From: Zhang Tianxing <zhangtianxing3@huawei.com> euleros inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I7QZ2M CVE: NA ----------------------------------------------------------------- Expected error message `ima: Unable to open file:` can be overwritten when the uploaded path contains control characters like `\r` or `\b`. Therefore, When an invalid path (which contains control characters) is uploaded through SecurityFS, unexpected logs can be printed to dmesg. This patch rejects policy paths with control characters. Signed-off-by: Zhang Tianxing <zhangtianxing3@huawei.com> Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com> Signed-off-by: zhoushuiqing <zhoushuiqing2@huawei.com> --- security/integrity/ima/ima_efi.c | 3 +++ security/integrity/ima/ima_fs.c | 10 ++++++++++ 2 files changed, 13 insertions(+) diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c index 9db66fe31..e1eba55f9 100644 --- a/security/integrity/ima/ima_efi.c +++ b/security/integrity/ima/ima_efi.c @@ -6,6 +6,9 @@ #include <linux/module.h> #include <linux/ima.h> #include <asm/efi.h> +#ifdef CONFIG_IMA_DIGEST_LIST +#include <linux/ctype.h> +#endif #ifndef arch_ima_efi_boot_mode #define arch_ima_efi_boot_mode efi_secureboot_mode_unset diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index 7a20c567f..e531ee483 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -24,6 +24,7 @@ #ifdef CONFIG_IMA_DIGEST_LIST #include <linux/file.h> +#include <linux/ctype.h> #endif #include "ima.h" #ifdef CONFIG_IMA_DIGEST_LIST @@ -427,6 +428,7 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf, ssize_t result; #ifdef CONFIG_IMA_DIGEST_LIST struct dentry *dentry = file_dentry(file); + int i; #endif #ifndef CONFIG_IMA_DIGEST_LIST @@ -454,6 +456,14 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf, goto out_free; data[datalen] = '\0'; + + for (i = 0; data[i] != '\n' && data[i] != '\0'; i++) { + if (iscntrl(data[i])) { + pr_err_once("invalid path (control characters are not allowed)\n"); + result = -EINVAL; + goto out_free; + } + } #else data = memdup_user_nul(buf, datalen); if (IS_ERR(data)) { -- 2.33.0