From: Zhang Tianxing <zhangtianxing3@huawei.com> hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I409K9 CVE: NA ----------------------------------------------------------------- Expected error message `ima: Unable to open file:` can be overwritten when the uploaded path contains control characters like `\r` or `\b`. Therefore, When an invalid path (which contains control characters) is uploaded through SecurityFS, unexpected logs can be printed to dmesg. This patch rejects policy paths with control characters. Signed-off-by: Zhang Tianxing <zhangtianxing3@huawei.com> Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com> Signed-off-by: Zhou Shuiqing<zhoushuiqing2@huawei.com> --- security/integrity/ima/ima_fs.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index 66574a79ac97..5a7be9595e28 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -22,6 +22,7 @@ #include <linux/parser.h> #include <linux/vmalloc.h> #include <linux/file.h> +#include <linux/ctype.h> #include "ima.h" #include "ima_digest_list.h" @@ -363,6 +364,7 @@ static ssize_t ima_write_data(struct file *file, const char __user *buf, char *data; ssize_t result; struct dentry *dentry = file_dentry(file); + int i; /* No partial writes. */ result = -EINVAL; @@ -383,6 +385,13 @@ static ssize_t ima_write_data(struct file *file, const char __user *buf, goto out_free; data[datalen] = '\0'; + for (i = 0; data[i] != '\n' && data[i] != '\0'; i++) { + if (iscntrl(data[i])) { + pr_err_once("invalid path (control characters are not allowed)\n"); + result = -EINVAL; + goto out_free; + } + } result = mutex_lock_interruptible(&ima_write_mutex); if (result < 0) -- 2.33.0