From: Krzysztof Struczynski krzysztof.struczynski@huawei.com
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I49KW1
CVE: NA
--------------------------------
The build_appraise_rules may be a zero length array, depending on the kernel configuration. This is (vaguely) forbidden in the standard and leads to a compiler optimisation where the address of build_appraise_rules is the same as that of default_appraise_rules. That leads to an unexpected flow in add_rules(), where the condition: if (entries != build_appraise_rules) is false for entries equal to default_appraise_rules.
Signed-off-by: Krzysztof Struczynski krzysztof.struczynski@huawei.com
Reviewed-by: Zhang Tianxing zhangtianxing3@huawei.com
Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com
---
 security/integrity/ima/ima_policy.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 35ec2c8f2069..8b7ca11e82f7 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -208,6 +208,13 @@ static struct ima_rule_entry build_appraise_rules[] __ro_after_init = { {.action = APPRAISE, .func = POLICY_CHECK, .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, #endif +#if !defined(CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS) && \ + !defined(CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS) && \ + !defined(CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS) && \ + !defined(CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS) + /* Add a member to avoid a zero length array */ + {.action = UNKNOWN, .func = NONE, .flags = 0}, +#endif };
static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
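Review bot: the padding entry added under the new #if block is a real member of build_appraise_rules, so any caller that walks the table with ARRAY_SIZE() will hand an {.action = UNKNOWN, .func = NONE, .flags = 0} rule to the policy code instead of skipping it; either make those callers ignore entries with .action == UNKNOWN, or extend the comment "/* Add a member to avoid a zero length array */" to say why such an entry is harmless once it reaches the rule list, since right now it states the C-level motivation only. The !defined() list must also stay in lock-step with every #ifdef that contributes an entry above it: adding a fifth CONFIG_IMA_APPRAISE_REQUIRE_*_SIGS block without touching this guard silently reintroduces the zero-length table. A note to that effect next to the guard, or alternatively removing the dependency on the table's address in add_rules() (pass an explicit "this is the build table" indication rather than comparing entries against build_appraise_rules) would be more robust than padding the array.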
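The following is an added illustration, not part of this patch or of the kernel sources, of the failure mode the commit message describes and of a layout-independent alternative. It uses a deliberately simplified stand-in for struct ima_rule_entry and for the IMA flag bits, a hypothetical DEMO_REQUIRE_MODULE_SIGS macro in place of the real CONFIG_IMA_APPRAISE_REQUIRE_*_SIGS options, and a trimmed-down add_rules() that only accumulates appraise flags. It must be built as GNU C, because a zero-length array is a GNU extension; whether the two tables actually share an address depends on the compiler and is reported at run time rather than assumed.

```c
/* Added example (not kernel code): why identifying a rule table by its
 * address breaks when that table may be zero-length, and a fix that does not
 * depend on object layout. Build as GNU C (gcc/clang accept empty arrays). */
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for ima_rule_entry and the IMA flag bits (assumed). */
enum action { UNKNOWN = 0, MEASURE = 1, APPRAISE = 2 };
enum func   { NONE = 0, MODULE_CHECK = 1, POLICY_CHECK = 2 };
#define IMA_FUNC             0x01
#define IMA_DIGSIG_REQUIRED  0x02
#define IMA_APPRAISE_MODULES 0x10
#define IMA_APPRAISE_POLICY  0x20

struct rule_entry {
	enum action action;
	enum func   func;
	int         flags;
};

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical configuration: DEMO_REQUIRE_MODULE_SIGS is not defined, so the
 * build-time appraise table ends up with zero members, mirroring the
 * build_appraise_rules[] case the patch fixes. */
static struct rule_entry build_appraise_rules[] = {
#ifdef DEMO_REQUIRE_MODULE_SIGS
	{ .action = APPRAISE, .func = MODULE_CHECK,
	  .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED },
#endif
};

/* The table that follows it in the object file. */
static struct rule_entry default_appraise_rules[] = {
	{ .action = APPRAISE, .func = POLICY_CHECK, .flags = IMA_FUNC },
};

static int appraise_flag(enum func f)
{
	switch (f) {
	case MODULE_CHECK: return IMA_APPRAISE_MODULES;
	case POLICY_CHECK: return IMA_APPRAISE_POLICY;
	default:           return 0;
	}
}

/* Nonzero when the compiler placed the empty table at the same address as the
 * table after it: exactly the condition the commit message describes. */
int tables_alias(void)
{
	return (const void *)build_appraise_rules ==
	       (const void *)default_appraise_rules;
}

/* Fragile form: the table's identity is inferred from its address. Whenever
 * tables_alias() is true, default_appraise_rules is mistaken for the build
 * table and its appraise flags are silently dropped. */
int add_rules_by_address(struct rule_entry *entries, size_t count)
{
	int flags = 0;

	for (size_t i = 0; i < count; i++) {
		if (entries[i].action != APPRAISE)
			continue;
		if (entries != build_appraise_rules)
			flags |= appraise_flag(entries[i].func);
	}
	return flags;
}

/* Layout-independent form: the caller names the table it passes, and an empty
 * table is skipped outright. Correct whether or not the tables alias. */
enum table_id { TABLE_BUILD, TABLE_DEFAULT };

int add_rules_tagged(struct rule_entry *entries, size_t count, enum table_id id)
{
	int flags = 0;

	if (count == 0)
		return 0;
	for (size_t i = 0; i < count; i++) {
		if (entries[i].action != APPRAISE)
			continue;
		if (id != TABLE_BUILD)
			flags |= appraise_flag(entries[i].func);
	}
	return flags;
}

int main(void)
{
	printf("tables alias:      %d\n", tables_alias());
	printf("flags by address:  0x%x\n",
	       add_rules_by_address(default_appraise_rules,
				    ARRAY_SIZE(default_appraise_rules)));
	printf("flags when tagged: 0x%x\n",
	       add_rules_tagged(default_appraise_rules,
				ARRAY_SIZE(default_appraise_rules), TABLE_DEFAULT));
	return 0;
}
```

On a build where the two tables alias, the address-based variant reports 0x0 for the default table while the tagged variant still reports IMA_APPRAISE_POLICY; on a build where they do not alias, both agree. That is the property worth checking: the result should not depend on where the linker put an empty array.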