LinuxLists.cc - [PATCH] PKCS#7: fix a possible memory leak when calculating the digest

2022-02-24 19:22:58

Subject: [PATCH] PKCS#7: fix a possible memory leak when calculating the digest

In function `pkcs7_digest`, if there is an error allocating memory
for the `shash_desc` structure, the public key signature digest
remains unfreed.

Signed-off-by: Denis Glazkov <[email protected]>
---
crypto/asymmetric_keys/pkcs7_verify.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c
index 0b4d07aa8811..e6f648dcc02a 100644
--- a/crypto/asymmetric_keys/pkcs7_verify.c
+++ b/crypto/asymmetric_keys/pkcs7_verify.c
@@ -50,7 +50,7 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7,
ret = -ENOMEM;
sig->digest = kmalloc(sig->digest_size, GFP_KERNEL);
if (!sig->digest)
- goto error_no_desc;
+ goto error_no_digest;

desc = kzalloc(desc_size, GFP_KERNEL);
if (!desc)
@@ -117,6 +117,8 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7,
error:
kfree(desc);
error_no_desc:
+ kfree(sig->digest);
+error_no_digest:
crypto_free_shash(tfm);
kleave(" = %d", ret);
return ret;
--
2.25.1

2022-02-24 20:55:11

by Eric Biggers

[permalink] [raw]

Subject: Re: [PATCH] PKCS#7: fix a possible memory leak when calculating the digest

On Thu, Feb 24, 2022 at 07:09:12PM +0000, Denis Glazkov wrote:
> In function `pkcs7_digest`, if there is an error allocating memory
> for the `shash_desc` structure, the public key signature digest
> remains unfreed.
>
> Signed-off-by: Denis Glazkov <[email protected]>
> ---
> crypto/asymmetric_keys/pkcs7_verify.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c
> index 0b4d07aa8811..e6f648dcc02a 100644
> --- a/crypto/asymmetric_keys/pkcs7_verify.c
> +++ b/crypto/asymmetric_keys/pkcs7_verify.c
> @@ -50,7 +50,7 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7,
> ret = -ENOMEM;
> sig->digest = kmalloc(sig->digest_size, GFP_KERNEL);
> if (!sig->digest)
> - goto error_no_desc;
> + goto error_no_digest;
>
> desc = kzalloc(desc_size, GFP_KERNEL);
> if (!desc)
> @@ -117,6 +117,8 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7,
> error:
> kfree(desc);
> error_no_desc:
> + kfree(sig->digest);
> +error_no_digest:
> crypto_free_shash(tfm);
> kleave(" = %d", ret);
> return ret;
> --
> 2.25.1

Doesn't this introduce a double free? public_key_signature_free() frees this
too.

- Eric