From 4e8581eefe720f8d990b892a8c9d298875e1a299 Mon Sep 17 00:00:00 2001
From: Roberto Sassu <roberto.sassu@huawei.com>
Date: Thu, 30 Nov 2017 11:56:02 +0100
Subject: [PATCH] ima: pass filename to ima_rdwr_violation_check()
ima_rdwr_violation_check() retrieves the full path of a measured file by
calling ima_d_path(). If process_measurement() calls this function, it
reuses the pointer and passes it to the functions to measure/appraise/audit
an accessed file.
After commit bc15ed663e7e ("ima: fix ima_d_path() possible race with
rename"), ima_d_path() first tries to retrieve the full path by calling
d_absolute_path() and, if there is an error, copies the dentry name to the
buffer passed as argument.
However, ima_rdwr_violation_check() passes to ima_d_path() the pointer of a
local variable. process_measurement() might be reusing the pointer to an
area in the stack which may have been already overwritten after
ima_rdwr_violation_check() returned.
Correct this issue by passing to ima_rdwr_violation_check() the pointer of
a buffer declared in process_measurement().
Fixes: bc15ed663e7e ("ima: fix ima_d_path() possible race with rename")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
---
security/integrity/ima/ima_main.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index be1987e13c43..0abc7d0db90b 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -84,10 +84,10 @@ static void ima_rdwr_violation_check(struct file *file,
struct integrity_iint_cache *iint,
int must_measure,
char **pathbuf,
- const char **pathname)
+ const char **pathname,
+ char *filename)
{
struct inode *inode = file_inode(file);
- char filename[NAME_MAX];
fmode_t mode = file->f_mode;
bool send_tomtou = false, send_writers = false;
@@ -210,7 +210,7 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
if (!rc && violation_check)
ima_rdwr_violation_check(file, iint, action & IMA_MEASURE,
- &pathbuf, &pathname);
+ &pathbuf, &pathname, filename);
inode_unlock(inode);
--
GitLab