Re: [Linux-ima-devel] [PATCH 0/7] IMA: new parser for ima_restore_measurement_list()

From: Ken Goldman
Date: Tue May 23 2017 - 17:15:39 EST

Next message: Greg Kroah-Hartman: "[PATCH 3.18 17/59] pid_ns: Sleep in TASK_INTERRUPTIBLE in zap_pid_ns_processes"
Previous message: Greg Kroah-Hartman: "[PATCH 3.18 20/59] usb: host: xhci-plat: propagate return value of platform_get_irq()"
In reply to: Ken Goldman: "Re: [Linux-ima-devel] [PATCH 0/7] IMA: new parser for ima_restore_measurement_list()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 5/18/2017 5:38 AM, Roberto Sassu wrote:

There cannot be buffer overflow, because the length of each digest
field is known.

Crypto Agile: pcr[4] total_digest_len[4]
digest1_len[4] digest1[digest1_len] ...

The way I read this, the digest length is supplied by the caller, which is slightly different from "known". For example, if I supply a digest length of 0xffffffff, a too trusting (buggy) parser could overflow the buffer.

total_digest_len is similarly untrusted. The attacker can send invalid values.

Next message: Greg Kroah-Hartman: "[PATCH 3.18 17/59] pid_ns: Sleep in TASK_INTERRUPTIBLE in zap_pid_ns_processes"
Previous message: Greg Kroah-Hartman: "[PATCH 3.18 20/59] usb: host: xhci-plat: propagate return value of platform_get_irq()"
In reply to: Ken Goldman: "Re: [Linux-ima-devel] [PATCH 0/7] IMA: new parser for ima_restore_measurement_list()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]