Re: [PATCH] ima: Replace two seq_printf() calls by seq_puts() in... | linux-security-module

Re: [PATCH] ima: Replace two seq_printf() calls by seq_puts() in ima_show_template_data_ascii()

From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2019-07-03 11:15:01
Also in: kernel-janitors, linux-integrity, lkml

On Wed, 2019-07-03 at 09:16 +0000, David Laight wrote:

quoted

diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
index 9fe0ef7f91e2..05636e9b19b1 100644
--- a/security/integrity/ima/ima_template_lib.c
+++ b/security/integrity/ima/ima_template_lib.c

@@ -74,7 +74,7 @@ static void ima_show_template_data_ascii(struct seq_file *m,
 	case DATA_FMT_DIGEST_WITH_ALGO:
 		buf_ptr = strnchr(field_data->data, buflen, ':');
 		if (buf_ptr != field_data->data)
-			seq_printf(m, "%s", field_data->data);
+			seq_puts(m, field_data->data);

 		/* skip ':' and '\0' */
 		buf_ptr += 2;

That code looks highly suspect!
It uses a bounded scan then assumes a '\0' terminated string.
It then adds 2 to a potentially NULL pointer.

The code here is used for displaying the IMA measurement list, that
the kernel itself created.  Protecting the in kernel memory from
attack is a different problem.  Refer to Igor Stoppa's write once
memory pools.

Mimi

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help