[PATCH] board: fsl_validate: Fix Double free Issue

Kshitiz Varshney kshitiz.varshney at nxp.com
Sun Sep 19 17:09:53 CEST 2021


Remove Double free issue from calc_img_key_hash() and
calc_esbchdr_esbc_hash() function.
Verified the secure boot changes using lx2162aqds board.

Signed-off-by: Kshitiz Varshney <kshitiz.varshney at nxp.com>
---
 board/freescale/common/fsl_validate.c | 28 ++++++---------------------
 drivers/crypto/fsl/fsl_hash.c         | 14 +++++++-------
 2 files changed, 13 insertions(+), 29 deletions(-)

diff --git a/board/freescale/common/fsl_validate.c b/board/freescale/common/fsl_validate.c
index 5cec0131f2..9a22fb8054 100644
--- a/board/freescale/common/fsl_validate.c
+++ b/board/freescale/common/fsl_validate.c
@@ -499,12 +499,8 @@ static int calc_img_key_hash(struct fsl_secboot_img_priv *img)
 		return ret;
 
 	ret = algo->hash_init(algo, &ctx);
-	if (ret) {
-		if (ctx)
-			free(ctx);
+	if (ret)
 		return ret;
-	}
-
 	/* Update hash for ESBC key */
 #ifdef CONFIG_KEY_REVOCATION
 	if (check_srk(img)) {
@@ -519,15 +515,12 @@ static int calc_img_key_hash(struct fsl_secboot_img_priv *img)
 			img->img_key, img->key_len, 1);
 	if (ret)
 		return ret;
-
 	/* Copy hash at destination buffer */
 	ret = algo->hash_finish(algo, ctx, hash_val, algo->digest_size);
 	if (ret) {
-		if (ctx)
-			free(ctx);
+		free(ctx);
 		return ret;
 	}
-
 	for (i = 0; i < SHA256_BYTES; i++)
 		img->img_key_hash[i] = hash_val[i];
 
@@ -554,18 +547,14 @@ static int calc_esbchdr_esbc_hash(struct fsl_secboot_img_priv *img)
 
 	ret = algo->hash_init(algo, &ctx);
 	/* Copy hash at destination buffer */
-	if (ret) {
-		free(ctx);
+	if (ret)
 		return ret;
-	}
 
 	/* Update hash for CSF Header */
 	ret = algo->hash_update(algo, ctx,
 		(u8 *)&img->hdr, sizeof(struct fsl_secboot_img_hdr), 0);
-	if (ret) {
-		free(ctx);
+	if (ret)
 		return ret;
-	}
 
 	/* Update the hash with that of srk table if srk flag is 1
 	 * If IE Table is selected, key is not added in the hash
@@ -592,22 +581,17 @@ static int calc_esbchdr_esbc_hash(struct fsl_secboot_img_priv *img)
 		key_hash = 1;
 	}
 #endif
-	if (ret) {
-		free(ctx);
+	if (ret)
 		return ret;
-	}
 	if (!key_hash) {
 		free(ctx);
 		return ERROR_KEY_TABLE_NOT_FOUND;
 	}
-
 	/* Update hash for actual Image */
 	ret = algo->hash_update(algo, ctx,
 		(u8 *)(*(img->img_addr_ptr)), img->img_size, 1);
-	if (ret) {
-		free(ctx);
+	if (ret)
 		return ret;
-	}
 
 	/* Copy hash at destination buffer */
 	ret = algo->hash_finish(algo, ctx, hash_val, algo->digest_size);
diff --git a/drivers/crypto/fsl/fsl_hash.c b/drivers/crypto/fsl/fsl_hash.c
index 61f953e8a6..43daf1cbe3 100644
--- a/drivers/crypto/fsl/fsl_hash.c
+++ b/drivers/crypto/fsl/fsl_hash.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
  * Copyright 2014 Freescale Semiconductor, Inc.
- *
+ * Copyright 2021 NXP
  */
 
 #include <common.h>
@@ -120,8 +120,8 @@ static int caam_hash_update(void *hash_ctx, const void *buf,
  * Perform progressive hashing on the given buffer and copy hash at
  * destination buffer
  *
- * The context is freed after completion of hash operation.
- *
+ * The context is freed after successful completion of hash operation.
+ * In case of failure, context is not freed.
  * @hash_ctx: Pointer to the context for hashing
  * @dest_buf: Pointer to the destination buffer where hash is to be copied
  * @size: Size of the buffer being hashed
@@ -136,7 +136,6 @@ static int caam_hash_finish(void *hash_ctx, void *dest_buf,
 	int i = 0, ret = 0;
 
 	if (size < driver_hash[caam_algo].digestsize) {
-		free(ctx);
 		return -EINVAL;
 	}
 
@@ -152,11 +151,12 @@ static int caam_hash_finish(void *hash_ctx, void *dest_buf,
 
 	ret = run_descriptor_jr(ctx->sha_desc);
 
-	if (ret)
+	if (ret) {
 		debug("Error %x\n", ret);
-	else
+		return ret;
+	} else {
 		memcpy(dest_buf, ctx->hash, sizeof(ctx->hash));
-
+	}
 	free(ctx);
 	return ret;
 }
-- 
2.25.1



More information about the U-Boot mailing list