[ima] 9165b814d2: BUG:kernel_NULL_pointer_dereference,address

[Roberto Sassu]

> -----Original Message-----
> From: kernel test robot [mailto:rong.a.chen at intel.com]
> Sent: Monday, March 2, 2020 2:22 AM
> To: Roberto Sassu <roberto.sassu at huawei.com>
> Cc: zohar at linux.ibm.com; James.Bottomley at HansenPartnership.com;
> jarkko.sakkinen at linux.intel.com; linux-integrity at vger.kernel.org; linux-
> security-module at vger.kernel.org; linux-kernel at vger.kernel.org; Silviu
> Vlasceanu <Silviu.Vlasceanu at huawei.com>; Roberto Sassu
> <roberto.sassu at huawei.com>; lkp at lists.01.org
> Subject: [ima] 9165b814d2:
> BUG:kernel_NULL_pointer_dereference,address
> 
> FYI, we noticed the following commit (built with gcc-7):
> 
> commit: 9165b814d2bea8cfeb557505bb206396331e8192 ("[PATCH v2 8/8]
> ima: Use ima_hash_algo for collision detection in the measurement list")
> url: https://github.com/0day-ci/linux/commits/Roberto-Sassu/ima-support-
> stronger-algorithms-for-attestation/20200205-233901
> base: https://git.kernel.org/cgit/linux/kernel/git/zohar/linux-integrity.git
> next-integrity

Hi

thanks for the report.

Yes, version 2 had a bug:

---
		ima_algo_array[i++].algo = HASH_ALGO_SHA1;
	}

	if (ima_hash_algo_idx >= nr_allocated_banks) {
		ima_algo_array[i].tfm = ima_shash_tfm;
		ima_algo_array[i].algo = ima_hash_algo;
	}
---

The code allocated ima_algo_array with size 1 (TPM was not found and
the default algorithm is SHA1).

However, later it initializes ima_algo_array for SHA1 and increments the
i variable. Since the code does not check if the default algorithm is SHA1,
the last part is also executed and causes corruption, because ima_algo_array
has only one element.

I fixed already this bug in version 3 of the patch set.

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli