diff mbox series

[BIONIC,CVE-2019-18808,2/2] crypto: ccp - Release all allocated memory if sha type is invalid

Message ID 20200813123349.5867-1-william.gray@canonical.com
State New
Headers show
Series [FOCAL,CVE-2019-18808,1/2] crypto: ccp - Release all allocated memory if sha type is invalid | expand

Commit Message

William Breathitt Gray Aug. 13, 2020, 12:33 p.m. UTC
From: Navid Emamdoost <navid.emamdoost@gmail.com>

Release all allocated memory if sha type is invalid:
In ccp_run_sha_cmd, if the type of sha is invalid, the allocated
hmac_buf should be released.

v2: fix the goto.

Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Acked-by: Gary R Hook <gary.hook@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

CVE-2019-18808

(cherry picked from 128c66429247add5128c03dc1e144ca56f05a4e2)
Signed-off-by: William Breathitt Gray <william.gray@canonical.com>
---
 drivers/crypto/ccp/ccp-ops.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Stefan Bader Aug. 14, 2020, 7:38 a.m. UTC | #1
On 13.08.20 14:33, William Breathitt Gray wrote:
> From: Navid Emamdoost <navid.emamdoost@gmail.com>
> 
> Release all allocated memory if sha type is invalid:
> In ccp_run_sha_cmd, if the type of sha is invalid, the allocated
> hmac_buf should be released.
> 
> v2: fix the goto.
> 
> Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> Acked-by: Gary R Hook <gary.hook@amd.com>
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
> 
> CVE-2019-18808
> 
> (cherry picked from 128c66429247add5128c03dc1e144ca56f05a4e2)
> Signed-off-by: William Breathitt Gray <william.gray@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---

See my other reply as this is basically the same here.

-Stefan

>  drivers/crypto/ccp/ccp-ops.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
> index 330853a2702f..43b74cf0787e 100644
> --- a/drivers/crypto/ccp/ccp-ops.c
> +++ b/drivers/crypto/ccp/ccp-ops.c
> @@ -1783,8 +1783,9 @@ ccp_run_sha_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
>  			       LSB_ITEM_SIZE);
>  			break;
>  		default:
> +			kfree(hmac_buf);
>  			ret = -EINVAL;
> -			goto e_ctx;
> +			goto e_data;
>  		}
>  
>  		memset(&hmac_cmd, 0, sizeof(hmac_cmd));
>
Kleber Souza Aug. 20, 2020, 8:03 a.m. UTC | #2
On 13.08.20 14:33, William Breathitt Gray wrote:
> From: Navid Emamdoost <navid.emamdoost@gmail.com>
> 
> Release all allocated memory if sha type is invalid:
> In ccp_run_sha_cmd, if the type of sha is invalid, the allocated
> hmac_buf should be released.
> 
> v2: fix the goto.
> 
> Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> Acked-by: Gary R Hook <gary.hook@amd.com>
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
> 
> CVE-2019-18808
> 
> (cherry picked from 128c66429247add5128c03dc1e144ca56f05a4e2)
> Signed-off-by: William Breathitt Gray <william.gray@canonical.com>

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

> ---
>  drivers/crypto/ccp/ccp-ops.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
> index 330853a2702f..43b74cf0787e 100644
> --- a/drivers/crypto/ccp/ccp-ops.c
> +++ b/drivers/crypto/ccp/ccp-ops.c
> @@ -1783,8 +1783,9 @@ ccp_run_sha_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
>  			       LSB_ITEM_SIZE);
>  			break;
>  		default:
> +			kfree(hmac_buf);
>  			ret = -EINVAL;
> -			goto e_ctx;
> +			goto e_data;
>  		}
>  
>  		memset(&hmac_cmd, 0, sizeof(hmac_cmd));
>
Ian May Aug. 25, 2020, 10:28 p.m. UTC | #3
This patch was applied in the following patchset:

Bionic update: upstream stable patchset 2020-08-11
https://bugs.launchpad.net/bugs/1891228

Thanks!
Ian

On 2020-08-13 08:33:48 , William Breathitt Gray wrote:
> From: Navid Emamdoost <navid.emamdoost@gmail.com>
> 
> Release all allocated memory if sha type is invalid:
> In ccp_run_sha_cmd, if the type of sha is invalid, the allocated
> hmac_buf should be released.
> 
> v2: fix the goto.
> 
> Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> Acked-by: Gary R Hook <gary.hook@amd.com>
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
> 
> CVE-2019-18808
> 
> (cherry picked from 128c66429247add5128c03dc1e144ca56f05a4e2)
> Signed-off-by: William Breathitt Gray <william.gray@canonical.com>
> ---
>  drivers/crypto/ccp/ccp-ops.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
> index 330853a2702f..43b74cf0787e 100644
> --- a/drivers/crypto/ccp/ccp-ops.c
> +++ b/drivers/crypto/ccp/ccp-ops.c
> @@ -1783,8 +1783,9 @@ ccp_run_sha_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
>  			       LSB_ITEM_SIZE);
>  			break;
>  		default:
> +			kfree(hmac_buf);
>  			ret = -EINVAL;
> -			goto e_ctx;
> +			goto e_data;
>  		}
>  
>  		memset(&hmac_cmd, 0, sizeof(hmac_cmd));
> -- 
> 2.25.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
diff mbox series

Patch

diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
index 330853a2702f..43b74cf0787e 100644
--- a/drivers/crypto/ccp/ccp-ops.c
+++ b/drivers/crypto/ccp/ccp-ops.c
@@ -1783,8 +1783,9 @@  ccp_run_sha_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
 			       LSB_ITEM_SIZE);
 			break;
 		default:
+			kfree(hmac_buf);
 			ret = -EINVAL;
-			goto e_ctx;
+			goto e_data;
 		}
 
 		memset(&hmac_cmd, 0, sizeof(hmac_cmd));