[PATCH] ima: check return value of crypto_shash_final() in boot aggregate
Mimi Zohar
zohar at linux.ibm.com
Mon Mar 9 15:03:16 UTC 2026
On Sat, 2026-01-31 at 18:40 -0800, Daniel Hodges wrote:
> The return value of crypto_shash_final() is not checked in
> ima_calc_boot_aggregate_tfm(). If the hash finalization fails, the
> function returns success and a corrupted boot aggregate digest could
> be used for IMA measurements.
>
> Capture the return value and propagate any error to the caller.
>
> Fixes: 76bb28f6126f ("ima: use new crypto_shash API instead of old crypto_hash")
> Signed-off-by: Daniel Hodges <hodgesd at meta.com>
Thanks, Daniel. The patch is now queued.
Mimi