ima: fix error handling logic when file measurement failed

mattbobrowski · mimizohar · commit 6dc387d52eb6 · 2023-01-18T13:17:00.000-05:00
Restore the error handling logic so that when file measurement fails, the respective iint entry is not left with the digest data being populated with zeroes. Fixes: 54f0391 ("ima: permit fsverity's file digests in the IMA measurement list") Cc: stable@vger.kernel.org # 5.19 Signed-off-by: Matt Bobrowski <mattbobrowski@google.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
@@ -292,7 +292,7 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
 		result = ima_calc_file_hash(file, &hash.hdr);
 	}
 
-	if (result == -ENOMEM)
+	if (result && result != -EBADF && result != -EINVAL)
 		goto out;
 
 	length = sizeof(hash.hdr) + hash.hdr.length;
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
@@ -337,7 +337,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
 	hash_algo = ima_get_hash_algo(xattr_value, xattr_len);
 
 	rc = ima_collect_measurement(iint, file, buf, size, hash_algo, modsig);
-	if (rc == -ENOMEM)
+	if (rc != 0 && rc != -EBADF && rc != -EINVAL)
 		goto out_locked;
 
 	if (!pathbuf)	/* ima_rdwr_violation possibly pre-fetched */

Original file line number	Diff line number	Diff line change
`@@ -292,7 +292,7 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,`
`292`	`292`	`result = ima_calc_file_hash(file, &hash.hdr);`
`293`	`293`	`}`
`294`	`294`
`295`		`- if (result == -ENOMEM)`
	`295`	`+ if (result && result != -EBADF && result != -EINVAL)`
`296`	`296`	`goto out;`
`297`	`297`
`298`	`298`	`length = sizeof(hash.hdr) + hash.hdr.length;`