diff options
author | Tadeusz Struk <tadeusz.struk@intel.com> | 2018-05-09 20:55:35 +0200 |
---|---|---|
committer | Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> | 2018-05-14 12:56:06 +0200 |
commit | 8c81c24758ffbf17cf06c6835d361ffa57be2f0e (patch) | |
tree | 1d8e67f52711db039a4396a0d79c656c6aa02cfb /drivers/char/tpm | |
parent | tpm: reduce poll sleep time in tpm_transmit() (diff) | |
download | linux-8c81c24758ffbf17cf06c6835d361ffa57be2f0e.tar.xz linux-8c81c24758ffbf17cf06c6835d361ffa57be2f0e.zip |
tpm: fix use after free in tpm2_load_context()
If load context command returns with TPM2_RC_HANDLE or TPM2_RC_REFERENCE_H0
then we have use after free in line 114 and double free in 117.
Fixes: 4d57856a21ed2 ("tpm2: add session handle context saving and restoring to the space code")
Cc: stable@vger.kernel.org
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off--by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Diffstat (limited to 'drivers/char/tpm')
-rw-r--r-- | drivers/char/tpm/tpm2-space.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c index 4e4014eabdb9..6122d3276f72 100644 --- a/drivers/char/tpm/tpm2-space.c +++ b/drivers/char/tpm/tpm2-space.c @@ -102,8 +102,9 @@ static int tpm2_load_context(struct tpm_chip *chip, u8 *buf, * TPM_RC_REFERENCE_H0 means the session has been * flushed outside the space */ - rc = -ENOENT; + *handle = 0; tpm_buf_destroy(&tbuf); + return -ENOENT; } else if (rc > 0) { dev_warn(&chip->dev, "%s: failed with a TPM error 0x%04X\n", __func__, rc); |