aboutsummaryrefslogtreecommitdiff
path: root/lib/debugobjects.c
diff options
context:
space:
mode:
authorKP Singh <[email protected]>2020-09-16 18:02:42 +0000
committerMimi Zohar <[email protected]>2020-09-16 17:43:02 -0400
commitaa662fc04f5b290b3979332588bf8d812b189962 (patch)
treeee5e4656b08d7dab69b6efe7a36c36b567735aa5 /lib/debugobjects.c
parent455b6c9112eff8d249e32ba165742085678a80a4 (diff)
ima: Fix NULL pointer dereference in ima_file_hash
ima_file_hash can be called when there is no iint->ima_hash available even though the inode exists in the integrity cache. It is fairly common for a file to not have a hash. (e.g. an mknodat, prior to the file being closed). Another example where this can happen (suggested by Jann Horn): Process A does: while(1) { unlink("/tmp/imafoo"); fd = open("/tmp/imafoo", O_RDWR|O_CREAT|O_TRUNC, 0700); if (fd == -1) { perror("open"); continue; } write(fd, "A", 1); close(fd); } and Process B does: while (1) { int fd = open("/tmp/imafoo", O_RDONLY); if (fd == -1) continue; char *mapping = mmap(NULL, 0x1000, PROT_READ|PROT_EXEC, MAP_PRIVATE, fd, 0); if (mapping != MAP_FAILED) munmap(mapping, 0x1000); close(fd); } Due to the race to get the iint->mutex between ima_file_hash and process_measurement iint->ima_hash could still be NULL. Fixes: 6beea7afcc72 ("ima: add the ability to query the cached hash of a given file") Signed-off-by: KP Singh <[email protected]> Reviewed-by: Florent Revest <[email protected]> Signed-off-by: Mimi Zohar <[email protected]>
Diffstat (limited to 'lib/debugobjects.c')
0 files changed, 0 insertions, 0 deletions