[PATCH -next] Revert "evm: Fix memleak in init_desc"

Guozihua (Scott) guozihua at huawei.com
Sat Jun 11 02:38:07 UTC 2022


On 2022/6/10 22:20, Mimi Zohar wrote:
> On Fri, 2022-05-27 at 19:17 +0800, Xiu Jianfeng wrote:
>> This reverts commit ccf11dbaa07b328fa469415c362d33459c140a37.
>>
>> Commit ccf11dbaa07b ("evm: Fix memleak in init_desc") said there is
>> memleak in init_desc. That may be incorrect, as we can see, tmp_tfm is
>> saved in one of the two global variables hmac_tfm ohr evm_tfm[hash_algo],
>> then if init_desc is called next time, there is no need to alloc tfm
>> again, so in the error path of kmalloc desc or crypto_shash_init(desc),
>> It is not a problem without freeing tmp_tfm.
>>
>> And also that commit did not reset the global variable to NULL after
>> freeing tmp_tfm and this makes *tfm a dangling pointer which may cause a
>> UAF issue.
>>
>> Signed-off-by: Xiu Jianfeng <xiujianfeng at huawei.com>
> 
> Agreed, thanks.  This was first reported by Guozihua (Scott) <
> guozihua at huawei.com>.  If neither you nor Scott object, I'll add his
> Reported-by tag.
> 
> thanks,
> 
> Mimi
> 
> .

Good for me.

-- 
Best
GUO Zihua



More information about the Linux-security-module-archive mailing list