[PATCH -next] Revert "evm: Fix memleak in init_desc"

Mimi Zohar zohar at linux.ibm.com
Fri Jun 10 14:20:15 UTC 2022


On Fri, 2022-05-27 at 19:17 +0800, Xiu Jianfeng wrote:
> This reverts commit ccf11dbaa07b328fa469415c362d33459c140a37.
> 
> Commit ccf11dbaa07b ("evm: Fix memleak in init_desc") said there is
> memleak in init_desc. That may be incorrect, as we can see, tmp_tfm is
> saved in one of the two global variables hmac_tfm ohr evm_tfm[hash_algo],
> then if init_desc is called next time, there is no need to alloc tfm
> again, so in the error path of kmalloc desc or crypto_shash_init(desc),
> It is not a problem without freeing tmp_tfm.
> 
> And also that commit did not reset the global variable to NULL after
> freeing tmp_tfm and this makes *tfm a dangling pointer which may cause a
> UAF issue.
> 
> Signed-off-by: Xiu Jianfeng <xiujianfeng at huawei.com>

Agreed, thanks.  This was first reported by Guozihua (Scott) <
guozihua at huawei.com>.  If neither you nor Scott object, I'll add his
Reported-by tag.

thanks,

Mimi







More information about the Linux-security-module-archive mailing list