Message ID | 20211104134642.20638-1-cyeaa@connect.ust.hk (mailing list archive) |
---|---|
State | Accepted |
Delegated to: | Herbert Xu |
Series | crypto: qce: fix uaf on qce_skcipher_register_one |
On 11/4/21 9:46 AM, Chengfeng Ye wrote: > Pointer alg points to sub field of tmpl, it > is dereferenced after tmpl is freed. Fix > this by accessing alg before free tmpl. > > Fixes: ec8f5d8f ("crypto: qce - Qualcomm crypto engine driver") > Signed-off-by: Chengfeng Ye <cyeaa@connect.ust.hk> Acked-by: Thara Gopinath <thara.gopinath@linaro.org> > --- > drivers/crypto/qce/skcipher.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/crypto/qce/skcipher.c b/drivers/crypto/qce/skcipher.c > index 8ff10928f581..3d27cd5210ef 100644 > --- a/drivers/crypto/qce/skcipher.c > +++ b/drivers/crypto/qce/skcipher.c > @@ -484,8 +484,8 @@ static int qce_skcipher_register_one(const struct qce_skcipher_def *def, > > ret = crypto_register_skcipher(alg); > if (ret) { > - kfree(tmpl); > dev_err(qce->dev, "%s registration failed\n", alg->base.cra_name); > + kfree(tmpl); > return ret; > } > >

On Thu, Nov 04, 2021 at 06:46:42AM -0700, Chengfeng Ye wrote:
> Pointer alg points to sub field of tmpl, it
> is dereferenced after tmpl is freed. Fix
> this by accessing alg before free tmpl.
>
> Fixes: ec8f5d8f ("crypto: qce - Qualcomm crypto engine driver")
> Signed-off-by: Chengfeng Ye <cyeaa@connect.ust.hk>
> ---
>  drivers/crypto/qce/skcipher.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Patch applied. Thanks.

diff --git a/drivers/crypto/qce/skcipher.c b/drivers/crypto/qce/skcipher.c index 8ff10928f581..3d27cd5210ef 100644 --- a/drivers/crypto/qce/skcipher.c +++ b/drivers/crypto/qce/skcipher.c @@ -484,8 +484,8 @@ static int qce_skcipher_register_one(const struct qce_skcipher_def *def, ret = crypto_register_skcipher(alg); if (ret) { - kfree(tmpl); dev_err(qce->dev, "%s registration failed\n", alg->base.cra_name); + kfree(tmpl); return ret; }

Pointer alg points to sub field of tmpl, it
is dereferenced after tmpl is freed. Fix
this by accessing alg before free tmpl.

Fixes: ec8f5d8f ("crypto: qce - Qualcomm crypto engine driver")
Signed-off-by: Chengfeng Ye <cyeaa@connect.ust.hk>
---
 drivers/crypto/qce/skcipher.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
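
Review bot: In the if (ret) error branch after crypto_register_skcipher(alg), the required order of dev_err() and kfree(tmpl) is not documented at the call site. Only the commit message says that alg points into tmpl, so a later cleanup could swap the two calls back and reintroduce the use after free. A one-line comment above kfree(tmpl), stating that alg is a sub field of tmpl and must not be dereferenced after the free, would make the constraint visible in the code. The Fixes: tag also abbreviates the commit id to 8 characters (ec8f5d8f), where the kernel's submitting-patches guidance asks for at least the first 12.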