| Message ID | 20200813123349.5867-1-william.gray@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | [FOCAL,CVE-2019-18808,1/2] crypto: ccp - Release all allocated memory if sha type is invalid | expand |
On 13.08.20 14:33, William Breathitt Gray wrote: > From: Navid Emamdoost <navid.emamdoost@gmail.com> > > Release all allocated memory if sha type is invalid: > In ccp_run_sha_cmd, if the type of sha is invalid, the allocated > hmac_buf should be released. > > v2: fix the goto. > > Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com> > Acked-by: Gary R Hook <gary.hook@amd.com> > Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> > > CVE-2019-18808 > > (cherry picked from 128c66429247add5128c03dc1e144ca56f05a4e2) > Signed-off-by: William Breathitt Gray <william.gray@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- See my other reply as this is basically the same here. -Stefan > drivers/crypto/ccp/ccp-ops.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c > index 330853a2702f..43b74cf0787e 100644 > --- a/drivers/crypto/ccp/ccp-ops.c > +++ b/drivers/crypto/ccp/ccp-ops.c > @@ -1783,8 +1783,9 @@ ccp_run_sha_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd) > LSB_ITEM_SIZE); > break; > default: > + kfree(hmac_buf); > ret = -EINVAL; > - goto e_ctx; > + goto e_data; > } > > memset(&hmac_cmd, 0, sizeof(hmac_cmd)); >
On 13.08.20 14:33, William Breathitt Gray wrote: > From: Navid Emamdoost <navid.emamdoost@gmail.com> > > Release all allocated memory if sha type is invalid: > In ccp_run_sha_cmd, if the type of sha is invalid, the allocated > hmac_buf should be released. > > v2: fix the goto. > > Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com> > Acked-by: Gary R Hook <gary.hook@amd.com> > Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> > > CVE-2019-18808 > > (cherry picked from 128c66429247add5128c03dc1e144ca56f05a4e2) > Signed-off-by: William Breathitt Gray <william.gray@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > drivers/crypto/ccp/ccp-ops.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c > index 330853a2702f..43b74cf0787e 100644 > --- a/drivers/crypto/ccp/ccp-ops.c > +++ b/drivers/crypto/ccp/ccp-ops.c > @@ -1783,8 +1783,9 @@ ccp_run_sha_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd) > LSB_ITEM_SIZE); > break; > default: > + kfree(hmac_buf); > ret = -EINVAL; > - goto e_ctx; > + goto e_data; > } > > memset(&hmac_cmd, 0, sizeof(hmac_cmd)); >
This patch was applied in the following patchset: Bionic update: upstream stable patchset 2020-08-11 https://bugs.launchpad.net/bugs/1891228 Thanks! Ian On 2020-08-13 08:33:48 , William Breathitt Gray wrote: > From: Navid Emamdoost <navid.emamdoost@gmail.com> > > Release all allocated memory if sha type is invalid: > In ccp_run_sha_cmd, if the type of sha is invalid, the allocated > hmac_buf should be released. > > v2: fix the goto. > > Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com> > Acked-by: Gary R Hook <gary.hook@amd.com> > Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> > > CVE-2019-18808 > > (cherry picked from 128c66429247add5128c03dc1e144ca56f05a4e2) > Signed-off-by: William Breathitt Gray <william.gray@canonical.com> > --- > drivers/crypto/ccp/ccp-ops.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c > index 330853a2702f..43b74cf0787e 100644 > --- a/drivers/crypto/ccp/ccp-ops.c > +++ b/drivers/crypto/ccp/ccp-ops.c > @@ -1783,8 +1783,9 @@ ccp_run_sha_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd) > LSB_ITEM_SIZE); > break; > default: > + kfree(hmac_buf); > ret = -EINVAL; > - goto e_ctx; > + goto e_data; > } > > memset(&hmac_cmd, 0, sizeof(hmac_cmd)); > -- > 2.25.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c index 330853a2702f..43b74cf0787e 100644 --- a/drivers/crypto/ccp/ccp-ops.c +++ b/drivers/crypto/ccp/ccp-ops.c @@ -1783,8 +1783,9 @@ ccp_run_sha_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd) LSB_ITEM_SIZE); break; default: + kfree(hmac_buf); ret = -EINVAL; - goto e_ctx; + goto e_data; } memset(&hmac_cmd, 0, sizeof(hmac_cmd));