IMA: reject unknown hash algorithms in ima_get_hash_algo
authorTHOBY Simon <Simon.THOBY@viveris.fr>
Sun, 22 Aug 2021 08:55:26 +0000 (08:55 +0000)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 17 Nov 2021 10:04:52 +0000 (11:04 +0100)
commit45a47382941d9702ec50608b6e4edd27c2bdd15a
treed11accc90a7bf1e135afa6ab450524cfb9c5094c
parenta3c6e358fbe42247c347c6b777167e5c4351248d
IMA: reject unknown hash algorithms in ima_get_hash_algo

commit cb181da161963eddc9de0000de6ab2c7942be219 upstream.

The new function validate_hash_algo() assumed that ima_get_hash_algo()
always return a valid 'enum hash_algo', but it returned the
user-supplied value present in the digital signature without
any bounds checks.

Update ima_get_hash_algo() to always return a valid hash algorithm,
defaulting on 'ima_hash_algo' when the user-supplied value inside
the xattr is invalid.

Signed-off-by: THOBY Simon <Simon.THOBY@viveris.fr>
Reported-by: syzbot+e8bafe7b82c739eaf153@syzkaller.appspotmail.com
Fixes: 50f742dd9147 ("IMA: block writes of the security.ima xattr with unsupported algorithms")
Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
security/integrity/ima/ima_appraise.c