From 939ff771447a930103ac17bff3652412d82ca4f7 Mon Sep 17 00:00:00 2001
From: Huaxin Lu
Date: Thu, 5 Dec 2024 17:01:35 +0800
Subject: [PATCH] ima: Fix violation digests extending issue in virtcca

EulerOS inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IB98NJ

------------------------------

When ima processes violation measurement, the pre-allocated digest array of all 0xFF are extended. The length of array comes from the slot number of RoT. Currently the slot number of virtcca is zero if the algorithm configuration is same between ima and virtcca, which causes the NULL pointer access. This commit ensures the slot of virtcca is allocated always.

Fixes: 24ac42fb86c6 ("ima: rot: Adapt VirtCCA into Rot")
Signed-off-by: Huaxin Lu
---
 security/integrity/ima/ima_virtcca.c | 34 ++++++++++++----------------
 1 file changed, 15 insertions(+), 19 deletions(-)

diff --git a/security/integrity/ima/ima_virtcca.c b/security/integrity/ima/ima_virtcca.c
index 15f7338564b3..8af5d4b6aff1 100644
--- a/security/integrity/ima/ima_virtcca.c
+++ b/security/integrity/ima/ima_virtcca.c
@@ -38,20 +38,15 @@ int ima_virtcca_init(struct ima_rot *rot)
 if (rc)
 return rc;
 
- if (virtcca_algo != ima_hash_algo) {
- pr_info("VirtCCA's algo (%s) is different from ima_hash_algo (%s)\n",
- hash_algo_name[virtcca_algo], hash_algo_name[ima_hash_algo]);
-
- rot->allocated_banks = kcalloc(1, sizeof(*rot->allocated_banks), GFP_KERNEL);
- if (!rot->allocated_banks)
- return -ENOMEM;
-
- rot->nr_allocated_banks = 1;
- rot->allocated_banks[0].alg_id = (virtcca_algo == HASH_ALGO_SHA512) ?
- TPM_ALG_SHA512 : TPM_ALG_SHA256;
- rot->allocated_banks[0].digest_size = hash_digest_size[virtcca_algo];
- rot->allocated_banks[0].crypto_id = virtcca_algo;
- }
+ rot->allocated_banks = kcalloc(1, sizeof(*rot->allocated_banks), GFP_KERNEL);
+ if (!rot->allocated_banks)
+ return -ENOMEM;
+
+ rot->nr_allocated_banks = 1;
+ rot->allocated_banks[0].alg_id = (virtcca_algo == HASH_ALGO_SHA512) ?
+ TPM_ALG_SHA512 : TPM_ALG_SHA256;
+ rot->allocated_banks[0].digest_size = hash_digest_size[virtcca_algo];
+ rot->allocated_banks[0].crypto_id = virtcca_algo;
 
 return 0;
 }
@@ -81,15 +76,16 @@ int ima_calc_virtcca_boot_aggregate(struct ima_digest_data *hash)
 int ima_virtcca_extend(struct tpm_digest *digests_arg, const void *args)
 {
 struct virtcca_cvm_measurement_extend cme;
- int algo_idx = (virtcca_algo != ima_hash_algo) ? 0 : ima_hash_algo_idx;
 
 cme.index = CVM_IMA_SLOT_IDX;
 cme.size = hash_digest_size[virtcca_algo];
 
- if (digests_arg)
- memcpy(cme.value, digests_arg[algo_idx].digest, cme.size);
- else
- memset(cme.value, 0xff, cme.size);
+ /*
+ * virtcca has only one slot, so the algorithm of digests_arg[0] is always
+ * virtcca_algo according to the init process of ima_init_crypto() and
+ * ima_init_digets()
+ */
+ memcpy(cme.value, digests_arg[0].digest, cme.size);
 
 return tsi_measurement_extend(&cme) == TSI_SUCCESS ? 0 : -EFAULT;
 }
-- Gitee
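Review bot: In ima_virtcca_init() the bank is now set up on every init, yet `alg_id` still maps every value other than HASH_ALGO_SHA512 to TPM_ALG_SHA256 while `digest_size` and `crypto_id` follow virtcca_algo directly, so an unexpected algorithm would yield a bank whose alg_id disagrees with its digest size. Whether virtcca_algo is already restricted to those two values is decided above the hunk (the function starts outside it), so this may be covered; if not, `if (virtcca_algo != HASH_ALGO_SHA256 && virtcca_algo != HASH_ALGO_SHA512) return -EINVAL;` before the kcalloc() would make the assumption explicit. The removed pr_info() was also the only log of an algorithm mismatch between IMA and VirtCCA, which is useful when checking attestation measurements; consider keeping it as a standalone message.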
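Review bot: In ima_virtcca_extend() the new `memcpy(cme.value, digests_arg[0].digest, cme.size);` dereferences digests_arg unconditionally, while the removed code treated a NULL digests_arg as a violation and filled the value with 0xff. The commit message implies callers now always pass the pre-allocated array, but those callers are outside this hunk; if any path can still pass NULL this becomes a kernel NULL dereference in the measurement path. A guard such as `if (WARN_ON_ONCE(!digests_arg)) return -EINVAL;` before the copy would keep that failure contained. The new comment also misspells the helper, it should read `ima_init_digests()`.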