[PATCH v12 7/9] ima: verify if the segment size has changed

From: steven chen
Date: Tue Apr 15 2025 - 22:12:31 EST


From: Steven Chen <chenste@xxxxxxxxxxxxxxxxxxx>

kexec 'load' may be called multiple times. Free and realloc the buffer
only if the segment_size is changed from the previous kexec 'load' call.

Signed-off-by: Steven Chen <chenste@xxxxxxxxxxxxxxxxxxx>
Acked-by: Baoquan He <bhe@xxxxxxxxxx>
Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
---
security/integrity/ima/ima_kexec.c | 10 ++++++++++
1 file changed, 10 insertions(+)

diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
index 5c3b3e0b2186..ed867734ee70 100644
--- a/security/integrity/ima/ima_kexec.c
+++ b/security/integrity/ima/ima_kexec.c
@@ -33,6 +33,14 @@ static void ima_free_kexec_file_buf(struct seq_file *sf)

static int ima_alloc_kexec_file_buf(size_t segment_size)
{
+ /*
+ * kexec 'load' may be called multiple times.
+ * Free and realloc the buffer only if the segment_size is
+ * changed from the previous kexec 'load' call.
+ */
+ if (ima_kexec_file.buf && ima_kexec_file.size == segment_size)
+ goto out;
+
ima_free_kexec_file_buf(&ima_kexec_file);

/* segment size can't change between kexec load and execute */
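Review bot: the early `goto out` on the `ima_kexec_file.buf && ima_kexec_file.size == segment_size` path reuses the previous buffer without clearing it, so the measurement list copied in by the earlier kexec 'load' stays in the buffer until it is overwritten; that is safe only if every caller rewrites the contents from the reserved header onward after this function returns, so it is worth saying so explicitly in the new comment (e.g. "The buffer is reused as-is; its contents are rewritten from the header onward on every load"). Separately, the pre-existing comment "segment size can't change between kexec load and execute" now sits directly under code that handles the size changing between two load calls; rewording it to "between a kexec load and the matching execute" would avoid the apparent contradiction for the next reader.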
@@ -41,6 +49,8 @@ static int ima_alloc_kexec_file_buf(size_t segment_size)
return -ENOMEM;

ima_kexec_file.size = segment_size;
+
+out:
ima_kexec_file.read_pos = 0;
ima_kexec_file.count = sizeof(struct ima_kexec_hdr); /* reserved space */
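Review bot: on the reuse path that jumps to `out:`, `ima_kexec_file.size` is intentionally left untouched (the guard already required it to equal `segment_size`), but the label resets only `read_pos` and `count`; since this is now the common tail for both the fresh-allocation and the reuse path, a one-line comment above `out:` stating that all per-load state of ima_kexec_file must be reset here would make it harder for a later change to add a field that is initialised only on the allocation path. The added blank line before the label follows kernel style and needs no change.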

--
2.43.0