From c2b786cceb10dc8dc83b7cdbdb72164be3373b50 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 23 May 2024 13:19:39 +0200
Subject: [PATCH] 6.9-stable patches

added patches:
keys-trusted-fix-memory-leak-in-tpm2_key_encode.patch
---
...d-fix-memory-leak-in-tpm2_key_encode.patch | 76 +++++++++++++++++++
queue-6.9/series | 1 +
2 files changed, 77 insertions(+)
create mode 100644 queue-6.9/keys-trusted-fix-memory-leak-in-tpm2_key_encode.patch
diff --git a/queue-6.9/keys-trusted-fix-memory-leak-in-tpm2_key_encode.patch b/queue-6.9/keys-trusted-fix-memory-leak-in-tpm2_key_encode.patch
new file mode 100644
index 00000000000..ddd0917991f
--- /dev/null
+++ b/queue-6.9/keys-trusted-fix-memory-leak-in-tpm2_key_encode.patch
@@ -0,0 +1,76 @@
+From ffcaa2172cc1a85ddb8b783de96d38ca8855e248 Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen
+Date: Mon, 20 May 2024 02:31:53 +0300
+Subject: KEYS: trusted: Fix memory leak in tpm2_key_encode()
+
+From: Jarkko Sakkinen
+
+commit ffcaa2172cc1a85ddb8b783de96d38ca8855e248 upstream.
+
+'scratch' is never freed. Fix this by calling kfree() in the success, and
+in the error case.
+
+Cc: stable@vger.kernel.org # +v5.13
+Fixes: f2219745250f ("security: keys: trusted: use ASN.1 TPM2 key format for the blobs")
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/keys/trusted-keys/trusted_tpm2.c | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+--- a/security/keys/trusted-keys/trusted_tpm2.c
++++ b/security/keys/trusted-keys/trusted_tpm2.c
+@@ -38,6 +38,7 @@ static int tpm2_key_encode(struct truste
+ u8 *end_work = scratch + SCRATCH_SIZE;
+ u8 *priv, *pub;
+ u16 priv_len, pub_len;
++ int ret;
+
+ priv_len = get_unaligned_be16(src) + 2;
+ priv = src;
+@@ -57,8 +58,10 @@ static int tpm2_key_encode(struct truste
+ unsigned char bool[3], *w = bool;
+ /* tag 0 is emptyAuth */
+ w = asn1_encode_boolean(w, w + sizeof(bool), true);
+- if (WARN(IS_ERR(w), "BUG: Boolean failed to encode"))
+- return PTR_ERR(w);
++ if (WARN(IS_ERR(w), "BUG: Boolean failed to encode")) {
++ ret = PTR_ERR(w);
++ goto err;
++ }
+ work = asn1_encode_tag(work, end_work, 0, bool, w - bool);
+ }
+
+@@ -69,8 +72,10 @@ static int tpm2_key_encode(struct truste
+ * trigger, so if it does there's something nefarious going on
+ */
+ if (WARN(work - scratch + pub_len + priv_len + 14 > SCRATCH_SIZE,
+- "BUG: scratch buffer is too small"))
+- return -EINVAL;
++ "BUG: scratch buffer is too small")) {
++ ret = -EINVAL;
++ goto err;
++ }
+
+ work = asn1_encode_integer(work, end_work, options->keyhandle);
+ work = asn1_encode_octet_string(work, end_work, pub, pub_len);
+@@ -79,10 +84,17 @@ static int tpm2_key_encode(struct truste
+ work1 =
payload->blob;
+ work1 = asn1_encode_sequence(work1, work1 + sizeof(payload->blob),
+ scratch, work - scratch);
+- if (WARN(IS_ERR(work1), "BUG: ASN.1 encoder failed"))
+- return PTR_ERR(work1);
++ if (WARN(IS_ERR(work1), "BUG: ASN.1 encoder failed")) {
++ ret = PTR_ERR(work1);
++ goto err;
++ }
+
++ kfree(scratch);
+ return work1 - payload->blob;
++
++err:
++ kfree(scratch);
++ return ret;
+ }
+
+ struct tpm2_key_context {
diff --git a/queue-6.9/series b/queue-6.9/series
index b9d24226d66..7f581208019 100644
--- a/queue-6.9/series
+++ b/queue-6.9/series
@@ -5,3 +5,4 @@ drm-amd-display-fix-division-by-zero-in-setup_dsc_config.patch
 net-ks8851-fix-another-tx-stall-caused-by-wrong-isr-flag-handling.patch
 x86-percpu-use-__force-to-cast-from-__percpu-address-space.patch
 bluetooth-l2cap-fix-div-by-zero-in-l2cap_le_flowctl_init.patch
+keys-trusted-fix-memory-leak-in-tpm2_key_encode.patch
--
2.47.3
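Review bot: In the queued trusted_tpm2.c change, `work` is reassigned by asn1_encode_integer() and asn1_encode_octet_string() (context of inner hunk `@@ -69,8 +72,10 @@`) and then used as `work - scratch` in the asn1_encode_sequence() call of inner hunk `@@ -79,10 +84,17 @@`, with no IS_ERR(work) test visible; the two lines between those hunks are not shown, so this is inferred. If those encoders can hand back an ERR_PTR, the sequence length is derived from an error pointer, so a guard ahead of `work1 = payload->blob;` such as `if (IS_ERR(work)) { ret = PTR_ERR(work); goto err; }` would reuse the new `err:` label. Separately, all three rewritten branches keep `WARN(...)`, and the size check is computed from `pub_len`/`priv_len` read out of the blob, so on hosts booted with panic_on_warn a malformed blob could presumably take the machine down rather than just fail the request; `pr_err()` plus the error return would keep the diagnostic without that availability risk. tpm2_key_encode() starts before the first inner hunk, so the allocation of `scratch` and any earlier exits cannot be checked from here.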