Commit 5ffa772f authored by Christophe JAILLET's avatar Christophe JAILLET Committed by Luis Henriques

TPM: Avoid reference to potentially freed memory

commit eb8ed1eb upstream.

Reference to the 'np' node is dropped before dereferencing the 'sizep' and
'basep' pointers, which could by then point to junk if the node has been
freed.

Refactor code to call 'of_node_put' later.

Fixes: c5df3926 ("drivers/char/tpm: Add securityfs support for event log")
Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Acked-by: default avatarPeter Huewe <PeterHuewe@gmx.de>
[ luis: backported to 3.16: adjusted context ]
Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
parent 23d8e4e8
...@@ -53,17 +53,18 @@ int read_log(struct tpm_bios_log *log) ...@@ -53,17 +53,18 @@ int read_log(struct tpm_bios_log *log)
goto cleanup_eio; goto cleanup_eio;
} }
of_node_put(np);
log->bios_event_log = kmalloc(*sizep, GFP_KERNEL); log->bios_event_log = kmalloc(*sizep, GFP_KERNEL);
if (!log->bios_event_log) { if (!log->bios_event_log) {
pr_err("%s: ERROR - Not enough memory for BIOS measurements\n", pr_err("%s: ERROR - Not enough memory for BIOS measurements\n",
__func__); __func__);
of_node_put(np);
return -ENOMEM; return -ENOMEM;
} }
log->bios_event_log_end = log->bios_event_log + *sizep; log->bios_event_log_end = log->bios_event_log + *sizep;
memcpy(log->bios_event_log, __va(be64_to_cpup(basep)), *sizep); memcpy(log->bios_event_log, __va(be64_to_cpup(basep)), *sizep);
of_node_put(np);
return 0; return 0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment