ima: Fix a potential NULL pointer access in ima_restore_measurement_list

commit 11220db412edae8dba58853238f53258268bdb88 upstream.

In restore_template_fmt, when kstrdup fails, a non-NULL value will still be
returned, which causes a NULL pointer access in template_desc_init_fields.

Fixes: c7d09367702e ("ima: support restoring multiple template formats")
Cc: stable@kernel.org
Co-developed-by: Jiaming Li <lijiaming30@huawei.com>
Signed-off-by: Jiaming Li <lijiaming30@huawei.com>
Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
index f84a0598e4f6a62d301436f5368664b9ff70ea83..31a8388e3dfae9e66791a410b27cf4e87fc0785d 100644 (file)
--- a/security/integrity/ima/ima_template.c
+++ b/security/integrity/ima/ima_template.c
@@ -336,8 +336,11 @@ static struct ima_template_desc *restore_template_fmt(char *template_name)
 
        template_desc->name = "";
        template_desc->fmt = kstrdup(template_name, GFP_KERNEL);
-       if (!template_desc->fmt)
+       if (!template_desc->fmt) {
+               kfree(template_desc);
+               template_desc = NULL;
                goto out;
+       }
 
        spin_lock(&template_list);
        list_add_tail_rcu(&template_desc->list, &defined_templates);