Home

Description

In the Linux kernel, the following vulnerability has been resolved: ima: Handle error code returned by ima_filter_rule_match() In ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to the rule being NULL, the function incorrectly skips the 'if (!rc)' check and sets 'result = true'. The LSM rule is considered a match, causing extra files to be measured by IMA. This issue can be reproduced in the following scenario: After unloading the SELinux policy module via 'semodule -d', if an IMA measurement is triggered before ima_lsm_rules is updated, in ima_match_rules(), the first call to ima_filter_rule_match() returns -ESTALE. This causes the code to enter the 'if (rc == -ESTALE && !rule_reinitialized)' block, perform ima_lsm_copy_rule() and retry. In ima_lsm_copy_rule(), since the SELinux module has been removed, the rule becomes NULL, and the second call to ima_filter_rule_match() returns -ENOENT. This bypasses the 'if (!rc)' check and results in a false match. Call trace: selinux_audit_rule_match+0x310/0x3b8 security_audit_rule_match+0x60/0xa0 ima_match_rules+0x2e4/0x4a0 ima_match_policy+0x9c/0x1e8 ima_get_action+0x48/0x60 process_measurement+0xf8/0xa98 ima_bprm_check+0x98/0xd8 security_bprm_check+0x5c/0x78 search_binary_handler+0x6c/0x318 exec_binprm+0x58/0x1b8 bprm_execve+0xb8/0x130 do_execveat_common.isra.0+0x1a8/0x258 __arm64_sys_execve+0x48/0x68 invoke_syscall+0x50/0x128 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x44/0x200 el0t_64_sync_handler+0x100/0x130 el0t_64_sync+0x3c8/0x3d0 Fix this by changing 'if (!rc)' to 'if (rc <= 0)' to ensure that error codes like -ENOENT do not bypass the check and accidentally result in a successful match.

PUBLISHED Reserved 2025-12-24 | Published 2025-12-24 | Updated 2026-02-09 | Assigner Linux

Product status

Default status
unaffected

4af4662fa4a9dc62289c580337ae2506339c4729 (git) before d14e0ec6a6828ee0dffa163fb5d513c9a21f0a51
affected

4af4662fa4a9dc62289c580337ae2506339c4729 (git) before f2f4627b74c120fcdd8e1db93bc91f9bbaf46f85
affected

4af4662fa4a9dc62289c580337ae2506339c4729 (git) before 88cd5fbf5869731be8fc6f7cecb4e0d6ab3d8749
affected

4af4662fa4a9dc62289c580337ae2506339c4729 (git) before cca3e7df3c0f99542033657ba850b9a6d27f8784
affected

4af4662fa4a9dc62289c580337ae2506339c4729 (git) before c2238d487a640ae3511e1b6f4640ab27ce10d7f6
affected

4af4662fa4a9dc62289c580337ae2506339c4729 (git) before de4431faf308d0c533cb386f5fa9af009bc86158
affected

4af4662fa4a9dc62289c580337ae2506339c4729 (git) before 32952c4f4d1b2deb30dce72ba109da808a9018e1
affected

4af4662fa4a9dc62289c580337ae2506339c4729 (git) before 738c9738e690f5cea24a3ad6fd2d9a323cf614f6
affected

Default status
affected

2.6.30
affected

Any version before 2.6.30
unaffected

5.10.248 (semver)
unaffected

5.15.198 (semver)
unaffected

6.1.160 (semver)
unaffected

6.6.120 (semver)
unaffected

6.12.63 (semver)
unaffected

6.17.13 (semver)
unaffected

6.18.2 (semver)
unaffected

6.19 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/d14e0ec6a6828ee0dffa163fb5d513c9a21f0a51

git.kernel.org/...c/f2f4627b74c120fcdd8e1db93bc91f9bbaf46f85

git.kernel.org/...c/88cd5fbf5869731be8fc6f7cecb4e0d6ab3d8749

git.kernel.org/...c/cca3e7df3c0f99542033657ba850b9a6d27f8784

git.kernel.org/...c/c2238d487a640ae3511e1b6f4640ab27ce10d7f6

git.kernel.org/...c/de4431faf308d0c533cb386f5fa9af009bc86158

git.kernel.org/...c/32952c4f4d1b2deb30dce72ba109da808a9018e1

git.kernel.org/...c/738c9738e690f5cea24a3ad6fd2d9a323cf614f6

cve.org (CVE-2025-68740)

nvd.nist.gov (CVE-2025-68740)

Download JSON