[PATCH v13 7/9] ima: verify if the segment size has changed
Stefan Berger
stefanb at linux.ibm.com
Tue Apr 29 18:19:46 UTC 2025
On 4/21/25 6:25 PM, steven chen wrote:
> From: Steven Chen <chenste at linux.microsoft.com>
>
> kexec 'load' may be called multiple times. Free and realloc the buffer
> only if the segment_size is changed from the previous kexec 'load' call.
>
> Signed-off-by: Steven Chen <chenste at linux.microsoft.com>
> Acked-by: Baoquan He <bhe at redhat.com>
> Reviewed-by: Mimi Zohar <zohar at linux.ibm.com>
> ---
> security/integrity/ima/ima_kexec.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
> index 5c3b3e0b2186..ed867734ee70 100644
> --- a/security/integrity/ima/ima_kexec.c
> +++ b/security/integrity/ima/ima_kexec.c
> @@ -33,6 +33,14 @@ static void ima_free_kexec_file_buf(struct seq_file *sf)
>
> static int ima_alloc_kexec_file_buf(size_t segment_size)
> {
> + /*
> + * kexec 'load' may be called multiple times.
> + * Free and realloc the buffer only if the segment_size is
> + * changed from the previous kexec 'load' call.
> + */
> + if (ima_kexec_file.buf && ima_kexec_file.size == segment_size)
> + goto out;
> +
> ima_free_kexec_file_buf(&ima_kexec_file);
>
> /* segment size can't change between kexec load and execute */
> @@ -41,6 +49,8 @@ static int ima_alloc_kexec_file_buf(size_t segment_size)
> return -ENOMEM;
>
> ima_kexec_file.size = segment_size;
> +
> +out:
> ima_kexec_file.read_pos = 0;
> ima_kexec_file.count = sizeof(struct ima_kexec_hdr); /* reserved space */
>
Reviewed-by: Stefan Berger <stefanb at linux.ibm.com>
More information about the Linux-security-module-archive
mailing list