Received: by 10.192.165.148 with SMTP id m20csp4160903imm; Mon, 30 Apr 2018 12:57:09 -0700 (PDT) X-Google-Smtp-Source: AB8JxZovWdqN1fjZP69WN7H+fcnFJKzFvZsWYrkAXIZmfnL1R8pOSS0RoCLBywZWNDpBfv0YVfqx X-Received: by 10.98.194.199 with SMTP id w68mr13018941pfk.174.1525118229784; Mon, 30 Apr 2018 12:57:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525118229; cv=none; d=google.com; s=arc-20160816; b=1JK/Fqbyzxjh5lnIh4XkrQWIYNY/xNpL3o+Ffm8pTlWv62I9lKPoqEFXSjkaMSZEhv fpcgnGa+X8fW0Pw/sLvxab00vy1fGs1gFWSiWGJvFv2nn7d63bkppzxZsY1zKZLbjBER BYFTWg/voNujCkE/U7PyK40+TiYW0ysiAKV/fymFsb3lIX1oLDZb5qMwBov4lHKfnyUg A68SZAheKNOExr7Jc0wdyVjkb92iQRWNqxQZtJpPNCwkCRpCcvq1R2UuJQlaLfUXjUpK gQUKtoBO1iLvj1qzdKowWP4nEZ0QIJ8fMMJQ+KIlrRE3g5PC6LzhPco8C6QBp0AaKIzN bwhQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from:dmarc-filter :arc-authentication-results; bh=DXL16JLVbFhVwAsZIQp+1hWYvRb6Yqkq/1VpvZSqt3s=; b=JrpVABLZeDNYFqFdzNbYNHvh233sGVI1AOIehJKtUsWIBJ4E2KaZlYN9LW9zbR5RO4 mu9DlVrqjimEjLxPAfC3atom7dOT8huwMpd6M3DjHm7V7hXr7KnDDg481cRhi2rSl3Um h6pdYG9TLkSvjIDKxyFGfM0/6UFWNT86KHAxr7Gc8WESFGV7rCZg6Mqz3x0GfhSPOo62 AUc45GVAGVlTRyyKt/xgshDs1Kq9AaSnZ7tngwVltxUvrc9X5nXC1v22J2NRQ+g6dfu1 AihD7zM7p10Q346/C/W/K0cbtt5HdvjQz1DG8hBSvjAD67mGw6oW3YQBTMyRTssRRmqI k07A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b89-v6si7916531plb.262.2018.04.30.12.56.54; Mon, 30 Apr 2018 12:57:09 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756227AbeD3T4q (ORCPT + 99 others); Mon, 30 Apr 2018 15:56:46 -0400 Received: from mail.kernel.org ([198.145.29.99]:34696 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756068AbeD3T1u (ORCPT ); Mon, 30 Apr 2018 15:27:50 -0400 Received: from localhost (unknown [104.132.1.102]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id CE84422E72; Mon, 30 Apr 2018 19:27:49 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org CE84422E72 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=linuxfoundation.org Authentication-Results: mail.kernel.org; spf=fail smtp.mailfrom=gregkh@linuxfoundation.org From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Stephan Mueller , syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com, Herbert Xu Subject: [PATCH 4.14 71/91] crypto: drbg - set freed buffers to NULL Date: Mon, 30 Apr 2018 12:24:53 -0700 Message-Id: <20180430184007.964340007@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180430184004.216234025@linuxfoundation.org> References: <20180430184004.216234025@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Stephan Mueller commit eea0d3ea7546961f69f55b26714ac8fd71c7c020 upstream. During freeing of the internal buffers used by the DRBG, set the pointer to NULL. It is possible that the context with the freed buffers is reused. In case of an error during initialization where the pointers do not yet point to allocated memory, the NULL value prevents a double free. Cc: stable@vger.kernel.org Fixes: 3cfc3b9721123 ("crypto: drbg - use aligned buffers") Signed-off-by: Stephan Mueller Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman --- crypto/drbg.c | 2 ++ 1 file changed, 2 insertions(+) --- a/crypto/drbg.c +++ b/crypto/drbg.c @@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(st if (!drbg) return; kzfree(drbg->Vbuf); + drbg->Vbuf = NULL; drbg->V = NULL; kzfree(drbg->Cbuf); + drbg->Cbuf = NULL; drbg->C = NULL; kzfree(drbg->scratchpadbuf); drbg->scratchpadbuf = NULL;