Re: [PATCH] ima: Fix potential NULL pointer access in ima_match_rules()

From: Mimi Zohar
Date: Tue Mar 14 2023 - 20:17:56 EST


On Tue, 2023-03-14 at 21:03 +0300, Roman Danilov wrote:
> In ima_match_rules(), when ima_lsm_copy_rule() fails, NULL pointer
> is assigned to lsm_rule. After that, in the next step of the loop
> NULL pointer is dereferenced in lsm_rule->lsm[i].rule.

I must be missing something. The next step of the loop tests
whether rule_reinitialized is set before accessing
lsm_rule->lsm[i].rule.

>
> As far as ima_match_rules() is not designed to return error code,
> add __GFP_NOFAIL to make sure memory allocation succeeds.

Using __GFP_NOFAIL here would be safer.

>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
> Signed-off-by: Roman Danilov <romanosauce57@xxxxxxxxx>
> Reviewed-by: Alexey Khoroshilov <khoroshilov@xxxxxxxxx>

--
thanks,

Mimi