Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp3583760pxb; Mon, 24 Jan 2022 12:49:12 -0800 (PST) X-Google-Smtp-Source: ABdhPJyw7D/MUHuINTlXK/qAfxP3huBv+DwYMKPT75FN6p9lzLv/hbRcjCenwTZzDDv09voc7ee0 X-Received: by 2002:a17:902:7681:b0:14b:7484:9d72 with SMTP id m1-20020a170902768100b0014b74849d72mr192598pll.99.1643057352335; Mon, 24 Jan 2022 12:49:12 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1643057352; cv=none; d=google.com; s=arc-20160816; b=RHo1H9ILnoN3Wl7yMzY2ImRJfuaan7mxms9Pr0YSGIzxEIRULfiH3VOfKNwM1pW2o3 y3UwN1RtYaDuEjXjdUrcgRuq49YmYLpMPMxvZEOHAs9fRlqu8WALKkJ0mo+vr18n9Hdt nsprhCAdXykNT69GXni88kQrhla9mK7a7RMu1mojJjU34s3KlQcyVLQc7gmdgaKz11OL 0rAuFaunMa0fD01IF5M02XR+WdEoP9gV4Bm/vrvP4WmUchqsA0AWRdaj058vYx82H4E2 8ANXprO8SHL5xlPW//XjirKi0ILKyZ7V07n6duUSAzT+p6H5MAIl4zeeQWsgQ556JPg+ fH+g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=obJz0e7gr/8TeYPSKdX01cW6GT90Fmh9DMSUysVfhm4=; b=PvfzHFMKAtDY46pDldTtf82cv3t4Te4UGQYPBPZgAT4uJV0VlxjRewBj0nKgodcBaN rMN0bYTTNOAXlBx/HSXxiPGwvqZzNs/7SM/GCTWvZHep1CehthkPwUuDzDGppWx+/l0f T5VOgPaVpBO7uHBwK93z8b5KurLzQhYPiZeHTunnw2Z7MK6cSsfH9rLWHlqD49ApsrIE y7yUS4mhi1j5mLSnyia0YoRcz9XJM8pa4ca1FvTh5hp8d5SqXhsCh13OIyc7yIPdTqn9 9OQkM2kU916gzL009DwZp+fXtCNEweaTHru9nQILKI2LHdHrtqo34BHzgrZvs8XN02bs 5FDA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=1OKTi7Zb; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w16si16098226plg.444.2022.01.24.12.49.00; Mon, 24 Jan 2022 12:49:12 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=1OKTi7Zb; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345482AbiAXUCz (ORCPT + 99 others); Mon, 24 Jan 2022 15:02:55 -0500 Received: from ams.source.kernel.org ([145.40.68.75]:50344 "EHLO ams.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1346328AbiAXT07 (ORCPT ); Mon, 24 Jan 2022 14:26:59 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 37559B81235; Mon, 24 Jan 2022 19:26:58 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5C950C340E5; Mon, 24 Jan 2022 19:26:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1643052417; bh=N32OVYcY/f1gbuRqAcysnzXSOICorRmIH14nLnx0rl0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=1OKTi7ZbxR3sWSY+dB0fVAvhP0XcrlN2efKLy6wXuZ+r9ExGPaDcBWz6DIsM0ePHk VXIuShcuMfbit6KZHlj7i3twmNylCrGGrZ/g7M4pW//sLl/VYpRO314JzcsFVTJDwy 4xo3Z1seZpBWhZu4aB3pLw21CEQN7qreHyieAqW8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Chengfeng Ye , Thara Gopinath , Herbert Xu , Sasha Levin Subject: [PATCH 5.4 051/320] crypto: qce - fix uaf on qce_ahash_register_one Date: Mon, 24 Jan 2022 19:40:35 +0100 Message-Id: <20220124183955.475962978@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220124183953.750177707@linuxfoundation.org> References: <20220124183953.750177707@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Chengfeng Ye [ Upstream commit b4cb4d31631912842eb7dce02b4350cbb7562d5e ] Pointer base points to sub field of tmpl, it is dereferenced after tmpl is freed. Fix this by accessing base before free tmpl. Fixes: ec8f5d8f ("crypto: qce - Qualcomm crypto engine driver") Signed-off-by: Chengfeng Ye Acked-by: Thara Gopinath Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin --- drivers/crypto/qce/sha.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/crypto/qce/sha.c b/drivers/crypto/qce/sha.c index 0853e74583ade..29b0bad2507b1 100644 --- a/drivers/crypto/qce/sha.c +++ b/drivers/crypto/qce/sha.c @@ -512,8 +512,8 @@ static int qce_ahash_register_one(const struct qce_ahash_def *def, ret = crypto_register_ahash(alg); if (ret) { - kfree(tmpl); dev_err(qce->dev, "%s registration failed\n", base->cra_name); + kfree(tmpl); return ret; } -- 2.34.1