--- /dev/null
+From 60386b854008adc951c470067f90a2d85b5d520f Mon Sep 17 00:00:00 2001
+From: Roberto Sassu <roberto.sassu@huawei.com>
+Date: Fri, 4 Sep 2020 11:23:28 +0200
+Subject: ima: Don't ignore errors from crypto_shash_update()
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+commit 60386b854008adc951c470067f90a2d85b5d520f upstream.
+
+Errors returned by crypto_shash_update() are not checked in
+ima_calc_boot_aggregate_tfm() and thus can be overwritten at the next
+iteration of the loop. This patch adds a check after calling
+crypto_shash_update() and returns immediately if the result is not zero.
+
+Cc: stable@vger.kernel.org
+Fixes: 3323eec921efd ("integrity: IMA as an integrity service provider")
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/integrity/ima/ima_crypto.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/security/integrity/ima/ima_crypto.c
++++ b/security/integrity/ima/ima_crypto.c
+@@ -555,6 +555,8 @@ static int __init ima_calc_boot_aggregat
+ ima_pcrread(i, pcr_i);
+ /* now accumulate with current aggregate */
+ rc = crypto_shash_update(shash, pcr_i, TPM_DIGEST_SIZE);
++ if (rc != 0)
++ return rc;
+ }
+ if (!rc)
+ crypto_shash_final(shash, digest);
projects / thirdparty / kernel / stable-queue.git / commitdiff
