From: Tadeusz Struk Date: Wed, 9 May 2018 18:55:35 +0000 (-0700) Subject: tpm: fix use after free in tpm2_load_context() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=1bf1a5e21798518fd6a025c6e0c0168955f5e8e6;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git tpm: fix use after free in tpm2_load_context() commit 8c81c24758ffbf17cf06c6835d361ffa57be2f0e upstream. If load context command returns with TPM2_RC_HANDLE or TPM2_RC_REFERENCE_H0 then we have use after free in line 114 and double free in 117. Fixes: 4d57856a21ed2 ("tpm2: add session handle context saving and restoring to the space code") Cc: stable@vger.kernel.org Signed-off-by: Tadeusz Struk Reviewed-by: Jarkko Sakkinen Signed-off--by: Jarkko Sakkinen Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c index e2e059d8ffec..d26ea7513226 100644 --- a/drivers/char/tpm/tpm2-space.c +++ b/drivers/char/tpm/tpm2-space.c @@ -102,8 +102,9 @@ static int tpm2_load_context(struct tpm_chip *chip, u8 *buf, * TPM_RC_REFERENCE_H0 means the session has been * flushed outside the space */ - rc = -ENOENT; + *handle = 0; tpm_buf_destroy(&tbuf); + return -ENOENT; } else if (rc > 0) { dev_warn(&chip->dev, "%s: failed with a TPM error 0x%04X\n", __func__, rc);
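Review bot: the early `return -ENOENT;` added after `tpm_buf_destroy(&tbuf);` is what actually fixes the bug, because the old branch only set `rc = -ENOENT` and then fell through to the code after the `else if (rc > 0)` chain, which still touched the already-destroyed `tbuf` (the use after free the message cites at line 114) and destroyed it a second time (the double free at 117). The other new line, `*handle = 0;`, changes what the caller sees on this error path and is not mentioned in the commit message; consider a sentence there, or a comment beside the assignment, stating that the handle is cleared so the caller does not keep a reference to a session the TPM has already flushed. Also minor: the inline comment says `TPM_RC_REFERENCE_H0` while the message uses `TPM2_RC_REFERENCE_H0`, and the trailer `Signed-off--by` has a doubled hyphen that trailer-parsing tools will not recognize.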