[PATCH] ima: Fix potential NULL pointer access in ima_match_rules()

Mimi Zohar zohar at linux.ibm.com
Wed Mar 15 00:17:02 UTC 2023


On Tue, 2023-03-14 at 21:03 +0300, Roman Danilov wrote:
> In ima_match_rules(), when ima_lsm_copy_rule() fails, NULL pointer
> is assigned to lsm_rule. After that, in the next step of the loop
> NULL pointer is dereferenced in lsm_rule->lsm[i].rule.

I must be missing something.  The next step of the loop tests
whether rule_reinitialized is set before accessing
lsm_rule->lsm[i].rule.

> 
> Since ima_match_rules() is not designed to return an error code,
> add __GFP_NOFAIL to make sure memory allocation succeeds.

Using __GFP_NOFAIL here would be safer.

> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
> Signed-off-by: Roman Danilov <romanosauce57 at gmail.com>
> Reviewed-by: Alexey Khoroshilov <khoroshilov at ispras.ru>

-- 
thanks,

Mimi
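The retry pattern under discussion, modeled in plain userspace C as an added example. This is not the kernel's ima_match_rules() and makes no claim about what the kernel code does; the names lsm_rule, rule_reinitialized and -ESTALE are borrowed only for readability, and the allocator knob copy_budget, the model_* functions and the run_scenario() helper are constructed for the example. It shows a loop that, on a stale result, re-creates the rule and retries once, and that handles the re-creation failing without ever dereferencing a NULL copy.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed userspace model of the retry pattern discussed above.
 * This is NOT the kernel's ima_match_rules(); names that echo it
 * (lsm_rule, rule_reinitialized, -ESTALE) are kept for readability. */

#define MAX_LSM_RULES 3

struct lsm_entry {
    const char *rule;  /* "compiled" LSM rule, NULL when the entry is unused */
    bool stale;        /* constructed: the LSM would report -ESTALE for it */
};

struct ima_rule {
    struct lsm_entry lsm[MAX_LSM_RULES];
};

/* Constructed allocator knob: number of copies allowed before the
 * simulated allocator fails, so a test can drive both branches. */
static int copy_budget;

/* Model of re-creating the LSM rules: returns a fresh, non-stale copy,
 * or NULL when the simulated allocation fails. */
static struct ima_rule *model_copy_rule(const struct ima_rule *src)
{
    if (copy_budget <= 0)
        return NULL;
    copy_budget--;
    struct ima_rule *dst = malloc(sizeof(*dst));
    if (!dst)
        return NULL;
    memcpy(dst, src, sizeof(*dst));
    for (int i = 0; i < MAX_LSM_RULES; i++)
        dst->lsm[i].stale = false;
    return dst;
}

/* Model of the per-entry match: 1 = match, 0 = no match, -ESTALE = stale. */
static int model_rule_match(const struct lsm_entry *e)
{
    if (e->stale)
        return -ESTALE;
    return strcmp(e->rule, "match") == 0 ? 1 : 0;
}

/* Returns 1 if all configured entries match, 0 if any does not match or
 * the stale rule could not be re-created.  When model_copy_rule() fails,
 * lsm_rule is left pointing at the original rule instead of NULL, and
 * the stale result is treated as a non-match. */
static int model_match_rules(struct ima_rule *rule)
{
    struct ima_rule *lsm_rule = rule;
    bool rule_reinitialized = false;
    int result = 1;

    for (int i = 0; i < MAX_LSM_RULES; i++) {
        int rc;

        if (!lsm_rule->lsm[i].rule)
            continue;
retry:
        rc = model_rule_match(&lsm_rule->lsm[i]);
        if (rc == -ESTALE && !rule_reinitialized) {
            struct ima_rule *fresh = model_copy_rule(rule);
            if (fresh) {
                lsm_rule = fresh;
                rule_reinitialized = true;
                goto retry;
            }
            /* Copy failed: do not replace lsm_rule with NULL; fall through. */
        }
        if (rc != 1) {
            result = 0;
            break;
        }
    }
    if (rule_reinitialized)
        free(lsm_rule);
    return result;
}

/* Constructed scenario: one stale entry, one plain entry, one unused. */
static int run_scenario(int copies_allowed)
{
    struct ima_rule rule = {
        .lsm = {
            { .rule = "match", .stale = true  },
            { .rule = "match", .stale = false },
            { .rule = NULL,    .stale = false },
        },
    };
    copy_budget = copies_allowed;
    return model_match_rules(&rule);
}
```

run_scenario() exercises both branches: with one copy allowed the stale entry is re-created and matches on retry; with none allowed the failed copy leaves lsm_rule pointing at the original rule and the stale entry is reported as a non-match. Allocating with __GFP_NOFAIL, as the reply suggests, removes the failing branch altogether, since the allocator keeps retrying instead of returning NULL.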