| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAK8P3a3PDznLXbaQNtFpgtJyP29mh2gGSm8DeSk0NfZCgZQ_kA@mail.gmail.com>
Date: Mon, 17 Jun 2019 22:38:49 +0200
From: Arnd Bergmann <arnd@...db.de>
To: Roland Kammerer <roland.kammerer@...bit.com>
Cc: Philipp Reisner <philipp.reisner@...bit.com>,
Lars Ellenberg <lars.ellenberg@...bit.com>,
Jens Axboe <axboe@...nel.dk>,
Eric Biggers <ebiggers@...gle.com>,
Herbert Xu <herbert@...dor.apana.org.au>,
"Gustavo A. R. Silva" <gustavo@...eddedor.com>,
Kees Cook <keescook@...omium.org>, drbd-dev@...ts.linbit.com,
linux-block <linux-block@...r.kernel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] drbd: dynamically allocate shash descriptor
On Mon, Jun 17, 2019 at 4:36 PM Roland Kammerer
<roland.kammerer@...bit.com> wrote:
> > @@ -5572,6 +5579,7 @@ static int drbd_do_auth(struct drbd_connection *connection)
> > kfree(response);
> > kfree(right_response);
> > shash_desc_zero(desc);
> > + kfree(desc);
> >
> > return rv;
> > }
>
> Hi Arnd,
>
> are you sure your cleanup is okay?
>
> > shash_desc_zero(desc);
> > + kfree(desc);
>
> You shash_desc_zero() a potential NULL pointer. memzero_expicit() in the
> function then dereferences it:
>
> memzero_explicit(desc,
> sizeof(*desc) + crypto_shash_descsize(desc->tfm));
>
> Maybe some if (desc) guard?
Good catch. I guess kzfree() would have been the right thing to call.
Arnd
Powered by blists - more mailing lists