From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Stephan Mueller, syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com, Herbert Xu
Subject: [PATCH 4.9 47/61] crypto: drbg - set freed buffers to NULL
Date: Mon, 30 Apr 2018 12:24:50 -0700
Message-Id: <20180430183955.325249799@linuxfoundation.org>
In-Reply-To: <20180430183951.312721450@linuxfoundation.org>
References: <20180430183951.312721450@linuxfoundation.org>

4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Stephan Mueller

commit eea0d3ea7546961f69f55b26714ac8fd71c7c020 upstream.

During freeing of the internal buffers used by the DRBG, set the pointer
to NULL. It is possible that the context with the freed buffers is
reused. In case of an error during initialization where the pointers
do not yet point to allocated memory, the NULL value prevents a double
free.

Cc: stable@vger.kernel.org
Fixes: 3cfc3b9721123 ("crypto: drbg - use aligned buffers")
Signed-off-by: Stephan Mueller
Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com
Signed-off-by: Herbert Xu
Signed-off-by: Greg Kroah-Hartman

---
 crypto/drbg.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/crypto/drbg.c +++ b/crypto/drbg.c @@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(st if (!drbg) return; kzfree(drbg->Vbuf); + drbg->Vbuf = NULL; drbg->V = NULL; kzfree(drbg->Cbuf); + drbg->Cbuf = NULL; drbg->C = NULL; kzfree(drbg->scratchpadbuf); drbg->scratchpadbuf = NULL;
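
Review bot: The two added resets, `drbg->Vbuf = NULL;` after `kzfree(drbg->Vbuf)` and `drbg->Cbuf = NULL;` after `kzfree(drbg->Cbuf)`, carry no comment saying why the raw buffer pointers must be cleared in addition to `V` and `C`; the reason (a context reused after a failed initialization would otherwise have the same pointer freed twice) is stated only in the commit message. A short comment at the top of drbg_dealloc_state() noting that every freed pointer is reset because the state can be reused would keep a later cleanup from dropping these lines. The visible context ends at the scratchpadbuf reset, so it is worth confirming that any frees further down in the function follow the same free-then-NULL pattern.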