RE: [ima] 9165b814d2: BUG:kernel_NULL_pointer_dereference,address
From: Roberto Sassu
Date: Mon Mar 02 2020 - 04:46:31 EST
> -----Original Message-----
> From: kernel test robot [mailto:rong.a.chen@xxxxxxxxx]
> Sent: Monday, March 2, 2020 2:22 AM
> To: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> Cc: zohar@xxxxxxxxxxxxx; James.Bottomley@xxxxxxxxxxxxxxxxxxxxx;
> jarkko.sakkinen@xxxxxxxxxxxxxxx; linux-integrity@xxxxxxxxxxxxxxx; linux-
> security-module@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; Silviu
> Vlasceanu <Silviu.Vlasceanu@xxxxxxxxxx>; Roberto Sassu
> <roberto.sassu@xxxxxxxxxx>; lkp@xxxxxxxxxxxx
> Subject: [ima] 9165b814d2:
> BUG:kernel_NULL_pointer_dereference,address
>
> FYI, we noticed the following commit (built with gcc-7):
>
> commit: 9165b814d2bea8cfeb557505bb206396331e8192 ("[PATCH v2 8/8]
> ima: Use ima_hash_algo for collision detection in the measurement list")
> url: https://github.com/0day-ci/linux/commits/Roberto-Sassu/ima-support-
> stronger-algorithms-for-attestation/20200205-233901
> base: https://git.kernel.org/cgit/linux/kernel/git/zohar/linux-integrity.git
> next-integrity
Hi
thanks for the report.
Yes, version 2 had a bug:
---
ima_algo_array[i++].algo = HASH_ALGO_SHA1;
}
if (ima_hash_algo_idx >= nr_allocated_banks) {
ima_algo_array[i].tfm = ima_shash_tfm;
ima_algo_array[i].algo = ima_hash_algo;
}
---
The code allocated ima_algo_array with size 1 (TPM was not found and
the default algorithm is SHA1).
However, later it initializes ima_algo_array for SHA1 and increments the
i variable. Since the code does not check if the default algorithm is SHA1,
the last part is also executed and causes corruption, because ima_algo_array
has only one element.
I fixed already this bug in version 3 of the patch set.
Thanks
Roberto
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli