-

CVE-2025-68740

In the Linux kernel, the following vulnerability has been resolved:

ima: Handle error code returned by ima_filter_rule_match()

In ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to
the rule being NULL, the function incorrectly skips the 'if (!rc)' check
and sets 'result = true'. The LSM rule is considered a match, causing
extra files to be measured by IMA.

This issue can be reproduced in the following scenario:
After unloading the SELinux policy module via 'semodule -d', if an IMA
measurement is triggered before ima_lsm_rules is updated,
in ima_match_rules(), the first call to ima_filter_rule_match() returns
-ESTALE. This causes the code to enter the 'if (rc == -ESTALE &&
!rule_reinitialized)' block, perform ima_lsm_copy_rule() and retry. In
ima_lsm_copy_rule(), since the SELinux module has been removed, the rule
becomes NULL, and the second call to ima_filter_rule_match() returns
-ENOENT. This bypasses the 'if (!rc)' check and results in a false match.

Call trace:
  selinux_audit_rule_match+0x310/0x3b8
  security_audit_rule_match+0x60/0xa0
  ima_match_rules+0x2e4/0x4a0
  ima_match_policy+0x9c/0x1e8
  ima_get_action+0x48/0x60
  process_measurement+0xf8/0xa98
  ima_bprm_check+0x98/0xd8
  security_bprm_check+0x5c/0x78
  search_binary_handler+0x6c/0x318
  exec_binprm+0x58/0x1b8
  bprm_execve+0xb8/0x130
  do_execveat_common.isra.0+0x1a8/0x258
  __arm64_sys_execve+0x48/0x68
  invoke_syscall+0x50/0x128
  el0_svc_common.constprop.0+0xc8/0xf0
  do_el0_svc+0x24/0x38
  el0_svc+0x44/0x200
  el0t_64_sync_handler+0x100/0x130
  el0t_64_sync+0x3c8/0x3d0

Fix this by changing 'if (!rc)' to 'if (rc <= 0)' to ensure that error
codes like -ENOENT do not bypass the check and accidentally result in a
successful match.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version < d14e0ec6a6828ee0dffa163fb5d513c9a21f0a51
Version 4af4662fa4a9dc62289c580337ae2506339c4729
Status affected
Version < f2f4627b74c120fcdd8e1db93bc91f9bbaf46f85
Version 4af4662fa4a9dc62289c580337ae2506339c4729
Status affected
Version < 88cd5fbf5869731be8fc6f7cecb4e0d6ab3d8749
Version 4af4662fa4a9dc62289c580337ae2506339c4729
Status affected
Version < cca3e7df3c0f99542033657ba850b9a6d27f8784
Version 4af4662fa4a9dc62289c580337ae2506339c4729
Status affected
Version < c2238d487a640ae3511e1b6f4640ab27ce10d7f6
Version 4af4662fa4a9dc62289c580337ae2506339c4729
Status affected
Version < de4431faf308d0c533cb386f5fa9af009bc86158
Version 4af4662fa4a9dc62289c580337ae2506339c4729
Status affected
Version < 32952c4f4d1b2deb30dce72ba109da808a9018e1
Version 4af4662fa4a9dc62289c580337ae2506339c4729
Status affected
Version < 738c9738e690f5cea24a3ad6fd2d9a323cf614f6
Version 4af4662fa4a9dc62289c580337ae2506339c4729
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 2.6.30
Status affected
Version < 2.6.30
Version 0
Status unaffected
Version <= 5.10.*
Version 5.10.248
Status unaffected
Version <= 5.15.*
Version 5.15.198
Status unaffected
Version <= 6.1.*
Version 6.1.160
Status unaffected
Version <= 6.6.*
Version 6.6.120
Status unaffected
Version <= 6.12.*
Version 6.12.63
Status unaffected
Version <= 6.17.*
Version 6.17.13
Status unaffected
Version <= 6.18.*
Version 6.18.2
Status unaffected
Version <= *
Version 6.19-rc1
Status unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.04% 0.1
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
Es wurden noch keine Informationen zu CWE veröffentlicht.