ima: fix buffer overrun in ima_eventdigest_init_common

Function ima_eventdigest_init() calls ima_eventdigest_init_common()
with HASH_ALGO__LAST which is then used to access the array
hash_digest_size[] leading to buffer overrun. Have a conditional
statement to handle this.

Fixes: 9fab303a2cb3 ("ima: fix violation measurement list record")
Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
Tested-by: Enrico Bravi (PhD at polito.it) <enrico.bravi@huawei.com>
Cc: stable@vger.kernel.org # 5.19+
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
index 4183956c53af49061d03882537dd4a2d058b4d2e..0e627eac9c33bb39cb372e5751f4bf63d2e06da9 100644 (file)
--- a/security/integrity/ima/ima_template_lib.c
+++ b/security/integrity/ima/ima_template_lib.c
@@ -318,15 +318,21 @@ static int ima_eventdigest_init_common(const u8 *digest, u32 digestsize,
                                      hash_algo_name[hash_algo]);
        }
 
-       if (digest)
+       if (digest) {
                memcpy(buffer + offset, digest, digestsize);
-       else
+       } else {
                /*
                 * If digest is NULL, the event being recorded is a violation.
                 * Make room for the digest by increasing the offset by the
-                * hash algorithm digest size.
+                * hash algorithm digest size. If the hash algorithm is not
+                * specified increase the offset by IMA_DIGEST_SIZE which
+                * fits SHA1 or MD5
                 */
-               offset += hash_digest_size[hash_algo];
+               if (hash_algo < HASH_ALGO__LAST)
+                       offset += hash_digest_size[hash_algo];
+               else
+                       offset += IMA_DIGEST_SIZE;
+       }
 
        return ima_write_template_field_data(buffer, offset + digestsize,
                                             fmt, field_data);