From: Chengfeng Ye <cyeaa@connect.ust.hk>
Date: Thu, 4 Nov 2021 13:46:42 +0000 (-0700)
Subject: crypto: qce - fix uaf on qce_skcipher_register_one
X-Git-Tag: v5.10.95~474
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=867d4ace48da2c117bed8599efa23456378bf8f5;p=platform%2Fkernel%2Flinux-rpi.git

crypto: qce - fix uaf on qce_skcipher_register_one

[ Upstream commit e9c195aaeed1b45c9012adbe29dedb6031e85aa8 ]

Pointer alg points to sub field of tmpl, it
is dereferenced after tmpl is freed. Fix
this by accessing alg before free tmpl.

Fixes: ec8f5d8f ("crypto: qce - Qualcomm crypto engine driver")
Signed-off-by: Chengfeng Ye <cyeaa@connect.ust.hk>
Acked-by: Thara Gopinath <thara.gopinath@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/drivers/crypto/qce/skcipher.c b/drivers/crypto/qce/skcipher.c
index d805378..89c7fc3 100644
--- a/drivers/crypto/qce/skcipher.c
+++ b/drivers/crypto/qce/skcipher.c
@@ -433,8 +433,8 @@ static int qce_skcipher_register_one(const struct qce_skcipher_def *def,
 
 	ret = crypto_register_skcipher(alg);
 	if (ret) {
-		kfree(tmpl);
 		dev_err(qce->dev, "%s registration failed\n", alg->base.cra_name);
+		kfree(tmpl);
 		return ret;
 	}