From: Matt Bobrowski mattbobrowski@google.com
commit 6dc387d52eb67f45d68caa263704fa4e39ef8e76 upstream.
Restore the error handling logic so that when file measurement fails, the respective iint entry is not left with the digest data being populated with zeroes.
Fixes: 54f03916fb89 ("ima: permit fsverity's file digests in the IMA measurement list") Cc: stable@vger.kernel.org # 5.19 Signed-off-by: Matt Bobrowski mattbobrowski@google.com Signed-off-by: Mimi Zohar zohar@linux.ibm.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_main.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -292,7 +292,7 @@ int ima_collect_measurement(struct integ
 result = ima_calc_file_hash(file, &hash.hdr);
 }
- if (result == -ENOMEM)
+ if (result && result != -EBADF && result != -EINVAL)
 goto out;
length = sizeof(hash.hdr) + hash.hdr.length;
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -335,7 +335,7 @@ static int process_measurement(struct fi
 hash_algo = ima_get_hash_algo(xattr_value, xattr_len);
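Review bot: The fall-through for -EBADF and -EINVAL in `if (result && result != -EBADF && result != -EINVAL)` carries no comment saying why these two failures may continue, and the next visible statement, `length = sizeof(hash.hdr) + hash.hdr.length;`, then reads `hash.hdr.length` after a failed hash calculation. That is only sound if the hashing helpers fill in `hash.hdr` before returning those codes, which this hunk does not show, so it is worth confirming and recording next to the check, e.g. `/* -EBADF/-EINVAL: entry is still recorded; callee must have initialised hash.hdr on these paths */`. Anything that later consumes the entry presumably has to treat the digest stored on these two paths as "not measured" rather than as a real file hash. ima_collect_measurement() starts and ends outside the hunk.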
rc = ima_collect_measurement(iint, file, buf, size, hash_algo, modsig);
- if (rc == -ENOMEM)
+ if (rc != 0 && rc != -EBADF && rc != -EINVAL)
 goto out_locked;
if (!pathbuf) /* ima_rdwr_violation possibly pre-fetched */
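Review bot: The errno exemption list is repeated here as `if (rc != 0 && rc != -EBADF && rc != -EINVAL)`, spelled differently from the `if (result && ...)` form in ima_api.c, so a later change to one check can silently miss the other. Writing it as `if (rc && rc != -EBADF && rc != -EINVAL)` with a comment such as `/* keep in sync with ima_collect_measurement() */` would make the coupling between caller and callee visible. Since this check decides whether a failed measurement aborts processing or carries on, the two sites need to agree exactly. process_measurement() continues outside the hunk.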