Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp931217yba;
        Thu, 16 May 2019 11:11:10 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzQdhn8eJ9wvjffibnJh84+noNTvTzSKe9oljc8cu9VcAyVfh98seEPkQ1rfYaP88ghh9h2
X-Received: by 2002:a17:902:158b:: with SMTP id m11mr10283127pla.268.1558030270168;
        Thu, 16 May 2019 11:11:10 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1558030270; cv=none;
        d=google.com; s=arc-20160816;
        b=R+zVEP2Jp9YdbuviiStIUPWVDVU3cJ5x1AH94vhz5/iqk15L8viNclQNPDkUI2pqYc
         Ms6U7ozVmQBhcDCyM+HijdSrQVzxv9WiTKPVzq5WTSz+1/yRnBv94VJHNLYW5N3oQqvR
         MXruOUXnOPzt5ycT/348Yb1RcfAX7o3avjIThGIZDAqfPtX4olkwg2S0s8uuHtQC+rnY
         w1DGC+3OztOF+jJyX2yprI8eXMgjdBEKKHjj3LBfCdygCiQC+AE60MdQgfNebWyBoFpv
         TfVUoUOObGf0RI4PQCn9jCw4l+gxaEySkuwnhmRurvzi5splEoq1D6/I6d1fNvkfDpzX
         4MIw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:message-id:date:subject:cc
         :to:from;
        bh=Y+56xqSSO+HeRy2haPFni8RNqhcTmFBhMt+Le95Dg2o=;
        b=MiM6Z6LvIpgS857iHQmoKWqdbzh7o8fO9fOCDSADSXDqeZDrui7Ipm2sNi87j+iQ9E
         nIW06VbnKVbz5mOwV8Kkc1xoL7GoPw1seUKN35C3r8RIgIwDkmSH6TN2CPGoc3Ie4J3B
         L1WIQpw+dawY/gEtg2OzO43shICp2xI7uY6SA+n677xn2bI9s+xWoNoAWB/a3LMxRT/A
         Vq/hzyyIjXdlqe0SR2XjjRtKK3RIAdjO2EJyVY+zWPumWWs0SnXL7sN8qEqg1WF99dmh
         WUsbPptO6A2cvIUrDL72Q+OgkSzjg50VdhDVn89SvfgWd0yefBjYoW9kHt1OZ6FyhD9M
         aRPw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id j38si5484699plb.308.2019.05.16.11.10.51;
        Thu, 16 May 2019 11:11:10 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726827AbfEPQRd (ORCPT <rfc822;ttoukan.linux@gmail.com>
        + 99 others); Thu, 16 May 2019 12:17:33 -0400
Received: from lhrrgout.huawei.com ([185.176.76.210]:32945 "EHLO huawei.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1726369AbfEPQRc (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 16 May 2019 12:17:32 -0400
Received: from LHREML713-CAH.china.huawei.com (unknown [172.18.7.106])
        by Forcepoint Email with ESMTP id 15D88A774FA91AD2A6E8;
        Thu, 16 May 2019 17:17:31 +0100 (IST)
Received: from roberto-HP-EliteDesk-800-G2-DM-65W.huawei.com (10.204.65.154)
 by smtpsuk.huawei.com (10.201.108.36) with Microsoft SMTP Server (TLS) id
 14.3.408.0; Thu, 16 May 2019 17:17:21 +0100
From:   Roberto Sassu <roberto.sassu@huawei.com>
To:     <zohar@linux.ibm.com>, <dmitry.kasatkin@huawei.com>,
        <mjg59@google.com>
CC:     <linux-integrity@vger.kernel.org>, <linux-doc@vger.kernel.org>,
        <linux-security-module@vger.kernel.org>,
        <linux-kernel@vger.kernel.org>, <silviu.vlasceanu@huawei.com>,
        Roberto Sassu <roberto.sassu@huawei.com>,
        <stable@vger.kernel.org>
Subject: [PATCH 1/4] evm: check hash algorithm passed to init_desc()
Date:   Thu, 16 May 2019 18:12:54 +0200
Message-ID: <20190516161257.6640-1-roberto.sassu@huawei.com>
X-Mailer: git-send-email 2.17.1
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [10.204.65.154]
X-CFilter-Loop: Reflected
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

This patch prevents memory access beyond the evm_tfm array by checking the
validity of the index (hash algorithm) passed to init_desc(). The hash
algorithm can be arbitrarily set if the security.ima xattr type is not
EVM_XATTR_HMAC.

Fixes: 5feeb61183dde ("evm: Allow non-SHA1 digital signatures")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Cc: stable@vger.kernel.org
---
 security/integrity/evm/evm_crypto.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index e11564eb645b..82a38e801ee4 100644
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -89,6 +89,9 @@ static struct shash_desc *init_desc(char type, uint8_t hash_algo)
 		tfm = &hmac_tfm;
 		algo = evm_hmac;
 	} else {
+		if (hash_algo >= HASH_ALGO__LAST)
+			return ERR_PTR(-EINVAL);
+
 		tfm = &evm_tfm[hash_algo];
 		algo = hash_algo_name[hash_algo];
 	}
-- 
2.17.1