lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Thu, 24 Feb 2022 11:34:17 -0800
From:   Eric Biggers <ebiggers@...nel.org>
To:     Denis Glazkov <d.glazkov@....ru>
Cc:     David Howells <dhowells@...hat.com>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        "David S. Miller" <davem@...emloft.net>,
        "keyrings@...r.kernel.org" <keyrings@...r.kernel.org>,
        "linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] PKCS#7: fix a possible memory leak when calculating the
 digest

On Thu, Feb 24, 2022 at 07:09:12PM +0000, Denis Glazkov wrote:
> In function `pkcs7_digest`, if there is an error allocating memory
> for the `shash_desc` structure, the public key signature digest
> remains unfreed.
> 
> Signed-off-by: Denis Glazkov <d.glazkov@....ru>
> ---
>  crypto/asymmetric_keys/pkcs7_verify.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c
> index 0b4d07aa8811..e6f648dcc02a 100644
> --- a/crypto/asymmetric_keys/pkcs7_verify.c
> +++ b/crypto/asymmetric_keys/pkcs7_verify.c
> @@ -50,7 +50,7 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7,
>  	ret = -ENOMEM;
>  	sig->digest = kmalloc(sig->digest_size, GFP_KERNEL);
>  	if (!sig->digest)
> -		goto error_no_desc;
> +		goto error_no_digest;
>  
>  	desc = kzalloc(desc_size, GFP_KERNEL);
>  	if (!desc)
> @@ -117,6 +117,8 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7,
>  error:
>  	kfree(desc);
>  error_no_desc:
> +	kfree(sig->digest);
> +error_no_digest:
>  	crypto_free_shash(tfm);
>  	kleave(" = %d", ret);
>  	return ret;
> -- 
> 2.25.1

Doesn't this introduce a double free?  public_key_signature_free() frees this
too.

- Eric

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