From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Stephan Mueller , syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com, Herbert Xu Subject: [PATCH 4.16 083/113] crypto: drbg - set freed buffers to NULL Date: Mon, 30 Apr 2018 12:24:54 -0700 Message-Id: <20180430184018.696347574@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180430184015.043892819@linuxfoundation.org> References: <20180430184015.043892819@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.16-stable review patch. If anyone has any objections, please let me know. ------------------ From: Stephan Mueller commit eea0d3ea7546961f69f55b26714ac8fd71c7c020 upstream. During freeing of the internal buffers used by the DRBG, set the pointer to NULL. It is possible that the context with the freed buffers is reused. In case of an error during initialization where the pointers do not yet point to allocated memory, the NULL value prevents a double free. Cc: stable@vger.kernel.org Fixes: 3cfc3b9721123 ("crypto: drbg - use aligned buffers") Signed-off-by: Stephan Mueller Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman --- crypto/drbg.c | 2 ++ 1 file changed, 2 insertions(+) --- a/crypto/drbg.c +++ b/crypto/drbg.c @@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(st if (!drbg) return; kzfree(drbg->Vbuf); + drbg->Vbuf = NULL; drbg->V = NULL; kzfree(drbg->Cbuf); + drbg->Cbuf = NULL; drbg->C = NULL; kzfree(drbg->scratchpadbuf); drbg->scratchpadbuf = NULL;
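Review bot: The two added assignments in drbg_dealloc_state(), `drbg->Vbuf = NULL;` and `drbg->Cbuf = NULL;`, carry no comment saying why they are needed, and the reason lives only in the commit message: the context can be reused, and a failed initialization may call this function again before the buffers are reallocated, so a stale pointer would be passed to kzfree() a second time. A one-line comment above the first kzfree() stating that every buffer pointer must be NULL on return because the context may be reused would keep a later cleanup from dropping these lines as redundant next to `drbg->V = NULL;` and `drbg->C = NULL;`. The hunk shows the same free-then-clear pattern already in place for `drbg->scratchpadbuf`; the rest of the function is outside the visible context, so it is worth confirming that any remaining frees there follow the same pattern.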