Commit a9fb94a9 authored by Pi-Hsun Shih's avatar Pi-Hsun Shih Committed by Kees Cook

pstore: Set tfm to NULL on free_buf_for_compression

Set tfm to NULL on free_buf_for_compression() after crypto_free_comp().

This avoid a use-after-free when allocate_buf_for_compression()
and free_buf_for_compression() are called twice. Although
free_buf_for_compression() freed the tfm, allocate_buf_for_compression()
won't reinitialize the tfm since the tfm pointer is not NULL.

Fixes: 95047b05 ("pstore: Refactor compression initialization")
Signed-off-by: default avatarPi-Hsun Shih <pihsun@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
parent a188339c
...@@ -347,8 +347,10 @@ static void allocate_buf_for_compression(void) ...@@ -347,8 +347,10 @@ static void allocate_buf_for_compression(void)
static void free_buf_for_compression(void) static void free_buf_for_compression(void)
{ {
if (IS_ENABLED(CONFIG_PSTORE_COMPRESS) && tfm) if (IS_ENABLED(CONFIG_PSTORE_COMPRESS) && tfm) {
crypto_free_comp(tfm); crypto_free_comp(tfm);
tfm = NULL;
}
kfree(big_oops_buf); kfree(big_oops_buf);
big_oops_buf = NULL; big_oops_buf = NULL;
big_oops_buf_sz = 0; big_oops_buf_sz = 0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment