[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 3 Mar 2022 10:23:37 +0800
From: Jianglei Nie <niejianglei2021@....com>
To: gilad@...yossef.com, herbert@...dor.apana.org.au,
davem@...emloft.net
Cc: linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org,
Jianglei Nie <niejianglei2021@....com>
Subject: [PATCH] crypto: ccree: Fix use after free in cc_cipher_exit()
kfree_sensitive(ctx_p->user.key) will free the ctx_p->user.key. But
ctx_p->user.key is still used in the next line, which will lead to a
use after free.
We can call kfree_sensitive() after dev_dbg() to avoid the uaf.
Signed-off-by: Jianglei Nie <niejianglei2021@....com>
---
drivers/crypto/ccree/cc_cipher.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/crypto/ccree/cc_cipher.c b/drivers/crypto/ccree/cc_cipher.c
index 78833491f534..309da6334a0a 100644
--- a/drivers/crypto/ccree/cc_cipher.c
+++ b/drivers/crypto/ccree/cc_cipher.c
@@ -257,8 +257,8 @@ static void cc_cipher_exit(struct crypto_tfm *tfm)
&ctx_p->user.key_dma_addr);
/* Free key buffer in context */
- kfree_sensitive(ctx_p->user.key);
dev_dbg(dev, "Free key buffer in context. key=@%p\n", ctx_p->user.key);
+ kfree_sensitive(ctx_p->user.key);
}
struct tdes_keys {
--
2.25.1
Powered by blists - more mailing lists