From 5c57ec04ec4208a968d490dfedd72319c8518e01 Mon Sep 17 00:00:00 2001 From: Huaxin Lu Date: Thu, 14 Sep 2023 12:26:29 +0800 Subject: [PATCH] Limit the max line number of policy and baseline parsing 1. Limit the max file line number to 10000, the excess lines will be ignored; 2. Remove some unused macro definitions; 3. Change some macro names. Signed-off-by: Huaxin Lu --- doc/manual.md | 9 +++++---- src/common/dim_utils.c | 10 ++++++++-- src/core/dim_core_policy.c | 6 ++++++ src/core/dim_core_policy.h | 2 +- src/core/dim_core_static_baseline.c | 16 +++++++++++----- src/core/dim_core_static_baseline.h | 22 +++++++--------------- 6 files changed, 38 insertions(+), 27 deletions(-) diff --git a/doc/manual.md b/doc/manual.md index a8f94e4..1a20742 100644 --- a/doc/manual.md +++ b/doc/manual.md @@ -52,10 +52,11 @@ DIM特性通过在程序运行时对内存中的关键数据(如代码段、 ### 1.3 规格约束 -| 规格项 | 值 | -| ------------------------------------------------------------ | ---- | -| 文件大小上限(策略文件、静态基线文件、签名文件、证书文件) | 10MB | -| 同一个度量目标在一次动态基线后多次度量期间最多记录的篡改度量日志条数 | 10条 | +| 规格项 | 值 | +| ------------------------------------------------------------ | ------- | +| 文件大小上限(策略文件、静态基线文件、签名文件、证书文件) | 10MB | +| 文件行数上限(策略文件、静态基线文件) | 10000行 | +| 同一个度量目标在一次动态基线后多次度量期间最多记录的篡改度量日志条数 | 10条 | ### 1.4 架构说明 diff --git a/src/common/dim_utils.c b/src/common/dim_utils.c index 83ed967..75b58fc 100644 --- a/src/common/dim_utils.c +++ b/src/common/dim_utils.c @@ -83,8 +83,14 @@ int dim_parse_line_buf(char *buf, loff_t len, int (*line_parser)(char *, int)) ret = line_parser(line_buf, line_no); } - if (ret < 0) + if (ret < 0) { + /* + * if the parser returns -E2BIG, means the line number + * is too large, the excess lines will be ignored. + */ + ret = (ret == -E2BIG) ? 0 : ret; goto out; + } line_no++; } @@ -93,4 +99,4 @@ out: kfree(line_buf); return ret; -} \ No newline at end of file +} diff --git a/src/core/dim_core_policy.c b/src/core/dim_core_policy.c index b501de4..a3fa369 100644 --- a/src/core/dim_core_policy.c +++ b/src/core/dim_core_policy.c @@ -170,6 +170,12 @@ static int policy_parse_line(char* line, int line_no) int key = 0; const char *val = NULL; + if (line_no > DIM_POLICY_LINE_MAX) { + dim_warn("more than %d policy items will be ignored\n", + DIM_POLICY_LINE_MAX); + return -E2BIG; + } + if (strlen(line) == 0 || line[0] == '#') return 0; /* ignore blank line and comment */ diff --git a/src/core/dim_core_policy.h b/src/core/dim_core_policy.h index 0f0de91..48c6f41 100644 --- a/src/core/dim_core_policy.h +++ b/src/core/dim_core_policy.h @@ -6,7 +6,7 @@ #define __DIM_CORE_POLICY_H #define DIM_POLICY_PATH "/etc/dim/policy" -#define DIM_MAX_POLICY_NUMBER 100000 +#define DIM_POLICY_LINE_MAX 10000 /* policy key */ #define DIM_POLICY_MEASURE "measure" diff --git a/src/core/dim_core_static_baseline.c