Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ima: Add __counted_by for struct modsig and use struct_size()

Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time via CONFIG_UBSAN_BOUNDS (for
array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).

Also, relocate `hdr->raw_pkcs7_len = sig_len;` so that the __counted_by
annotation has effect, and flex-array member `raw_pkcs7` can be properly
bounds-checked at run-time.

While there, use struct_size() helper, instead of the open-coded
version, to calculate the size for the allocation of the whole
flexible structure, including of course, the flexible-array member.

This code was found with the help of Coccinelle, and audited and
fixed manually.

Signed-off-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/ZSRaDcJNARUUWUwS@work
Signed-off-by: Kees Cook <keescook@chromium.org>

authored by Gustavo A. R. Silva and committed by Kees Cook
68a8f644 8d7af820

+3 -3
security/integrity/ima/ima_modsig.c
··· 29 29 * storing the signature. 30 30 */ 31 31 int raw_pkcs7_len; 32 - u8 raw_pkcs7[]; 32 + u8 raw_pkcs7[] __counted_by(raw_pkcs7_len); 33 33 }; 34 34 35 35 /* ··· 65 65 buf_len -= sig_len + sizeof(*sig); 66 66 67 67 /* Allocate sig_len additional bytes to hold the raw PKCS#7 data. */ 68 - hdr = kzalloc(sizeof(*hdr) + sig_len, GFP_KERNEL); 68 + hdr = kzalloc(struct_size(hdr, raw_pkcs7, sig_len), GFP_KERNEL); 69 69 if (!hdr) 70 70 return -ENOMEM; 71 71 72 + hdr->raw_pkcs7_len = sig_len; 72 73 hdr->pkcs7_msg = pkcs7_parse_message(buf + buf_len, sig_len); 73 74 if (IS_ERR(hdr->pkcs7_msg)) { 74 75 rc = PTR_ERR(hdr->pkcs7_msg); ··· 78 77 } 79 78 80 79 memcpy(hdr->raw_pkcs7, buf + buf_len, sig_len); 81 - hdr->raw_pkcs7_len = sig_len; 82 80 83 81 /* We don't know the hash algorithm yet. */ 84 82 hdr->hash_algo = HASH_ALGO__LAST;
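
Review bot: in the struct hunk, the counter named by `__counted_by(raw_pkcs7_len)` is declared as `int raw_pkcs7_len;`, a signed type, while the allocation in the following hunk hands `sig_len` to struct_size() as the element count. Consider an unsigned type for the field (size_t, for example) so that the value stored as the run-time bound can never be negative or differ from the count the buffer was sized with. If the signed type has to stay because of other users of the field, a short comment next to the annotation saying so would help.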
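
Review bot: the relocated `hdr->raw_pkcs7_len = sig_len;` now sits between the `if (!hdr)` check and pkcs7_parse_message(), and nothing in the code says why that order matters. A one-line comment there stating that the count must be set before the first access to raw_pkcs7 (the memcpy() further down) would keep a later cleanup from moving the assignment back below the copy, where the memcpy() would be checked against the zero count left by kzalloc() once bounds checking is enabled. It is also worth confirming that the error path taken when pkcs7_parse_message() fails does not depend on raw_pkcs7_len, since the field is now already set on that path, whereas before it was still zero.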