From: Roberto Sassu Date: Fri, 5 Jun 2020 06:50:28 +0000 (+0200) Subject: ima: Directly free *entry in ima_alloc_init_template() if digests is NULL X-Git-Tag: Ubuntu-5.10.0-12.13~2688^2 X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=42413b49804b250ced70dac8815388af2d4ad872;p=mirror_ubuntu-hirsute-kernel.git ima: Directly free *entry in ima_alloc_init_template() if digests is NULL To support multiple template digests, the static array entry->digest has been replaced with a dynamically allocated array in commit aa724fe18a8a ("ima: Switch to dynamically allocated buffer for template digests"). The array is allocated in ima_alloc_init_template() and if the returned pointer is NULL, ima_free_template_entry() is called. However, (*entry)->template_desc is not yet initialized while it is used by ima_free_template_entry(). This patch fixes the issue by directly freeing *entry without calling ima_free_template_entry(). Fixes: aa724fe18a8a ("ima: Switch to dynamically allocated buffer for template digests") Reported-by: syzbot+223310b454ba6b75974e@syzkaller.appspotmail.com Signed-off-by: Roberto Sassu Signed-off-by: Mimi Zohar --- diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 78e0b0a7723e..bf22de8b7ce0 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -55,8 +55,9 @@ int ima_alloc_init_template(struct ima_event_data *event_data, digests = kcalloc(NR_BANKS(ima_tpm_chip) + ima_extra_slots, sizeof(*digests), GFP_NOFS); if (!digests) { - result = -ENOMEM; - goto out; + kfree(*entry); + *entry = NULL; + return -ENOMEM; } (*entry)->digests = digests;