releases/3.0.18/ima-fix-invalid-memory-reference.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 7b7e5916aa2f46e57f8bd8cb89c34620ebfda5da Mon Sep 17 00:00:00 2001
 From: Roberto Sassu <roberto.sassu@polito.it>
 Date: Mon, 19 Dec 2011 15:57:28 +0100
 Subject: ima: fix invalid memory reference

 From: Roberto Sassu <roberto.sassu@polito.it>

 commit 7b7e5916aa2f46e57f8bd8cb89c34620ebfda5da upstream.

 Don't free a valid measurement entry on TPM PCR extend failure.

 Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
 Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

 ---
  security/integrity/ima/ima_queue.c |   16 +++++++++++-----
  1 file changed, 11 insertions(+), 5 deletions(-)

 --- a/security/integrity/ima/ima_queue.c
 +++ b/security/integrity/ima/ima_queue.c
 @@ -23,6 +23,8 @@
  #include <linux/slab.h>
  #include "ima.h"

 +#define AUDIT_CAUSE_LEN_MAX 32
 +
  LIST_HEAD(ima_measurements);	/* list of all measurements */

  /* key: inode (before secure-hashing a file) */
 @@ -94,7 +96,8 @@ static int ima_pcr_extend(const u8 *hash

  	result = tpm_pcr_extend(TPM_ANY_NUM, CONFIG_IMA_MEASURE_PCR_IDX, hash);
  	if (result != 0)
 -		pr_err("IMA: Error Communicating to TPM chip\n");
 +		pr_err("IMA: Error Communicating to TPM chip, result: %d\n",
 +		       result);
  	return result;
  }

 @@ -106,8 +109,9 @@ int ima_add_template_entry(struct ima_te
  {
  	u8 digest[IMA_DIGEST_SIZE];
  	const char *audit_cause = "hash_added";
 +	char tpm_audit_cause[AUDIT_CAUSE_LEN_MAX];
  	int audit_info = 1;
 -	int result = 0;
 +	int result = 0, tpmresult = 0;

  	mutex_lock(&ima_extend_list_mutex);
  	if (!violation) {
 @@ -129,9 +133,11 @@ int ima_add_template_entry(struct ima_te
  	if (violation)		/* invalidate pcr */
  		memset(digest, 0xff, sizeof digest);

 -	result = ima_pcr_extend(digest);
 -	if (result != 0) {
 -		audit_cause = "TPM error";
 +	tpmresult = ima_pcr_extend(digest);
 +	if (tpmresult != 0) {
 +		snprintf(tpm_audit_cause, AUDIT_CAUSE_LEN_MAX, "TPM_error(%d)",
 +			 tpmresult);
 +		audit_cause = tpm_audit_cause;
  		audit_info = 0;
  	}
  out:
	From 7b7e5916aa2f46e57f8bd8cb89c34620ebfda5da Mon Sep 17 00:00:00 2001
	From: Roberto Sassu <roberto.sassu@polito.it>
	Date: Mon, 19 Dec 2011 15:57:28 +0100
	Subject: ima: fix invalid memory reference

	From: Roberto Sassu <roberto.sassu@polito.it>

	commit 7b7e5916aa2f46e57f8bd8cb89c34620ebfda5da upstream.

	Don't free a valid measurement entry on TPM PCR extend failure.

	Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
	Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

	---
	security/integrity/ima/ima_queue.c \| 16 +++++++++++-----
	1 file changed, 11 insertions(+), 5 deletions(-)

	--- a/security/integrity/ima/ima_queue.c
	+++ b/security/integrity/ima/ima_queue.c
	@@ -23,6 +23,8 @@
	#include <linux/slab.h>
	#include "ima.h"

	+#define AUDIT_CAUSE_LEN_MAX 32
	+
	LIST_HEAD(ima_measurements); /* list of all measurements */

	/* key: inode (before secure-hashing a file) */
	@@ -94,7 +96,8 @@ static int ima_pcr_extend(const u8 *hash

	result = tpm_pcr_extend(TPM_ANY_NUM, CONFIG_IMA_MEASURE_PCR_IDX, hash);
	if (result != 0)
	- pr_err("IMA: Error Communicating to TPM chip\n");
	+ pr_err("IMA: Error Communicating to TPM chip, result: %d\n",
	+ result);
	return result;
	}

	@@ -106,8 +109,9 @@ int ima_add_template_entry(struct ima_te
	{
	u8 digest[IMA_DIGEST_SIZE];
	const char *audit_cause = "hash_added";
	+ char tpm_audit_cause[AUDIT_CAUSE_LEN_MAX];
	int audit_info = 1;
	- int result = 0;
	+ int result = 0, tpmresult = 0;

	mutex_lock(&ima_extend_list_mutex);
	if (!violation) {
	@@ -129,9 +133,11 @@ int ima_add_template_entry(struct ima_te
	if (violation) /* invalidate pcr */
	memset(digest, 0xff, sizeof digest);

	- result = ima_pcr_extend(digest);
	- if (result != 0) {
	- audit_cause = "TPM error";
	+ tpmresult = ima_pcr_extend(digest);
	+ if (tpmresult != 0) {
	+ snprintf(tpm_audit_cause, AUDIT_CAUSE_LEN_MAX, "TPM_error(%d)",
	+ tpmresult);
	+ audit_cause = tpm_audit_cause;
	audit_info = 0;
	}
	out: