From patchwork Thu Apr 12 06:40:55 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Stephan Mueller
X-Patchwork-Id: 10337923
X-Patchwork-Delegate: herbert@gondor.apana.org.au
From: Stephan Müller
To: Herbert Xu
Cc: Dmitry Vyukov, "Theodore Y. Ts'o", Matthew Wilcox, David Miller,
 linux-crypto@vger.kernel.org, Eric Biggers, syzbot, linux-fsdevel, LKML,
 syzkaller-bugs, Al Viro
Subject: [PATCH] crypto: drbg - set freed buffers to NULL
Date: Thu, 12 Apr 2018 08:40:55 +0200
Message-ID: <2295196.9WStPcntd3@positron.chronox.de>
In-Reply-To: <20316956.hJt0ZTxKTH@positron.chronox.de>
References: <001a114467482dbc4b05692df8f9@google.com>
 <2186798.qrgUIDAn9S@positron.chronox.de>
 <20316956.hJt0ZTxKTH@positron.chronox.de>
Sender: linux-crypto-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-crypto@vger.kernel.org

Add the Fixes, CC stable tags.

---8<---

During freeing of the internal buffers used by the DRBG, set the pointer
to NULL. It is possible that the context with the freed buffers is
reused. In case of an error during initialization where the pointers
do not yet point to allocated memory, the NULL value prevents a double
free.

Cc: stable@vger.kernel.org
Fixes: 3cfc3b9721123 ("crypto: drbg - use aligned buffers")
Signed-off-by: Stephan Mueller
Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com
---
 crypto/drbg.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/crypto/drbg.c b/crypto/drbg.c index 4faa2781c964..466a112a4446 100644 --- a/crypto/drbg.c +++ b/crypto/drbg.c @@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg) if (!drbg) return; kzfree(drbg->Vbuf); + drbg->Vbuf = NULL; drbg->V = NULL; kzfree(drbg->Cbuf); + drbg->Cbuf = NULL; drbg->C = NULL; kzfree(drbg->scratchpadbuf); drbg->scratchpadbuf = NULL;
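
Review bot: The two added stores in drbg_dealloc_state() (drbg->Vbuf = NULL after kzfree(drbg->Vbuf), and drbg->Cbuf = NULL after kzfree(drbg->Cbuf)) would benefit from a one-line comment stating why they are needed. The function already cleared V, C and scratchpadbuf, so a later cleanup could take the new assignments for redundant ones, and the reason given in the commit message (the context can be reused after a failed initialization, at which point a stale Vbuf or Cbuf would be handed to kzfree a second time) is not recorded in the code itself. The visible context stops at scratchpadbuf, so please also confirm that any buffer freed further down in this function is reset to NULL in the same way.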