From: Zhang Tianxing zhangtianxing3@huawei.com
euleros inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I7QZ2M CVE: NA
-----------------------------------------------------------------
Expected error message `ima: Unable to open file:` can be overwritten when the uploaded path contains control characters like `\r` or `\b`. Therefore, When an invalid path (which contains control characters) is uploaded through SecurityFS, unexpected logs can be printed to dmesg.
This patch rejects policy paths with control characters.
Signed-off-by: Zhang Tianxing zhangtianxing3@huawei.com Reviewed-by: Roberto Sassu roberto.sassu@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com Signed-off-by: zhoushuiqing zhoushuiqing2@huawei.com --- security/integrity/ima/ima_efi.c | 3 +++ security/integrity/ima/ima_fs.c | 10 ++++++++++ 2 files changed, 13 insertions(+)
diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c index 9db66fe31..e1eba55f9 100644 --- a/security/integrity/ima/ima_efi.c +++ b/security/integrity/ima/ima_efi.c @@ -6,6 +6,9 @@ #include <linux/module.h> #include <linux/ima.h> #include <asm/efi.h> +#ifdef CONFIG_IMA_DIGEST_LIST +#include <linux/ctype.h> +#endif
#ifndef arch_ima_efi_boot_mode #define arch_ima_efi_boot_mode efi_secureboot_mode_unset diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index 7a20c567f..e531ee483 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -24,6 +24,7 @@
#ifdef CONFIG_IMA_DIGEST_LIST #include <linux/file.h> +#include <linux/ctype.h> #endif #include "ima.h" #ifdef CONFIG_IMA_DIGEST_LIST @@ -427,6 +428,7 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf, ssize_t result; #ifdef CONFIG_IMA_DIGEST_LIST struct dentry *dentry = file_dentry(file); + int i; #endif
#ifndef CONFIG_IMA_DIGEST_LIST @@ -454,6 +456,14 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf, goto out_free;
data[datalen] = '\0'; + + for (i = 0; data[i] != '\n' && data[i] != '\0'; i++) { + if (iscntrl(data[i])) { + pr_err_once("invalid path (control characters are not allowed)\n"); + result = -EINVAL; + goto out_free; + } + } #else data = memdup_user_nul(buf, datalen); if (IS_ERR(data)) {