author | Roberto Sassu <roberto.sassu@polito.it> | 2014-02-03 13:56:05 +0100 |
---|---|---|
committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2014-03-07 11:32:30 -0500 |
commit | e3b64c268b485f578a498c2f6d5704ef54ab4432 (patch) | |
tree | 0612967837f6afe8b78da21d803146bbc1c8ddf6 /security/integrity/ima/ima_crypto.c | |
parent | c019e307ad82a8ee652b8ccbacf69ae94263b07b (diff) | |
ima: reduce memory usage when a template containing the n field is used
Before this change, to correctly calculate the template digest for the
'ima' template, the event name field (id: 'n') length was set to the fixed
size of 256 bytes.
This patch reduces the length of the event name field to the string
length incremented by one (to make room for the termination character '\0')
and handles the specific case of the digest calculation for the 'ima'
template directly in ima_calc_field_array_hash_tfm().
Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity/ima/ima_crypto.c')
-rw-r--r-- | security/integrity/ima/ima_crypto.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index fdf60de..d8b55c9 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -161,15 +161,22 @@ static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
 return rc;
 for (i = 0; i < num_fields; i++) {
+ u8 buffer[IMA_EVENT_NAME_LEN_MAX + 1] = { 0 };
+ u8 *data_to_hash = field_data[i].data;
+ u32 datalen = field_data[i].len;
+
 if (strcmp(td->name, IMA_TEMPLATE_IMA_NAME) != 0) {
 rc = crypto_shash_update(&desc.shash, (const u8 *) &field_data[i].len, sizeof(field_data[i].len));
 if (rc) break;
+ } else if (strcmp(td->fields[i]->field_id, "n") == 0) {
+ memcpy(buffer, data_to_hash, datalen);
+ data_to_hash = buffer;
+ datalen = IMA_EVENT_NAME_LEN_MAX + 1;
 }
- rc = crypto_shash_update(&desc.shash, field_data[i].data,
- field_data[i].len);
+ rc = crypto_shash_update(&desc.shash, data_to_hash, datalen);
 if (rc) break;
 } |
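Review bot: The `memcpy(buffer, data_to_hash, datalen)` in the new `else if` branch copies `field_data[i].len` bytes into a stack buffer of `IMA_EVENT_NAME_LEN_MAX + 1` bytes, and nothing in this hunk checks that the length fits. The bound is presumably enforced where the 'n' field is filled in for the 'ima' template, which is outside this file's diff, so an overlong name reaching this point would overflow the kernel stack. Making the invariant local would cost one check before the copy, for example `if (WARN_ON(datalen > sizeof(buffer))) { rc = -EINVAL; break; }`. The branch also indexes `td->fields[i]` under a loop bounded by `num_fields`, which assumes the caller passes the descriptor's own field count; a short comment stating that would help. The body of ima_calc_field_array_hash_tfm() starts and ends outside the hunk.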