Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp909940pxb; Wed, 6 Apr 2022 04:02:04 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz0/MKbRO6cJWMjndgniMqv/wtCH1/e1kuqcs8P4nekr2KmRP8CwzwqyFXw6X/L5wvDJSC2 X-Received: by 2002:a05:6e02:1a84:b0:2ca:d62:ebf8 with SMTP id k4-20020a056e021a8400b002ca0d62ebf8mr3862343ilv.120.1649242924685; Wed, 06 Apr 2022 04:02:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649242924; cv=none; d=google.com; s=arc-20160816; b=sZO290nNj00L74aogX7KqcSp+jn5CwAPK0U7M+diYQDZCh4xHXut2mW4V2JGJJtuqr eQXnuAvGkXGB/jfeM9J5AO2lueMDtBXC3BPESRnnXHCqJVxkteSPIlxaHWHQfakl/bqX YEWICdc5uVWcEHCIJVe7L1zO9HOR19Qc9ECoGy0PfC1mEGmZPgjOZ48udNebGYZANrEh 6L/FrLlbdl25DGcSErntzyndsDHU8WmBD8oivJb9QiPI8ztEtFuUqhVfPqu2dwVJ39g6 WbxiSMIxxP6Mf9Hmyd3VhDKVMXShLBJ9YBeKtGj9hLwbCdVn9+2FL83gesml9VvT6Lho lO5g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=3Qpmf8cj9Q7C5lINfxIUDcToqbrOqwyTbbp/zFKpJ9U=; b=OaAiwVfHTvyV7RUdMd53BnPF8qrJOXVUxp71Dv31nKHSRztr3ubhvloLvzbKBS0T08 dBHpdrHvHgqg5S52gin+HslHR/JK961X3/NHj8EhAvwx7mzZVeOQfEhjEcS6klmJMNWe I37kzpd7FIHPWNx5H19iDgNlV1zwMFQDBE6f+5ybTzof/+YEOoYWb7Bt70wWiY5/IPJF vxrHxsh11/F2oz1TDw4AN/H8f0ORMzPxZHuxw1XI/HgseQIYBrCYCLSIbuD3CpBFfI7i 5MLlwERsUYLfPg6OJPypBj8FW2SZjHlXx0+3SWUd4omcozILTQ8UBzzq2Yvh+kmghSSs YaaA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=aLEMuI3p; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id w5-20020a056638138500b00323cd783b75si7515870jad.87.2022.04.06.04.02.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Apr 2022 04:02:04 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=aLEMuI3p; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id A8A0B5B5E61; Wed, 6 Apr 2022 02:25:09 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1843654AbiDFBlo (ORCPT + 99 others); Tue, 5 Apr 2022 21:41:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34650 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1573509AbiDETNz (ORCPT ); Tue, 5 Apr 2022 15:13:55 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CC3E9E885A; Tue, 5 Apr 2022 12:11:53 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 8530EB81FA2; Tue, 5 Apr 2022 19:11:52 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 31D2AC385A3; Tue, 5 Apr 2022 19:11:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1649185911; bh=iqDVStRGWXOC77cY1v8kziYHdtofJiyJcwhxPZyHrbc=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=aLEMuI3pesvK6tTddYPd7tLH6xqK53mL9EL/1QzdSFFDsK5N4EdY1LIVnfurkf8d7 BkJukhkF+kv3CQ9PLpfN0qAU8pzWM70ZdrXidS0aNhBClngiuWHJ6I85GU1hdi0WWt hBywYF1O/c5L3zhHAviInVrbXd4/whLDJq1cHeys+Qjci7C4+joCjfJVDMLCoZVb6U m3S0dz+1WlxZPW2eV/Tquo7WTkLeF9z0icfXGEGHZZplTblFgpq0JH2mU1DGI8ODlv DgUgy8TTUHhhkuiXA4mhefyvy1PTrAVpVUtCBg8USciqeKb99t7MjokKbT6OPx0+V+ VYUwwgit8OhpQ== Date: Tue, 5 Apr 2022 19:11:48 +0000 From: Eric Biggers To: Mimi Zohar Cc: linux-integrity@vger.kernel.org, Stefan Berger , linux-fscrypt@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v7 2/5] ima: define a new template field named 'd-ngv2' and templates Message-ID: References: <20220325223824.310119-1-zohar@linux.ibm.com> <20220325223824.310119-3-zohar@linux.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220325223824.310119-3-zohar@linux.ibm.com> X-Spam-Status: No, score=-2.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Mar 25, 2022 at 06:38:21PM -0400, Mimi Zohar wrote: > static int ima_eventdigest_init_common(const u8 *digest, u32 digestsize, > - u8 hash_algo, > + u8 digest_type, u8 hash_algo, > struct ima_field_data *field_data) > { > /* > * digest formats: > * - DATA_FMT_DIGEST: digest > * - DATA_FMT_DIGEST_WITH_ALGO: [] + ':' + '\0' + digest, > + * - DATA_FMT_DIGEST_WITH_TYPE_AND_ALGO: > + * [ + ':' + ] + ':' + '\0' + digest, > + * where is either "ima" or "verity", > * where is provided if the hash algorithm is not > * SHA1 or MD5 This says both "hash type" and "digest type". It should be one or the other. The square brackets are meant to indicate that the part within it is optional, right? Are they in the right place? I don't see how this matches the code. There is also no explanation for why or when is optional with DATA_FMT_DIGEST_WITH_TYPE_AND_ALGO. > + if (digest_type < DIGEST_TYPE__LAST && hash_algo < HASH_ALGO__LAST) { > + fmt = DATA_FMT_DIGEST_WITH_TYPE_AND_ALGO; > + offset += snprintf(buffer, DIGEST_TYPE_NAME_LEN_MAX + > + CRYPTO_MAX_ALG_NAME + 1, "%*s:%s", > + (int)strlen(digest_type_name[digest_type]), > + digest_type_name[digest_type], > hash_algo_name[hash_algo]); > buffer[offset] = ':'; > offset += 2; There's no need to use %*s if the length argument is just going to be strlen(). It should just use %s. Also, this is not correct use of snprintf(), given that the string is unconditionally appended to at the offset which snprintf() returns. So it is not providing buffer overflow protection. It might as well just be: offset += 1 + sprintf(buffer, "%s:%s:", digest_type_name[digest_type], hash_algo_name[hash_algo]); and likewise for the other case: offset += 1 + sprintf(buffer, "%s:", hash_algo_name[hash_algo]); > +/* > + * This function writes the digest of an event (without size limit), > + * prefixed with both the hash type and algorithm. > + */ > +int ima_eventdigest_ngv2_init(struct ima_event_data *event_data, > + struct ima_field_data *field_data) > +{ > + u8 *cur_digest = NULL, hash_algo = HASH_ALGO_SHA1; Why is this defaulting to SHA-1? - Eric