From: Kshitiz Varshney Date: Sun, 19 Sep 2021 15:09:53 +0000 (+0200) Subject: board: fsl_validate: Fix Double free Issue X-Git-Url: http://git.dujemihanovic.xyz/posts?a=commitdiff_plain;h=bd2a4eb977232c7062489251cdb5a36a99757fc1;p=u-boot.git board: fsl_validate: Fix Double free Issue Remove Double free issue from calc_img_key_hash() and calc_esbchdr_esbc_hash() function. Verified the secure boot changes using lx2162aqds board. Signed-off-by: Kshitiz Varshney Reviewed-by: Priyanka Jain --- diff --git a/board/freescale/common/fsl_validate.c b/board/freescale/common/fsl_validate.c index c90afe2e21..34875d0b8f 100644 --- a/board/freescale/common/fsl_validate.c +++ b/board/freescale/common/fsl_validate.c @@ -499,12 +499,8 @@ static int calc_img_key_hash(struct fsl_secboot_img_priv *img) return ret; ret = algo->hash_init(algo, &ctx); - if (ret) { - if (ctx) - free(ctx); + if (ret) return ret; - } - /* Update hash for ESBC key */ #ifdef CONFIG_KEY_REVOCATION if (check_srk(img)) { @@ -519,15 +515,12 @@ static int calc_img_key_hash(struct fsl_secboot_img_priv *img) img->img_key, img->key_len, 1); if (ret) return ret; - /* Copy hash at destination buffer */ ret = algo->hash_finish(algo, ctx, hash_val, algo->digest_size); if (ret) { - if (ctx) - free(ctx); + free(ctx); return ret; } - for (i = 0; i < SHA256_BYTES; i++) img->img_key_hash[i] = hash_val[i]; @@ -554,18 +547,14 @@ static int calc_esbchdr_esbc_hash(struct fsl_secboot_img_priv *img) ret = algo->hash_init(algo, &ctx); /* Copy hash at destination buffer */ - if (ret) { - free(ctx); + if (ret) return ret; - } /* Update hash for CSF Header */ ret = algo->hash_update(algo, ctx, (u8 *)&img->hdr, sizeof(struct fsl_secboot_img_hdr), 0); - if (ret) { - free(ctx); + if (ret) return ret; - } /* Update the hash with that of srk table if srk flag is 1 * If IE Table is selected, key is not added in the hash @@ -592,22 +581,17 @@ static int calc_esbchdr_esbc_hash(struct fsl_secboot_img_priv *img) key_hash = 1; } #endif - if (ret) { - free(ctx); + if (ret) return ret; - } if (!key_hash) { free(ctx); return ERROR_KEY_TABLE_NOT_FOUND; } - /* Update hash for actual Image */ ret = algo->hash_update(algo, ctx, (u8 *)(*(img->img_addr_ptr)), img->img_size, 1); - if (ret) { - free(ctx); + if (ret) return ret; - } /* Copy hash at destination buffer */ ret = algo->hash_finish(algo, ctx, hash_val, algo->digest_size); diff --git a/drivers/crypto/fsl/fsl_hash.c b/drivers/crypto/fsl/fsl_hash.c index 8b5c26db07..8039473012 100644 --- a/drivers/crypto/fsl/fsl_hash.c +++ b/drivers/crypto/fsl/fsl_hash.c @@ -1,7 +1,7 @@ // SPDX-License-Identifier: GPL-2.0+ /* * Copyright 2014 Freescale Semiconductor, Inc. - * + * Copyright 2021 NXP */ #include @@ -120,8 +120,8 @@ static int caam_hash_update(void *hash_ctx, const void *buf, * Perform progressive hashing on the given buffer and copy hash at * destination buffer * - * The context is freed after completion of hash operation. - * + * The context is freed after successful completion of hash operation. + * In case of failure, context is not freed. * @hash_ctx: Pointer to the context for hashing * @dest_buf: Pointer to the destination buffer where hash is to be copied * @size: Size of the buffer being hashed @@ -136,7 +136,6 @@ static int caam_hash_finish(void *hash_ctx, void *dest_buf, int i = 0, ret = 0; if (size < driver_hash[caam_algo].digestsize) { - free(ctx); return -EINVAL; } @@ -152,11 +151,12 @@ static int caam_hash_finish(void *hash_ctx, void *dest_buf, ret = run_descriptor_jr(ctx->sha_desc); - if (ret) + if (ret) { debug("Error %x\n", ret); - else + return ret; + } else { memcpy(dest_buf, ctx->hash, sizeof(ctx->hash)); - + } free(ctx); return ret; }