From 4a9dbd021970ffe1b92521328377b699acba7c52 Mon Sep 17 00:00:00 2001

From: Chengfeng Ye <cyeaa@connect.ust.hk>

Date: Thu, 4 Nov 2021 06:28:07 -0700

Subject: [PATCH] crypto: qce - fix uaf on qce_aead_register_one

Git-commit: 4a9dbd021970ffe1b92521328377b699acba7c52

Patch-mainline: v5.17-rc1

References: git-fixes

Pointer alg points to sub field of tmpl, it

is dereferenced after tmpl is freed. Fix

this by accessing alg before free tmpl.

Fixes: 9363efb4 ("crypto: qce - Add support for AEAD algorithms")

Signed-off-by: Chengfeng Ye <cyeaa@connect.ust.hk>

Acked-by: Thara Gopinath <thara.gopinath@linaro.org>

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Acked-by: Takashi Iwai <tiwai@suse.de>

---

 drivers/crypto/qce/aead.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/crypto/qce/aead.c b/drivers/crypto/qce/aead.c

index 290e2446a2f3..97a530171f07 100644

--- a/drivers/crypto/qce/aead.c

+++ b/drivers/crypto/qce/aead.c

@@ -802,8 +802,8 @@ static int qce_aead_register_one(const struct qce_aead_def *def, struct qce_devi

 	ret = crypto_register_aead(alg);

 	if (ret) {

-		kfree(tmpl);

 		dev_err(qce->dev, "%s registration failed\n", alg->base.cra_name);

+		kfree(tmpl);

 		return ret;

 	}

-- 

2.31.1