author Daniel Hodges <hodgesd@meta.com> 2026-01-31 18:40:15 -0800
committer Mimi Zohar <zohar@linux.ibm.com> 2026-03-09 10:57:49 -0400
commit 870819434c8dfcc3158033b66e7851b81bb17e21 (patch)
tree db29179f5fb3f3aa7b3e739c909246fafc97e05c /security
parent a74d7197ebe5b1b8028911d47e78c119d9aaf193 (diff)
ima: check return value of crypto_shash_final() in boot aggregate

The return value of crypto_shash_final() is not checked in ima_calc_boot_aggregate_tfm(). If the hash finalization fails, the function returns success and a corrupted boot aggregate digest could be used for IMA measurements.

Capture the return value and propagate any error to the caller.

Fixes: 76bb28f6126f ("ima: use new crypto_shash API instead of old crypto_hash")
Signed-off-by: Daniel Hodges <hodgesd@meta.com>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Diffstat (limited to 'security')
-rw-r--r-- security/integrity/ima/ima_crypto.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index 10022b0db4d58..8f680ef18d8c3 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -838,7 +838,7 @@ static int ima_calc_boot_aggregate_tfm(char *digest, u16 alg_id,
}
}
if (!rc)
- crypto_shash_final(shash, digest);
+ rc = crypto_shash_final(shash, digest);
return rc;
}
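
Review bot: with `rc = crypto_shash_final(shash, digest);` as the last step before `return rc;`, a failed finalization now returns an error, but `digest` is left in whatever state the failed call produced, and the hunk does not show what the caller of ima_calc_boot_aggregate_tfm() does with that buffer. Please confirm that the caller drops the digest whenever rc is nonzero, or clear the buffer on the error path here, so that a boot aggregate can never be recorded from a hash that did not complete. It would also help to say in the commit message which caller now sees the error and how it reacts.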