From: Zhang Tianxing zhangtianxing3@huawei.com
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I409K9 CVE: NA
-----------------------------------------------------------------
Expected error message `ima: Unable to open file:` can be overwritten when the uploaded path contains control characters like `\r` or `\b`. Therefore, When an invalid path (which contains control characters) is uploaded through SecurityFS, unexpected logs can be printed to dmesg.
This patch rejects policy paths with control characters.
Signed-off-by: Zhang Tianxing zhangtianxing3@huawei.com Reviewed-by: Roberto Sassu roberto.sassu@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com Signed-off-by: zhoushuiqing zhoushuiqing2@huawei.com --- security/integrity/ima/ima_fs.c | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index 66574a79ac97..5a7be9595e28 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -22,6 +22,7 @@ #include <linux/parser.h> #include <linux/vmalloc.h> #include <linux/file.h> +#include <linux/ctype.h>
#include "ima.h" #include "ima_digest_list.h" @@ -363,6 +364,7 @@ static ssize_t ima_write_data(struct file *file, const char __user *buf, char *data; ssize_t result; struct dentry *dentry = file_dentry(file); + int i;
/* No partial writes. */ result = -EINVAL; @@ -383,6 +385,13 @@ static ssize_t ima_write_data(struct file *file, const char __user *buf, goto out_free;
data[datalen] = '\0'; + for (i = 0; data[i] != '\n' && data[i] != '\0'; i++) { + if (iscntrl(data[i])) { + pr_err_once("invalid path (control characters are not allowed)\n"); + result = -EINVAL; + goto out_free; + } + }
result = mutex_lock_interruptible(&ima_write_mutex); if (result < 0)