b/src/core/dim_core_static_baseline.c index ebe6db8..f779da1 100644 --- a/src/core/dim_core_static_baseline.c +++ b/src/core/dim_core_static_baseline.c @@ -57,16 +57,22 @@ static int parse_simple_baseline_line(char* line, int line_no) char *line_str = line; struct dim_digest digest = { 0 }; + if (line_no > DIM_STATIC_BASELINE_LINE_MAX) { + dim_warn("more than %d baseline items will be ignored\n", + DIM_STATIC_BASELINE_LINE_MAX); + return -E2BIG; + } + if (strlen(line) == 0 || line[0] == '#') return 0; /* ignore blank line and comment */ - if (strlen(line) > DIM_BASELINE_MAX_LEN) { + if (strlen(line) > DIM_STATIC_BASELINE_LEN_MAX) { dim_err("overlength item at line %d\n", line_no); return 0; /* ignore baseline parsing failed */ } if ((p = strsep(&line_str, " ")) == NULL || - strcmp(p, DIM_BASELINE_PREFIX) != 0) { + strcmp(p, DIM_STATIC_BASELINE_PREFIX) != 0) { dim_warn("invalid baseline prefix at line %d\n", line_no); return 0; } @@ -167,16 +173,16 @@ int dim_core_static_baseline_load(void) .path = &kpath, }; - ret = kern_path(DIM_BASELINE_ROOT, LOOKUP_DIRECTORY, &kpath); + ret = kern_path(DIM_STATIC_BASELINE_ROOT, LOOKUP_DIRECTORY, &kpath); if (ret < 0) { dim_err("fail to get dim baseline root path: %d", ret); return ret; } - file = filp_open(DIM_BASELINE_ROOT, O_RDONLY | O_DIRECTORY, 0); + file = filp_open(DIM_STATIC_BASELINE_ROOT, O_RDONLY | O_DIRECTORY, 0); if (IS_ERR(file)) { ret = PTR_ERR(file); - dim_err("fail to open %s: %d\n", DIM_BASELINE_ROOT, ret); + dim_err("fail to open %s: %d\n", DIM_STATIC_BASELINE_ROOT, ret); path_put(&kpath); return ret; } diff --git a/src/core/dim_core_static_baseline.h b/src/core/dim_core_static_baseline.h index 0691934..bec37d6 100644 --- a/src/core/dim_core_static_baseline.h +++ b/src/core/dim_core_static_baseline.h @@ -5,22 +5,14 @@ #ifndef __DIM_CORE_STATIC_BASELINE_H #define __DIM_CORE_STATIC_BASELINE_H -#define DIM_BASELINE_ROOT "/etc/dim/digest_list" - -/* key field in baseline json file */ -#define KEY_PRODUCTS "products" -#define KEY_FILES "ccFiles" -#define KEY_FPATCHES "patches" -#define KEY_FILENAME "fileName" -#define KEY_FILETYPE "fileType" -#define KEY_PATCH_FILES "files" -#define KEY_SHA256 "sha256" - -#define DIM_BASELINE_PREFIX "dim" - /* dim KERNEL sha256:{digest} {PATH_MAX}\n*/ - #define DIM_BASELINE_MAX_LEN (strlen(DIM_BASELINE_PREFIX) + 1 + \ - NAME_MAX + 1 + NAME_MAX + 1 + PATH_MAX + 1 + 1) +#define DIM_STATIC_BASELINE_ROOT "/etc/dim/digest_list" +#define DIM_STATIC_BASELINE_LINE_MAX 10000 +#define DIM_STATIC_BASELINE_PREFIX "dim" +/* dim KERNEL sha256:{digest} {PATH_MAX}\n*/ +#define DIM_STATIC_BASELINE_LEN_MAX (strlen(DIM_STATIC_BASELINE_PREFIX) + 1 + \ + NAME_MAX + 1 + NAME_MAX + 1 + \ + PATH_MAX + 1 + 1) int dim_core_static_baseline_load(void); -- 2.33.0