From: Jia Jie Ho jiajie.ho@starfivetech.com
mainline inclusion from mainline-v6.10-rc commit d7f01649f4eaf1878472d3d3f480ae1e50d98f6c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAB05M CVE: CVE-2024-39478
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
----------------------------------------------------------------------
RSA text data uses variable length buffer allocated in software stack. Calling kfree on it causes undefined behaviour in subsequent operations.
Cc: stable@vger.kernel.org #6.7+ Signed-off-by: Jia Jie Ho jiajie.ho@starfivetech.com Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Signed-off-by: Chen Ridong chenridong@huawei.com --- drivers/crypto/starfive/jh7110-rsa.c | 1 - 1 file changed, 1 deletion(-)
diff --git a/drivers/crypto/starfive/jh7110-rsa.c b/drivers/crypto/starfive/jh7110-rsa.c index f31bbd825f88..fb1a99072dcf 100644 --- a/drivers/crypto/starfive/jh7110-rsa.c +++ b/drivers/crypto/starfive/jh7110-rsa.c @@ -299,7 +299,6 @@ static int starfive_rsa_enc_core(struct starfive_cryp_ctx *ctx, int enc)
err_rsa_crypt: writel(STARFIVE_RSA_RESET, cryp->base + STARFIVE_PKA_CACR_OFFSET); - kfree(rctx->rsa_data); return ret; }