ima: Fix a potential integer overflow in ima_appraise_measurement

Huaxin Lu · mimizohar · commit d2ee2cfc4aa8 · 2022-07-07T11:50:25.000-04:00
When the ima-modsig is enabled, the rc passed to evm_verifyxattr() may be negative, which may cause the integer overflow problem. Fixes: 39b0709 ("ima: Implement support for module-style appended signatures") Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
@@ -514,7 +514,8 @@ int ima_appraise_measurement(enum ima_hooks func,
 		goto out;
 	}
 
-	status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
+	status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value,
+				 rc < 0 ? 0 : rc, iint);
 	switch (status) {
 	case INTEGRITY_PASS:
 	case INTEGRITY_PASS_IMMUTABLE:

Original file line number	Diff line number	Diff line change
`@@ -514,7 +514,8 @@ int ima_appraise_measurement(enum ima_hooks func,`
`514`	`514`	`goto out;`
`515`	`515`	`}`
`516`	`516`
`517`		`- status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);`
	`517`	`+ status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value,`
	`518`	`+ rc < 0 ? 0 : rc, iint);`
`518`	`519`	`switch (status) {`
`519`	`520`	`case INTEGRITY_PASS:`
`520`	`521`	`case INTEGRITY_PASS_IMMUTABLE:`