
浏览文件 @ c78eb5c1
...@@ -22,6 +22,7 @@ ...@@ -22,6 +22,7 @@
#include <linux/parser.h> #include <linux/parser.h>
#include <linux/vmalloc.h> #include <linux/vmalloc.h>
#include <linux/file.h> #include <linux/file.h>
#include <linux/ctype.h>
#include "ima.h" #include "ima.h"
#include "ima_digest_list.h" #include "ima_digest_list.h"
...@@ -363,6 +364,7 @@ static ssize_t ima_write_data(struct file *file, const char __user *buf, ...@@ -363,6 +364,7 @@ static ssize_t ima_write_data(struct file *file, const char __user *buf,
char *data; char *data;
ssize_t result; ssize_t result;
struct dentry *dentry = file_dentry(file); struct dentry *dentry = file_dentry(file);
int i;
/* No partial writes. */ /* No partial writes. */
result = -EINVAL; result = -EINVAL;
...@@ -383,6 +385,13 @@ static ssize_t ima_write_data(struct file *file, const char __user *buf, ...@@ -383,6 +385,13 @@ static ssize_t ima_write_data(struct file *file, const char __user *buf,
goto out_free; goto out_free;
data[datalen] = '\0'; data[datalen] = '\0';
for (i = 0; data[i] != '\n' && data[i] != '\0'; i++) {
if (iscntrl(data[i])) {
pr_err_once("invalid path (control characters are not allowed)\n");
result = -EINVAL;
goto out_free;
}
}
result = mutex_lock_interruptible(&ima_write_mutex); result = mutex_lock_interruptible(&ima_write_mutex);
if (result < 0) if (result < 0)
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册