[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20180430184018.696347574@linuxfoundation.org>
Date: Mon, 30 Apr 2018 12:24:54 -0700
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org, Stephan Mueller <smueller@...onox.de>,
syzbot+75397ee3df5c70164154@...kaller.appspotmail.com,
Herbert Xu <herbert@...dor.apana.org.au>
Subject: [PATCH 4.16 083/113] crypto: drbg - set freed buffers to NULL
4.16-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephan Mueller <smueller@...onox.de>
commit eea0d3ea7546961f69f55b26714ac8fd71c7c020 upstream.
During freeing of the internal buffers used by the DRBG, set the pointer
to NULL. It is possible that the context with the freed buffers is
reused. In case of an error during initialization where the pointers
do not yet point to allocated memory, the NULL value prevents a double
free.
Cc: stable@...r.kernel.org
Fixes: 3cfc3b9721123 ("crypto: drbg - use aligned buffers")
Signed-off-by: Stephan Mueller <smueller@...onox.de>
Reported-by: syzbot+75397ee3df5c70164154@...kaller.appspotmail.com
Signed-off-by: Herbert Xu <herbert@...dor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
crypto/drbg.c | 2 ++
1 file changed, 2 insertions(+)
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(st
if (!drbg)
return;
kzfree(drbg->Vbuf);
+ drbg->Vbuf = NULL;
drbg->V = NULL;
kzfree(drbg->Cbuf);
+ drbg->Cbuf = NULL;
drbg->C = NULL;
kzfree(drbg->scratchpadbuf);
drbg->scratchpadbuf = NULL;
Powered by blists - more mailing lists