crypto: drbg - set freed buffers to NULL

During freeing of the internal buffers used by the DRBG, set the pointer to NULL. It is possible that the context with the freed buffers is reused. In case of an error during initialization where the pointers do not yet point to allocated memory, the NULL value prevents a double free. Cc: stable@vger.kernel.org Fixes: 3cfc3b9721123 ("crypto: drbg - use aligned buffers") Signed-off-by: Stephan Mueller <smueller@chronox.de> Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
author: Stephan Mueller 2018-04-12 08:40:55 +0200
committer: Herbert Xu 2018-04-20 18:57:00 +0200
commit: eea0d3ea7546961f69f55b26714ac8fd71c7c020 (patch)
tree: 1a8cda1a7a5932789790ff6286791d999307d7c9
parent: crypto: api - fix finding algorithm currently being tested (diff)
download: kernel-qcow2-linux-eea0d3ea7546961f69f55b26714ac8fd71c7c020.tar.gz
kernel-qcow2-linux-eea0d3ea7546961f69f55b26714ac8fd71c7c020.tar.xz
kernel-qcow2-linux-eea0d3ea7546961f69f55b26714ac8fd71c7c020.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/crypto/drbg.c b/crypto/drbg.c
index 4faa2781c964..466a112a4446 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg)
 	if (!drbg)
 		return;
 	kzfree(drbg->Vbuf);
+	drbg->Vbuf = NULL;
 	drbg->V = NULL;
 	kzfree(drbg->Cbuf);
+	drbg->Cbuf = NULL;
 	drbg->C = NULL;
 	kzfree(drbg->scratchpadbuf);
 	drbg->scratchpadbuf = NULL;
author	Stephan Mueller	2018-04-12 08:40:55 +0200
committer	Herbert Xu	2018-04-20 18:57:00 +0200
commit	eea0d3ea7546961f69f55b26714ac8fd71c7c020 (patch)
tree	1a8cda1a7a5932789790ff6286791d999307d7c9
parent	crypto: api - fix finding algorithm currently being tested (diff)
download	kernel-qcow2-linux-eea0d3ea7546961f69f55b26714ac8fd71c7c020.tar.gz kernel-qcow2-linux-eea0d3ea7546961f69f55b26714ac8fd71c7c020.tar.xz kernel-qcow2-linux-eea0d3ea7546961f69f55b26714ac8fd71c7c020.zip