[Linux-ima-devel] [PATCH 0/7] IMA: new parser for ima_restore_measurement_list()
Ken Goldman
kgold at linux.vnet.ibm.com
Tue May 23 21:00:27 UTC 2017
On 5/18/2017 5:38 AM, Roberto Sassu wrote:
>
> There cannot be buffer overflow, because the length of each digest
> field is known.
Crypto Agile: pcr[4] total_digest_len[4]
digest1_len[4] digest1[digest1_len] ...
The way I read this, the digest length is supplied by the caller, which
is slightly different from "known". For example, if I supply a digest
length of 0xffffffff, a too trusting (buggy) parser could overflow the
buffer.
total_digest_len is similarly untrusted. The attacker can send invalid
values.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list