From: Greg Kroah-Hartman Date: Thu, 23 May 2024 11:19:29 +0000 (+0200) Subject: 6.8-stable patches X-Git-Tag: v4.19.315~22 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f856f13e205c4c28f3c3df8364a67c9c9f683e0c;p=thirdparty%2Fkernel%2Fstable-queue.git 6.8-stable patches added patches: keys-trusted-fix-memory-leak-in-tpm2_key_encode.patch
---
diff --git a/queue-6.8/keys-trusted-fix-memory-leak-in-tpm2_key_encode.patch b/queue-6.8/keys-trusted-fix-memory-leak-in-tpm2_key_encode.patch
new file mode 100644
index 00000000000..ddd0917991f
--- /dev/null
+++ b/queue-6.8/keys-trusted-fix-memory-leak-in-tpm2_key_encode.patch
@@ -0,0 +1,76 @@
+From ffcaa2172cc1a85ddb8b783de96d38ca8855e248 Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen
+Date: Mon, 20 May 2024 02:31:53 +0300
+Subject: KEYS: trusted: Fix memory leak in tpm2_key_encode()
+
+From: Jarkko Sakkinen
+
+commit ffcaa2172cc1a85ddb8b783de96d38ca8855e248 upstream.
+
+'scratch' is never freed. Fix this by calling kfree() in the success, and
+in the error case.
+
+Cc: stable@vger.kernel.org # +v5.13
+Fixes: f2219745250f ("security: keys: trusted: use ASN.1 TPM2 key format for the blobs")
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/keys/trusted-keys/trusted_tpm2.c | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+--- a/security/keys/trusted-keys/trusted_tpm2.c
++++ b/security/keys/trusted-keys/trusted_tpm2.c
+@@ -38,6 +38,7 @@ static int tpm2_key_encode(struct truste
+ u8 *end_work = scratch + SCRATCH_SIZE;
+ u8 *priv, *pub;
+ u16 priv_len, pub_len;
++ int ret;
+
+ priv_len = get_unaligned_be16(src) + 2;
+ priv = src;
+@@ -57,8 +58,10 @@ static int tpm2_key_encode(struct truste
+ unsigned char bool[3], *w = bool;
+ /* tag 0 is emptyAuth */
+ w = asn1_encode_boolean(w, w + sizeof(bool), true);
+- if (WARN(IS_ERR(w), "BUG: Boolean failed to encode"))
+- return PTR_ERR(w);
++ if (WARN(IS_ERR(w), "BUG: Boolean failed to encode")) {
++ ret = PTR_ERR(w);
++ goto err;
++ }
+ work = asn1_encode_tag(work, end_work, 0, bool, w - bool);
+ }
+
+@@ -69,8 +72,10 @@ static int tpm2_key_encode(struct truste
+ * trigger, so if it does there's something nefarious going on
+ */
+ if (WARN(work - scratch + pub_len + priv_len + 14 > SCRATCH_SIZE,
+- "BUG: scratch buffer is too small"))
+- return -EINVAL;
++ "BUG: scratch buffer is too small")) {
++ ret = -EINVAL;
++ goto err;
++ }
+
+ work = asn1_encode_integer(work, end_work, options->keyhandle);
+ work = asn1_encode_octet_string(work, end_work, pub, pub_len);
+@@ -79,10 +84,17 @@ static int tpm2_key_encode(struct truste
+ work1 = payload->blob;
+ work1 = asn1_encode_sequence(work1, work1 + sizeof(payload->blob),
+ scratch, work - scratch);
+- if (WARN(IS_ERR(work1), "BUG: ASN.1 encoder failed"))
+- return PTR_ERR(work1);
++ if (WARN(IS_ERR(work1), "BUG: ASN.1 encoder failed")) {
++ ret = PTR_ERR(work1);
++ goto err;
++ }
+
++ kfree(scratch);
+ return work1 - payload->blob;
++
++err:
++ kfree(scratch);
++ return ret;
+ }
+
+ struct tpm2_key_context {
diff --git a/queue-6.8/series b/queue-6.8/series
index 3e4755ad1f0..6877a8ad589 100644
--- a/queue-6.8/series
+++ b/queue-6.8/series
@@ -4,3 +4,4 @@ ice-pass-vsi-pointer-into-ice_vc_isvalid_q_id.patch
 ice-remove-unnecessary-duplicate-checks-for-vf-vsi-id.patch
 bluetooth-l2cap-fix-slab-use-after-free-in-l2cap_connect.patch
 bluetooth-l2cap-fix-div-by-zero-in-l2cap_le_flowctl_init.patch
+keys-trusted-fix-memory-leak-in-tpm2_key_encode.patch
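Review bot: In the last hunk of the queued patch (`@@ -79,10 +84,17 @@`), `work - scratch` is passed to asn1_encode_sequence() as the length with no visible IS_ERR(work) check, although `work` holds the chained results of asn1_encode_tag(), asn1_encode_integer() and asn1_encode_octet_string() from the earlier hunks. If any of those returned an error pointer, the subtraction would not be a meaningful length for data that ends up in the trusted-key blob. The size WARN in the previous hunk is presumably meant to rule that out, but it also relies on `pub_len`/`priv_len` read from `src`. With the new `err` label the guard is cheap: `if (IS_ERR(work)) { ret = PTR_ERR(work); goto err; }` placed just before `work1 = payload->blob;`. tpm2_key_encode() starts outside these hunks, so the allocation of `scratch` and its NULL check cannot be confirmed from here.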