2020-01-20 14:40:44

by Dan Carpenter

[permalink] [raw]
Subject: [PATCH] crypto: rng - Fix a refcounting bug in crypto_rng_reset()

We need to decrement this refcounter on these error paths.

Fixes: f7d76e05d058 ("crypto: user - fix use_after_free of struct xxx_request")
Signed-off-by: Dan Carpenter <[email protected]>
---
crypto/rng.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/crypto/rng.c b/crypto/rng.c
index 1e21231f71c9..1490d210f1a1 100644
--- a/crypto/rng.c
+++ b/crypto/rng.c
@@ -37,12 +37,16 @@ int crypto_rng_reset(struct crypto_rng *tfm, const u8 *seed, unsigned int slen)
crypto_stats_get(alg);
if (!seed && slen) {
buf = kmalloc(slen, GFP_KERNEL);
- if (!buf)
+ if (!buf) {
+ crypto_alg_put(alg);
return -ENOMEM;
+ }

err = get_random_bytes_wait(buf, slen);
- if (err)
+ if (err) {
+ crypto_alg_put(alg);
goto out;
+ }
seed = buf;
}

--
2.11.0


2020-01-20 15:57:10

by Neil Horman

[permalink] [raw]
Subject: Re: [PATCH] crypto: rng - Fix a refcounting bug in crypto_rng_reset()

On Mon, Jan 20, 2020 at 05:38:04PM +0300, Dan Carpenter wrote:
> We need to decrement this refcounter on these error paths.
>
> Fixes: f7d76e05d058 ("crypto: user - fix use_after_free of struct xxx_request")
> Signed-off-by: Dan Carpenter <[email protected]>
> ---
> crypto/rng.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/crypto/rng.c b/crypto/rng.c
> index 1e21231f71c9..1490d210f1a1 100644
> --- a/crypto/rng.c
> +++ b/crypto/rng.c
> @@ -37,12 +37,16 @@ int crypto_rng_reset(struct crypto_rng *tfm, const u8 *seed, unsigned int slen)
> crypto_stats_get(alg);
> if (!seed && slen) {
> buf = kmalloc(slen, GFP_KERNEL);
> - if (!buf)
> + if (!buf) {
> + crypto_alg_put(alg);
> return -ENOMEM;
> + }
>
> err = get_random_bytes_wait(buf, slen);
> - if (err)
> + if (err) {
> + crypto_alg_put(alg);
> goto out;
> + }
> seed = buf;
> }
>
> --
> 2.11.0
>
>
LGTM
Acked-by: Neil Horman <[email protected]>

2020-02-13 09:18:40

by Herbert Xu

[permalink] [raw]
Subject: Re: [PATCH] crypto: rng - Fix a refcounting bug in crypto_rng_reset()

On Mon, Jan 20, 2020 at 05:38:04PM +0300, Dan Carpenter wrote:
> We need to decrement this refcounter on these error paths.
>
> Fixes: f7d76e05d058 ("crypto: user - fix use_after_free of struct xxx_request")
> Signed-off-by: Dan Carpenter <[email protected]>
> ---
> crypto/rng.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)

Patch applied. Thanks.
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt