6.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 23 May 2024 11:19:39 +0000 (13:19 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 23 May 2024 11:19:39 +0000 (13:19 +0200)
added patches:
keys-trusted-fix-memory-leak-in-tpm2_key_encode.patch

queue-6.9/keys-trusted-fix-memory-leak-in-tpm2_key_encode.patch [new file with mode: 0644]
queue-6.9/series

diff --git a/queue-6.9/keys-trusted-fix-memory-leak-in-tpm2_key_encode.patch b/queue-6.9/keys-trusted-fix-memory-leak-in-tpm2_key_encode.patch
new file mode 100644 (file)
index 0000000..ddd0917
--- /dev/null
@@ -0,0 +1,76 @@
+From ffcaa2172cc1a85ddb8b783de96d38ca8855e248 Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen <jarkko@kernel.org>
+Date: Mon, 20 May 2024 02:31:53 +0300
+Subject: KEYS: trusted: Fix memory leak in tpm2_key_encode()
+
+From: Jarkko Sakkinen <jarkko@kernel.org>
+
+commit ffcaa2172cc1a85ddb8b783de96d38ca8855e248 upstream.
+
+'scratch' is never freed. Fix this by calling kfree() in the success, and
+in the error case.
+
+Cc: stable@vger.kernel.org # +v5.13
+Fixes: f2219745250f ("security: keys: trusted: use ASN.1 TPM2 key format for the blobs")
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/keys/trusted-keys/trusted_tpm2.c |   24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+--- a/security/keys/trusted-keys/trusted_tpm2.c
++++ b/security/keys/trusted-keys/trusted_tpm2.c
+@@ -38,6 +38,7 @@ static int tpm2_key_encode(struct truste
+       u8 *end_work = scratch + SCRATCH_SIZE;
+       u8 *priv, *pub;
+       u16 priv_len, pub_len;
++      int ret;
+       priv_len = get_unaligned_be16(src) + 2;
+       priv = src;
+@@ -57,8 +58,10 @@ static int tpm2_key_encode(struct truste
+               unsigned char bool[3], *w = bool;
+               /* tag 0 is emptyAuth */
+               w = asn1_encode_boolean(w, w + sizeof(bool), true);
+-              if (WARN(IS_ERR(w), "BUG: Boolean failed to encode"))
+-                      return PTR_ERR(w);
++              if (WARN(IS_ERR(w), "BUG: Boolean failed to encode")) {
++                      ret = PTR_ERR(w);
++                      goto err;
++              }
+               work = asn1_encode_tag(work, end_work, 0, bool, w - bool);
+       }
+@@ -69,8 +72,10 @@ static int tpm2_key_encode(struct truste
+        * trigger, so if it does there's something nefarious going on
+        */
+       if (WARN(work - scratch + pub_len + priv_len + 14 > SCRATCH_SIZE,
+-               "BUG: scratch buffer is too small"))
+-              return -EINVAL;
++               "BUG: scratch buffer is too small")) {
++              ret = -EINVAL;
++              goto err;
++      }
+       work = asn1_encode_integer(work, end_work, options->keyhandle);
+       work = asn1_encode_octet_string(work, end_work, pub, pub_len);
+@@ -79,10 +84,17 @@ static int tpm2_key_encode(struct truste
+       work1 = payload->blob;
+       work1 = asn1_encode_sequence(work1, work1 + sizeof(payload->blob),
+                                    scratch, work - scratch);
+-      if (WARN(IS_ERR(work1), "BUG: ASN.1 encoder failed"))
+-              return PTR_ERR(work1);
++      if (WARN(IS_ERR(work1), "BUG: ASN.1 encoder failed")) {
++              ret = PTR_ERR(work1);
++              goto err;
++      }
++      kfree(scratch);
+       return work1 - payload->blob;
++
++err:
++      kfree(scratch);
++      return ret;
+ }
+ struct tpm2_key_context {
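Review bot: The reworked failure branches in tpm2_key_encode() still report through `WARN()`, and the comment above the scratch-size check says that condition can be hit by a TPM that is not well behaved; on a system running with panic_on_warn, a device-influenced condition then takes the machine down instead of just failing the key operation. Logging and reusing the new error path keeps the diagnostic without the splat, e.g. `if (work - scratch + pub_len + priv_len + 14 > SCRATCH_SIZE) { pr_err("BUG: scratch buffer is too small\n"); ret = -EINVAL; goto err; }`, and likewise for the two `IS_ERR()` branches. Separately, `kfree(scratch)` now appears on both the success path and under `err:`; assigning `ret = work1 - payload->blob;` and falling through to a single label would leave one free to maintain. The start of the function, including the allocation of `scratch`, lies outside these hunks, so the allocation-failure path could not be checked here.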
index b9d24226d66ae37d70c8a94c8cc23ed1ab7ac81b..7f58120801924e65c2a5fd37c1f265ba248d1cb5 100644 (file)
@@ -5,3 +5,4 @@ drm-amd-display-fix-division-by-zero-in-setup_dsc_config.patch
 net-ks8851-fix-another-tx-stall-caused-by-wrong-isr-flag-handling.patch
 x86-percpu-use-__force-to-cast-from-__percpu-address-space.patch
 bluetooth-l2cap-fix-div-by-zero-in-l2cap_le_flowctl_init.patch
+keys-trusted-fix-memory-leak-in-tpm2_key_encode.patch