From: Chengfeng Ye <cyeaa@connect.ust.hk>
Date: Thu, 4 Nov 2021 13:28:07 +0000 (-0700)
Subject: crypto: qce - fix uaf on qce_aead_register_one
X-Git-Tag: accepted/tizen/unified/20230118.172025~3574
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=cf984b11cdecf54816540de99dcca559ff8fab7d;p=platform%2Fkernel%2Flinux-rpi.git

crypto: qce - fix uaf on qce_aead_register_one

[ Upstream commit 4a9dbd021970ffe1b92521328377b699acba7c52 ]

Pointer alg points to sub field of tmpl, it
is dereferenced after tmpl is freed. Fix
this by accessing alg before free tmpl.

Fixes: 9363efb4 ("crypto: qce - Add support for AEAD algorithms")
Signed-off-by: Chengfeng Ye <cyeaa@connect.ust.hk>
Acked-by: Thara Gopinath <thara.gopinath@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/drivers/crypto/qce/aead.c b/drivers/crypto/qce/aead.c
index 290e244..97a5301 100644
--- a/drivers/crypto/qce/aead.c
+++ b/drivers/crypto/qce/aead.c
@@ -802,8 +802,8 @@ static int qce_aead_register_one(const struct qce_aead_def *def, struct qce_devi
 
 	ret = crypto_register_aead(alg);
 	if (ret) {
-		kfree(tmpl);
 		dev_err(qce->dev, "%s registration failed\n", alg->base.cra_name);
+		kfree(tmpl);
 		return ret;
 	}