Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ima: check return value of crypto_shash_final() in boot aggregate

The return value of crypto_shash_final() is not checked in
ima_calc_boot_aggregate_tfm(). If the hash finalization fails, the
function returns success and a corrupted boot aggregate digest could
be used for IMA measurements.

Capture the return value and propagate any error to the caller.

Fixes: 76bb28f6126f ("ima: use new crypto_shash API instead of old crypto_hash")
Signed-off-by: Daniel Hodges <hodgesd@meta.com>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

authored by Daniel Hodges and committed by Mimi Zohar
87081943 a74d7197

+1 -1
security/integrity/ima/ima_crypto.c
··· 838 838 } 839 839 } 840 840 if (!rc) 841 - crypto_shash_final(shash, digest); 841 + rc = crypto_shash_final(shash, digest); 842 842 return rc; 843 843 } 844 844
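
Review bot: at the changed line `rc = crypto_shash_final(shash, digest);`, the error now reaches the caller, but `digest` may have been partially written by the time the call fails, and nothing in the visible lines clears it or shows how the caller treats it. Please confirm that every caller of ima_calc_boot_aggregate_tfm() checks the return value before the digest is used for a measurement, since the commit message names use of a corrupted boot aggregate as the risk. If a caller ignores rc, this one-line change does not close the problem on its own. A short comment above the `if (!rc)` block stating that the digest is only valid when the function returns 0 would make that contract explicit.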