From 4b7a74cc41906d462e910aaad0a8fc7caac261dd Mon Sep 17 00:00:00 2001 From: Vitaly Chikunov Date: Mon, 15 Jul 2019 23:05:50 +0300 Subject: [PATCH] ima-evm-utils: Fix possible xattr_value overflows in calc_evm_hash `selinux_str',`caps_str', and `ima_str' are passed from the command line but copied into the fixed-size buffer. Yes, length of `selinux_str' is calculated differently than of `caps_str'. Fixes: CID 229895. Signed-off-by: Vitaly Chikunov Signed-off-by: Mimi Zohar --- src/evmctl.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/src/evmctl.c b/src/evmctl.c index d6e0b2c..04dc546 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -401,16 +401,31 @@ static int calc_evm_hash(const char *file, unsigned char *hash) for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) { if (!strcmp(*xattrname, XATTR_NAME_SELINUX) && selinux_str) { - strcpy(xattr_value, selinux_str); err = strlen(selinux_str) + 1; + if (err > sizeof(xattr_value)) { + log_err("selinux[%u] value is too long to fit into xattr[%zu]\n", + err, sizeof(xattr_value)); + return -1; + } + strcpy(xattr_value, selinux_str); } else if (!strcmp(*xattrname, XATTR_NAME_IMA) && ima_str) { - hex2bin(xattr_value, ima_str, strlen(ima_str) / 2); err = strlen(ima_str) / 2; + if (err > sizeof(xattr_value)) { + log_err("ima[%u] value is too long to fit into xattr[%zu]\n", + err, sizeof(xattr_value)); + return -1; + } + hex2bin(xattr_value, ima_str, err); } else if (!strcmp(*xattrname, XATTR_NAME_CAPS) && (hmac_flags & HMAC_FLAG_CAPS_SET)) { if (!caps_str) continue; - strcpy(xattr_value, caps_str); err = strlen(caps_str); + if (err >= sizeof(xattr_value)) { + log_err("caps[%u] value is too long to fit into xattr[%zu]\n", + err + 1, sizeof(xattr_value)); + return -1; + } + strcpy(xattr_value, caps_str); } else { err = lgetxattr(file, *xattrname, xattr_value, sizeof(xattr_value)); if (err < 0) {