Re: [PATCH] crypto: drbg - set freed buffers to NULL
On Thu, Apr 12, 2018 at 08:40:55AM +0200, Stephan Müller wrote: > Add the Fixes, CC stable tags. > > ---8<--- > > During freeing of the internal buffers used by the DRBG, set the pointer > to NULL. It is possible that the context with the freed buffers is > reused. In case of an error during initialization where the pointers > do not yet point to allocated memory, the NULL value prevents a double > free. > > Cc: sta...@vger.kernel.org > Fixes: 3cfc3b9721123 ("crypto: drbg - use aligned buffers") > Signed-off-by: Stephan Mueller> Reported-by: syzbot+75397ee3df5c70164...@syzkaller.appspotmail.com Patch applied. Thanks. -- Email: Herbert Xu Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
[PATCH] crypto: drbg - set freed buffers to NULL
Add the Fixes, CC stable tags. ---8<--- During freeing of the internal buffers used by the DRBG, set the pointer to NULL. It is possible that the context with the freed buffers is reused. In case of an error during initialization where the pointers do not yet point to allocated memory, the NULL value prevents a double free. Cc: sta...@vger.kernel.org Fixes: 3cfc3b9721123 ("crypto: drbg - use aligned buffers") Signed-off-by: Stephan MuellerReported-by: syzbot+75397ee3df5c70164...@syzkaller.appspotmail.com --- crypto/drbg.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/drbg.c b/crypto/drbg.c index 4faa2781c964..466a112a4446 100644 --- a/crypto/drbg.c +++ b/crypto/drbg.c @@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg) if (!drbg) return; kzfree(drbg->Vbuf); + drbg->Vbuf = NULL; drbg->V = NULL; kzfree(drbg->Cbuf); + drbg->Cbuf = NULL; drbg->C = NULL; kzfree(drbg->scratchpadbuf); drbg->scratchpadbuf = NULL; -- 2.14.3
Re: [PATCH] crypto: drbg - set freed buffers to NULL
On Wed, Apr 11, 2018 at 04:31:01PM +0200, Stephan Müller wrote: > Sorry, this time with the proper subject line. > > ---8<--- > > During freeing of the internal buffers used by the DRBG, set the pointer > to NULL. It is possible that the context with the freed buffers is > reused. In case of an error during initialization where the pointers > do not yet point to allocated memory, the NULL value prevents a double > free. > > Signed-off-by: Stephan Mueller> Reported-by: syzbot+75397ee3df5c70164...@syzkaller.appspotmail.com > --- > crypto/drbg.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/crypto/drbg.c b/crypto/drbg.c > index 4faa2781c964..466a112a4446 100644 > --- a/crypto/drbg.c > +++ b/crypto/drbg.c > @@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct > drbg_state *drbg) > if (!drbg) > return; > kzfree(drbg->Vbuf); > + drbg->Vbuf = NULL; > drbg->V = NULL; > kzfree(drbg->Cbuf); > + drbg->Cbuf = NULL; > drbg->C = NULL; > kzfree(drbg->scratchpadbuf); > drbg->scratchpadbuf = NULL; Can you please add Fixes and Cc stable? - Eric
[PATCH] crypto: drbg - set freed buffers to NULL
Sorry, this time with the proper subject line. ---8<--- During freeing of the internal buffers used by the DRBG, set the pointer to NULL. It is possible that the context with the freed buffers is reused. In case of an error during initialization where the pointers do not yet point to allocated memory, the NULL value prevents a double free. Signed-off-by: Stephan MuellerReported-by: syzbot+75397ee3df5c70164...@syzkaller.appspotmail.com --- crypto/drbg.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/drbg.c b/crypto/drbg.c index 4faa2781c964..466a112a4446 100644 --- a/crypto/drbg.c +++ b/crypto/drbg.c @@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg) if (!drbg) return; kzfree(drbg->Vbuf); + drbg->Vbuf = NULL; drbg->V = NULL; kzfree(drbg->Cbuf); + drbg->Cbuf = NULL; drbg->C = NULL; kzfree(drbg->scratchpadbuf); drbg->scratchpadbuf = NULL; -- 2.14.3