Date: Thu, 4 Jan 2024 10:03:06 +0800
From: Herbert Xu
To: David Howells
Cc: Shigeru Yoshida, davem@davemloft.net, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] crypto: af_alg/hash: Fix uninit-value access in af_alg_free_sg()
References: <20231211135949.689204-1-syoshida@redhat.com> <386306.1704296211@warthog.procyon.org.uk>
In-Reply-To: <386306.1704296211@warthog.procyon.org.uk>
X-Mailing-List: linux-crypto@vger.kernel.org

On Wed, Jan 03, 2024 at 03:36:51PM +0000, David Howells wrote:
> Hmmm... Is that going to get you a potential memory leak?
>
> ctx->sgl.sgt.sgl could (in theory) point to an allocated table. I guess that
> would be cleaned up by af_alg_free_areq_sgls(), so there's probably no leak
> there.

The SG list is only set up in this function, and gets freed before we
return. There should be no SG list on entry. It's only because you
added the special case for a zero-length hash that we hit the bogus
free.

So we should fix this by not freeing the SG list in the zero-length
case, as it was never allocated.

> OTOH, af_alg_free_areq_sgls() is going to call af_alg_free_sg(), so maybe we
> want to initialise sgl->sgt.sgl to NULL as well.

That has nothing to do with this. This SG list is specific to
algif_hash and has nothing to do with the shared SG list used by aead
and skcipher.

Cheers,
-- 
Email: Herbert Xu
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
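The following is an added user-space model of the point Herbert makes above; it is not kernel code and is not from the patch or this thread. It reproduces the shape of the bug in a form that can be compiled and run without the kernel: a context whose SG-table field is left uninitialised, a "buggy" send path whose zero-length special case frees that field anyway, and a "fixed" send path that frees only on the path that allocated. A small registry of live tables stands in for KMSAN: it rejects any free of a pointer it never handed out and counts live tables so the leak David asked about can be checked too. All names (model_hash_ctx, model_alloc_sg, model_free_sg, buggy_hash_sendmsg, fixed_hash_sendmsg) are hypothetical stand-ins for the algif_hash context, its sgt.sgl field, af_alg_free_sg() and the sending function Herbert refers to, not the real kernel symbols.

```c
/*
 * Added example, not kernel code: models "free only what this call
 * allocated" for an SG table held in a hash context. The registry
 * below plays the role of KMSAN by flagging frees of unknown pointers.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_MAX_LIVE 16

/* Hypothetical stand-ins for the kernel's sg_table and the algif_hash ctx. */
struct model_sg_table {
	void *sgl;          /* stands in for sgt.sgl */
	unsigned int nents;
};

struct model_hash_ctx {
	struct model_sg_table sgt;
};

/* Registry of tables handed out by model_alloc_sg(); the KMSAN stand-in. */
static void *model_live[MODEL_MAX_LIVE];
static int model_n_live;
static int model_n_bogus;

static void *model_alloc_sg(unsigned int nents)
{
	void *sgl;

	if (model_n_live >= MODEL_MAX_LIVE)
		return NULL;
	sgl = calloc(nents, 32);   /* entry size is irrelevant to the point */
	if (!sgl)
		return NULL;
	model_live[model_n_live++] = sgl;
	return sgl;
}

/* true: sgl was live and is now freed; false: bogus free, counted and ignored. */
static bool model_free_sg(void *sgl)
{
	int i;

	for (i = 0; i < model_n_live; i++) {
		if ((uintptr_t)model_live[i] == (uintptr_t)sgl) {
			free(sgl);
			model_live[i] = model_live[--model_n_live];
			return true;
		}
	}
	model_n_bogus++;
	return false;
}

static int model_live_tables(void) { return model_n_live; }
static int model_bogus_frees(void) { return model_n_bogus; }

static void model_reset(void)
{
	while (model_n_live > 0)
		free(model_live[--model_n_live]);
	model_n_bogus = 0;
}

/* A fresh ctx whose SG-table field holds garbage, as an uninitialised field
 * would; filling with 0xAA makes the garbage deterministic for the demo. */
static struct model_hash_ctx *model_new_ctx(void)
{
	struct model_hash_ctx *ctx = malloc(sizeof(*ctx));

	if (ctx)
		memset(ctx, 0xAA, sizeof(*ctx));
	return ctx;
}

/* Buggy shape: the zero-length path frees an SG list this call never set up. */
static int buggy_hash_sendmsg(struct model_hash_ctx *ctx, size_t len)
{
	if (len == 0)
		return model_free_sg(ctx->sgt.sgl) ? 0 : -1;

	ctx->sgt.sgl = model_alloc_sg((unsigned int)((len + 4095) / 4096));
	if (!ctx->sgt.sgl)
		return -1;
	/* ... hash the pages the table references ... */
	model_free_sg(ctx->sgt.sgl);   /* freed before return, as in the thread */
	return 0;
}

/* Fixed shape: the zero-length path frees nothing, because nothing was allocated. */
static int fixed_hash_sendmsg(struct model_hash_ctx *ctx, size_t len)
{
	if (len == 0)
		return 0;

	ctx->sgt.sgl = model_alloc_sg((unsigned int)((len + 4095) / 4096));
	if (!ctx->sgt.sgl)
		return -1;
	/* ... hash the pages the table references ... */
	model_free_sg(ctx->sgt.sgl);
	return 0;
}

int main(void)
{
	struct model_hash_ctx *ctx = model_new_ctx();

	if (!ctx)
		return 1;
	printf("buggy len=0:    rc=%d bogus_frees=%d\n",
	       buggy_hash_sendmsg(ctx, 0), model_bogus_frees());
	model_reset();
	printf("fixed len=0:    rc=%d bogus_frees=%d\n",
	       fixed_hash_sendmsg(ctx, 0), model_bogus_frees());
	printf("fixed len=8192: rc=%d live_tables=%d\n",
	       fixed_hash_sendmsg(ctx, 8192), model_live_tables());
	free(ctx);
	return 0;
}
```

The registry answers both questions raised in the thread: the buggy zero-length path trips a bogus free on the garbage pointer, the fixed zero-length path frees nothing and trips nothing, and the non-zero path leaves no live table behind, so nothing is leaked and no NULL-initialisation of the field is needed for this path.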