random-mirrors/smaeul-u-boot
1
0
Fork 0
mirror of https://github.com/smaeul/u-boot.git synced 2025-10-14 04:46:01 +01:00
Code Issues Packages Projects Releases Wiki Activity

board: fsl_validate: Fix Double free Issue

Browse Source 
Remove Double free issue from calc_img_key_hash() and
calc_esbchdr_esbc_hash() function.
Verified the secure boot changes using lx2162aqds board.

Signed-off-by: Kshitiz Varshney <kshitiz.varshney@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
This commit is contained in:
Kshitiz Varshney 2021-09-19 17:09:53 +02:00 committed by Priyanka Jain
parent c0e0cf4989
commit bd2a4eb977
2 changed files with 13 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
board/freescale/common/fsl_validate.c
View File

@ -499,12 +499,8 @@ static int calc_img_key_hash(struct fsl_secboot_img_priv *img)
return ret; return ret;
ret = algo->hash_init(algo, &ctx); ret = algo->hash_init(algo, &ctx);
if (ret) { if (ret)
if (ctx)
free(ctx);
return ret; return ret;
}
/* Update hash for ESBC key */ /* Update hash for ESBC key */
#ifdef CONFIG_KEY_REVOCATION #ifdef CONFIG_KEY_REVOCATION
if (check_srk(img)) { if (check_srk(img)) {
@ -519,15 +515,12 @@ static int calc_img_key_hash(struct fsl_secboot_img_priv *img)
img->img_key, img->key_len, 1); img->img_key, img->key_len, 1);
if (ret) if (ret)
return ret; return ret;
/* Copy hash at destination buffer */ /* Copy hash at destination buffer */
ret = algo->hash_finish(algo, ctx, hash_val, algo->digest_size); ret = algo->hash_finish(algo, ctx, hash_val, algo->digest_size);
if (ret) { if (ret) {
if (ctx)
free(ctx); free(ctx);
return ret; return ret;
} }
for (i = 0; i < SHA256_BYTES; i++) for (i = 0; i < SHA256_BYTES; i++)
img->img_key_hash[i] = hash_val[i]; img->img_key_hash[i] = hash_val[i];
@ -554,18 +547,14 @@ static int calc_esbchdr_esbc_hash(struct fsl_secboot_img_priv *img)
ret = algo->hash_init(algo, &ctx); ret = algo->hash_init(algo, &ctx);
/* Copy hash at destination buffer */ /* Copy hash at destination buffer */
if (ret) { if (ret)
free(ctx);
return ret; return ret;
}
/* Update hash for CSF Header */ /* Update hash for CSF Header */
ret = algo->hash_update(algo, ctx, ret = algo->hash_update(algo, ctx,
(u8 *)&img->hdr, sizeof(struct fsl_secboot_img_hdr), 0); (u8 *)&img->hdr, sizeof(struct fsl_secboot_img_hdr), 0);
if (ret) { if (ret)
free(ctx);
return ret; return ret;
}
/* Update the hash with that of srk table if srk flag is 1 /* Update the hash with that of srk table if srk flag is 1
* If IE Table is selected, key is not added in the hash * If IE Table is selected, key is not added in the hash
@ -592,22 +581,17 @@ static int calc_esbchdr_esbc_hash(struct fsl_secboot_img_priv *img)
key_hash = 1; key_hash = 1;
} }
#endif #endif
if (ret) { if (ret)
free(ctx);
return ret; return ret;
}
if (!key_hash) { if (!key_hash) {
free(ctx); free(ctx);
return ERROR_KEY_TABLE_NOT_FOUND; return ERROR_KEY_TABLE_NOT_FOUND;
} }
/* Update hash for actual Image */ /* Update hash for actual Image */
ret = algo->hash_update(algo, ctx, ret = algo->hash_update(algo, ctx,
(u8 *)(*(img->img_addr_ptr)), img->img_size, 1); (u8 *)(*(img->img_addr_ptr)), img->img_size, 1);
if (ret) { if (ret)
free(ctx);
return ret; return ret;
}
/* Copy hash at destination buffer */ /* Copy hash at destination buffer */
ret = algo->hash_finish(algo, ctx, hash_val, algo->digest_size); ret = algo->hash_finish(algo, ctx, hash_val, algo->digest_size);

14
drivers/crypto/fsl/fsl_hash.c
View File

@ -1,7 +1,7 @@
// SPDX-License-Identifier: GPL-2.0+ // SPDX-License-Identifier: GPL-2.0+
/* /*
* Copyright 2014 Freescale Semiconductor, Inc. * Copyright 2014 Freescale Semiconductor, Inc.
* * Copyright 2021 NXP
*/ */
#include <common.h> #include <common.h>
@ -120,8 +120,8 @@ static int caam_hash_update(void *hash_ctx, const void *buf,
* Perform progressive hashing on the given buffer and copy hash at * Perform progressive hashing on the given buffer and copy hash at
* destination buffer * destination buffer
* *
* The context is freed after completion of hash operation. * The context is freed after successful completion of hash operation.
* * In case of failure, context is not freed.
* @hash_ctx: Pointer to the context for hashing * @hash_ctx: Pointer to the context for hashing
* @dest_buf: Pointer to the destination buffer where hash is to be copied * @dest_buf: Pointer to the destination buffer where hash is to be copied
* @size: Size of the buffer being hashed * @size: Size of the buffer being hashed
@ -136,7 +136,6 @@ static int caam_hash_finish(void *hash_ctx, void *dest_buf,
int i = 0, ret = 0; int i = 0, ret = 0;
if (size < driver_hash[caam_algo].digestsize) { if (size < driver_hash[caam_algo].digestsize) {
free(ctx);
return -EINVAL; return -EINVAL;
} }
@ -152,11 +151,12 @@ static int caam_hash_finish(void *hash_ctx, void *dest_buf,
ret = run_descriptor_jr(ctx->sha_desc); ret = run_descriptor_jr(ctx->sha_desc);
if (ret) if (ret) {
debug("Error %x\n", ret); debug("Error %x\n", ret);
else return ret;
} else {
memcpy(dest_buf, ctx->hash, sizeof(ctx->hash)); memcpy(dest_buf, ctx->hash, sizeof(ctx->hash));
}
free(ctx); free(ctx);
return ret; return ret;
} }