Message ID | 9cf43d16e60089ef42556644381d438e3b531153.1597321688.git.william.gray@canonical.com |
---|---|
State | New |
Headers | show |
Series | [FOCAL,CVE-2019-18808,1/2] crypto: ccp - Release all allocated memory if sha type is invalid | expand |
This patch was applied in the following patchset: Focal update: v5.4.56 upstream stable release https://bugs.launchpad.net/bugs/1891063 Thanks! Ian On 2020-08-13 08:33:49 , William Breathitt Gray wrote: > From: Navid Emamdoost <navid.emamdoost@gmail.com> > > Release all allocated memory if sha type is invalid: > In ccp_run_sha_cmd, if the type of sha is invalid, the allocated > hmac_buf should be released. > > v2: fix the goto. > > Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com> > Acked-by: Gary R Hook <gary.hook@amd.com> > Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> > > CVE-2019-18808 > > (cherry picked from 128c66429247add5128c03dc1e144ca56f05a4e2) > Signed-off-by: William Breathitt Gray <william.gray@canonical.com> > --- > drivers/crypto/ccp/ccp-ops.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c > index c8da8eb160da..422193690fd4 100644 > --- a/drivers/crypto/ccp/ccp-ops.c > +++ b/drivers/crypto/ccp/ccp-ops.c > @@ -1777,8 +1777,9 @@ ccp_run_sha_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd) > LSB_ITEM_SIZE); > break; > default: > + kfree(hmac_buf); > ret = -EINVAL; > - goto e_ctx; > + goto e_data; > } > > memset(&hmac_cmd, 0, sizeof(hmac_cmd)); > -- > 2.25.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c index c8da8eb160da..422193690fd4 100644 --- a/drivers/crypto/ccp/ccp-ops.c +++ b/drivers/crypto/ccp/ccp-ops.c @@ -1777,8 +1777,9 @@ ccp_run_sha_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd) LSB_ITEM_SIZE); break; default: + kfree(hmac_buf); ret = -EINVAL; - goto e_ctx; + goto e_data; } memset(&hmac_cmd, 0, sizeof(hmac_cmd));