Revert "evm: Fix memleak in init_desc"

stable inclusion from stable-v5.10.132 commit 9d883b3f000d405d19b3484e3d8d97796e6854c6 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5YS3T Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9d883b3f000d405d19b3484e3d8d97796e6854c6 -------------------------------- commit 51dd64bb upstream. This reverts commit ccf11dba. Commit ccf11dba ("evm: Fix memleak in init_desc") said there is memleak in init_desc. That may be incorrect, as we can see, tmp_tfm is saved in one of the two global variables hmac_tfm or evm_tfm[hash_algo], then if init_desc is called next time, there is no need to alloc tfm again, so in the error path of kmalloc desc or crypto_shash_init(desc), It is not a problem without freeing tmp_tfm. And also that commit did not reset the global variable to NULL after freeing tmp_tfm and this makes *tfm a dangling pointer which may cause a UAF issue. Reported-by: N Guozihua (Scott) <guozihua@huawei.com> Signed-off-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Conflicts: security/integrity/evm/evm_crypto.c Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com>

Revert "evm: Fix memleak in init_desc"
stable inclusion from stable-v5.10.132 commit 9d883b3f000d405d19b3484e3d8d97796e6854c6 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5YS3T Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9d883b3f000d405d19b3484e3d8d97796e6854c6 -------------------------------- commit 51dd64bb upstream. This reverts commit ccf11dba. Commit ccf11dba ("evm: Fix memleak in init_desc") said there is memleak in init_desc. That may be incorrect, as we can see, tmp_tfm is saved in one of the two global variables hmac_tfm or evm_tfm[hash_algo], then if init_desc is called next time, there is no need to alloc tfm again, so in the error path of kmalloc desc or crypto_shash_init(desc), It is not a problem without freeing tmp_tfm. And also that commit did not reset the global variable to NULL after freeing tmp_tfm and this makes *tfm a dangling pointer which may cause a UAF issue. Reported-by: N Guozihua (Scott) <guozihua@huawei.com> Signed-off-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Conflicts: security/integrity/evm/evm_crypto.c Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com>
46f6f18b · Xiu Jianfeng · Zheng Zengkai · cce45fde · 46f6f18b
显示空白变更内容
内联并排

Showing with 2 addition and 5 deletion

security/integrity/evm/evm_crypto.c security/integrity/evm/evm_crypto.c +2 -5

未找到文件。
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -73,7 +73,7 @@ static struct shash_desc *init_desc(char type, uint8_t hash_algo)
 {
 	long rc;
 	const char *algo;
-	struct crypto_shash **tfm, *tmp_tfm = NULL;
+	struct crypto_shash **tfm, *tmp_tfm;
 	char evm_hmac[CRYPTO_MAX_ALG_NAME];
 	struct shash_desc *desc;
@@ -122,16 +122,13 @@ static struct shash_desc *init_desc(char type, uint8_t hash_algo)
 alloc:
 	desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(*tfm),
 			GFP_KERNEL);
-	if (!desc) {
+	if (!desc)
-		crypto_free_shash(tmp_tfm);
 		return ERR_PTR(-ENOMEM);
-	}
 	desc->tfm = *tfm;
 	rc = crypto_shash_init(desc);
 	if (rc) {
-		crypto_free_shash(tmp_tfm);
 		kfree(desc);
 		return ERR_PTR(rc);
 	}