From 16bfa38b1936212428cb38fbfbbb8f6c62b8d81f Mon Sep 17 00:00:00 2001
From: Mimi Zohar
Date: Fri, 21 Aug 2009 14:32:49 -0400
Subject: ima: hashing large files bug fix

Hashing files larger than INT_MAX causes process to loop. Dependent on redefining kernel_read() offset type to loff_t. (http://bugzilla.kernel.org/show_bug.cgi?id=13909)
Cc: stable@kernel.org
Signed-off-by: Mimi Zohar
Signed-off-by: James Morris
---
 security/integrity/ima/ima_crypto.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'security')
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index 63003a63aae..46642a19bc7 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -45,9 +45,9 @@ int ima_calc_hash(struct file *file, char *digest)
 {
 struct hash_desc desc;
 struct scatterlist sg[1];
- loff_t i_size;
+ loff_t i_size, offset = 0;
 char *rbuf;
- int rc, offset = 0;
+ int rc;
 
 rc = init_desc(&desc);
 if (rc != 0)
@@ -67,6 +67,8 @@ int ima_calc_hash(struct file *file, char *digest)
 rc = rbuf_len;
 break;
 }
+ if (rbuf_len == 0)
+ break;
 offset += rbuf_len;
 sg_init_one(sg, rbuf, rbuf_len);
 
-- 
cgit v1.2.3-70-g09d2
From 53a7197aff20e341487fca8575275056fe1c63e5 Mon Sep 17 00:00:00 2001
From: Eric Paris
Date: Wed, 26 Aug 2009 14:56:48 -0400
Subject: IMA: iint put in ima_counts_get and put

ima_counts_get() calls ima_iint_find_insert_get() which takes a reference to the iint in question, but does not put that reference at the end of the function. This can lead to a nasty memory leak. Easy enough to reproduce: #include #include int main (void) { int i; void *ptr; for (i=0; i < 100000; i++) { ptr = mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0); if (ptr == MAP_FAILED) return 2; munmap(ptr, 4096); } return 0; }
Signed-off-by: Eric Paris
Signed-off-by: James Morris
---
 security/integrity/ima/ima_main.c | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'security')
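Review bot: The widened `offset` in the first ima_crypto.c hunk (`loff_t i_size, offset = 0;` in ima_calc_hash()) only fixes large-file hashing if the read call that consumes it also takes a 64-bit offset. The commit message states that dependency on kernel_read(), but the call itself is outside the hunk. Since the patch is marked for stable, a backport without the prerequisite would presumably narrow the value again at the call and hash the wrong file region without reporting an error. I would record the constraint at the declaration, for example `/* loff_t: must match kernel_read()'s offset type; files may exceed INT_MAX */`. The function body continues past the end of this hunk.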
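Review bot: The new `if (rbuf_len == 0) break;` in the second ima_crypto.c hunk leaves the read loop without touching `rc`. A read that reaches end-of-file before `i_size` bytes were consumed therefore appears to continue to the success path with a digest over only the data read so far. The loop condition and the finalisation are outside the hunk, so this is inferred rather than visible. For an integrity measurement, that truncated-file case should at least be stated where it happens, e.g. `/* EOF before i_size (file shrank?): digest covers only the bytes read */` directly above the check.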
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 101c512564e..4732f5e5d12 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -262,6 +262,8 @@ void ima_counts_put(struct path *path, int mask)
 else if (mask & (MAY_READ | MAY_EXEC))
 iint->readcount--;
 mutex_unlock(&iint->mutex);
+
+ kref_put(&iint->refcount, iint_free);
 }
 
 /*
@@ -291,6 +293,8 @@ void ima_counts_get(struct file *file)
 if (file->f_mode & FMODE_WRITE)
 iint->writecount++;
 mutex_unlock(&iint->mutex);
+
+ kref_put(&iint->refcount, iint_free);
 }
 EXPORT_SYMBOL_GPL(ima_counts_get);
 
-- 
cgit v1.2.3-70-g09d2
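Review bot: Both added `kref_put(&iint->refcount, iint_free);` calls, in ima_counts_put() here and in ima_counts_get() in the next hunk, release a reference whose acquisition is outside the hunks. The commit message only accounts for the one taken in ima_counts_get() through ima_iint_find_insert_get(). If ima_counts_put() does not take its own reference earlier in the function, the new put would drop one it does not own and the iint could be freed while still in use, so that pairing should be confirmed. A comment on each call would make the balance auditable, e.g. `/* drop the ref taken by ima_iint_find_insert_get() above */`. Both function bodies begin before their hunks.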