tpm: fix use after free in tpm2_load_context()

commit 8c81c24758ffbf17cf06c6835d361ffa57be2f0e upstream. If load context command returns with TPM2_RC_HANDLE or TPM2_RC_REFERENCE_H0 then we have use after free in line 114 and double free in 117. Fixes: 4d57856a21ed2 ("tpm2: add session handle context saving and restoring to the space code") Cc: stable@vger.kernel.org Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off--by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Tadeusz Struk <tadeusz.struk@intel.com> 2018-05-09 11:55:35 -0700
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-07-03 11:24:53 +0200
commit: 1bf1a5e21798518fd6a025c6e0c0168955f5e8e6 (patch)
tree: ff413c450766fc75220ad8fa9bc1ba8610890661 /drivers/char/tpm
parent: 1ed6871464b813c9fbdfac6878ce96af7725f614 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c
index e2e059d8ffec..d26ea7513226 100644
--- a/drivers/char/tpm/tpm2-space.c
+++ b/drivers/char/tpm/tpm2-space.c
@@ -102,8 +102,9 @@ static int tpm2_load_context(struct tpm_chip *chip, u8 *buf,
 		 * TPM_RC_REFERENCE_H0 means the session has been
 		 * flushed outside the space
 		 */
-		rc = -ENOENT;
+		*handle = 0;
 		tpm_buf_destroy(&tbuf);
+		return -ENOENT;
 	} else if (rc > 0) {
 		dev_warn(&chip->dev, "%s: failed with a TPM error 0x%04X\n",
 			 __func__, rc);
author	Tadeusz Struk <tadeusz.struk@intel.com>	2018-05-09 11:55:35 -0700
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-07-03 11:24:53 +0200
commit	1bf1a5e21798518fd6a025c6e0c0168955f5e8e6 (patch)
tree	ff413c450766fc75220ad8fa9bc1ba8610890661 /drivers/char/tpm
parent	1ed6871464b813c9fbdfac6878ce96af7725f614 (diff)