This is a note to let you know that I've just added the patch titled
crypto: qce - fix uaf on qce_skcipher_register_one
to the 5.10-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
crypto-qce-fix-uaf-on-qce_skcipher_register_one.patch
and it can be found in the queue-5.10 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
commit 7de565b78cd2ab08acef27561bcdbd3714cb5831
Author: Chengfeng Ye <cyeaa@xxxxxxxxxxxxxx>
Date: Thu Nov 4 06:46:42 2021 -0700
crypto: qce - fix uaf on qce_skcipher_register_one
[ Upstream commit e9c195aaeed1b45c9012adbe29dedb6031e85aa8 ]
Pointer alg points to sub field of tmpl, it
is dereferenced after tmpl is freed. Fix
this by accessing alg before free tmpl.
Fixes: ec8f5d8f ("crypto: qce - Qualcomm crypto engine driver")
Signed-off-by: Chengfeng Ye <cyeaa@xxxxxxxxxxxxxx>
Acked-by: Thara Gopinath <thara.gopinath@xxxxxxxxxx>
Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
diff --git a/drivers/crypto/qce/skcipher.c b/drivers/crypto/qce/skcipher.c
index d8053789c8828..89c7fc3efbd71 100644
--- a/drivers/crypto/qce/skcipher.c
+++ b/drivers/crypto/qce/skcipher.c
@@ -433,8 +433,8 @@ static int qce_skcipher_register_one(const struct qce_skcipher_def *def,
ret = crypto_register_skcipher(alg);
if (ret) {
- kfree(tmpl);
dev_err(qce->dev, "%s registration failed\n", alg->base.cra_name);
+ kfree(tmpl);
return ret;
}
