CVE-2025-68740
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
ima: Handle error code returned by ima_filter_rule_match()
In ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to the rule being NULL, the function incorrectly skips the 'if (!rc)' check and sets 'result = true'. The LSM rule is considered a match, causing extra files to be measured by IMA.
This issue can be reproduced in the following scenario: After unloading the SELinux policy module via 'semodule -d', if an IMA measurement is triggered before ima_lsm_rules is updated, in ima_match_rules(), the first call to ima_filter_rule_match() returns -ESTALE. This causes the code to enter the 'if (rc == -ESTALE && !rule_reinitialized)' block, perform ima_lsm_copy_rule() and retry. In ima_lsm_copy_rule(), since the SELinux module has been removed, the rule becomes NULL, and the second call to ima_filter_rule_match() returns -ENOENT. This bypasses the 'if (!rc)' check and results in a false match.
Call trace: selinux_audit_rule_match+0x310/0x3b8 security_audit_rule_match+0x60/0xa0 ima_match_rules+0x2e4/0x4a0 ima_match_policy+0x9c/0x1e8 ima_get_action+0x48/0x60 process_measurement+0xf8/0xa98 ima_bprm_check+0x98/0xd8 security_bprm_check+0x5c/0x78 search_binary_handler+0x6c/0x318 exec_binprm+0x58/0x1b8 bprm_execve+0xb8/0x130 do_execveat_common.isra.0+0x1a8/0x258 __arm64_sys_execve+0x48/0x68 invoke_syscall+0x50/0x128 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x44/0x200 el0t_64_sync_handler+0x100/0x130 el0t_64_sync+0x3c8/0x3d0
Fix this by changing 'if (!rc)' to 'if (rc <= 0)' to ensure that error codes like -ENOENT do not bypass the check and accidentally result in a successful match.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 4af4662fa4a9dc62289c580337ae2506339c4729 < d14e0ec6a6828ee0dffa163fb5d513c9a21f0a51 | affected |
| Linux | Linux | 4af4662fa4a9dc62289c580337ae2506339c4729 < f2f4627b74c120fcdd8e1db93bc91f9bbaf46f85 | affected |
| Linux | Linux | 4af4662fa4a9dc62289c580337ae2506339c4729 < 88cd5fbf5869731be8fc6f7cecb4e0d6ab3d8749 | affected |
| Linux | Linux | 4af4662fa4a9dc62289c580337ae2506339c4729 < cca3e7df3c0f99542033657ba850b9a6d27f8784 | affected |
| Linux | Linux | 4af4662fa4a9dc62289c580337ae2506339c4729 < c2238d487a640ae3511e1b6f4640ab27ce10d7f6 | affected |
| Linux | Linux | 4af4662fa4a9dc62289c580337ae2506339c4729 < de4431faf308d0c533cb386f5fa9af009bc86158 | affected |
| Linux | Linux | 4af4662fa4a9dc62289c580337ae2506339c4729 < 32952c4f4d1b2deb30dce72ba109da808a9018e1 | affected |
| Linux | Linux | 4af4662fa4a9dc62289c580337ae2506339c4729 < 738c9738e690f5cea24a3ad6fd2d9a323cf614f6 | affected |
| Linux | Linux | 2.6.30 | affected |
| Linux | Linux | 0 < 2.6.30 | unaffected |
| Linux | Linux | 5.10.248 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.198 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.160 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.120 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.63 <= 6.12.* | unaffected |
| Linux | Linux | 6.17.13 <= 6.17.* | unaffected |
| Linux | Linux | 6.18.2 <= 6.18.* | unaffected |
| Linux | Linux | 6.19 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/d14e0ec6a6828ee0dffa163fb5d513c9a21f0a51
- https://git.kernel.org/stable/c/f2f4627b74c120fcdd8e1db93bc91f9bbaf46f85
- https://git.kernel.org/stable/c/88cd5fbf5869731be8fc6f7cecb4e0d6ab3d8749
- https://git.kernel.org/stable/c/cca3e7df3c0f99542033657ba850b9a6d27f8784
- https://git.kernel.org/stable/c/c2238d487a640ae3511e1b6f4640ab27ce10d7f6
- https://git.kernel.org/stable/c/de4431faf308d0c533cb386f5fa9af009bc86158
- https://git.kernel.org/stable/c/32952c4f4d1b2deb30dce72ba109da808a9018e1
- https://git.kernel.org/stable/c/738c9738e690f5cea24a3ad6fd2d9a323cf614f6
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.