linux-crypto.vger.kernel.org archive mirror
* [PATCH][next] crypto: marvell: fix double free of ptr
@ 2020-04-01 23:10 Colin King
  2020-04-03  4:41 ` Herbert Xu
  0 siblings, 1 reply; 2+ messages in thread
From: Colin King @ 2020-04-01 23:10 UTC
  To: Boris Brezillon, Arnaud Ebalard, Srujana Challa, Herbert Xu,
	David S . Miller, Lukasz Bartosik, linux-crypto
  Cc: kernel-janitors, linux-kernel

From: Colin Ian King <colin.king@canonical.com>

Currently in the case where req->src != req->dst, the allocation of
ptr is kfree'd at the end of the code block. However later on in
the case where enc is not null any of the error return paths that
return via the error handling return path end up performing an
erroneous second kfree of ptr.

Fix this by adding an error exit label error_free and only jump to
this when ptr needs kfree'ing thus avoiding the double free issue.

Addresses-Coverity: ("Double free")
Fixes: 10b4f09491bf ("crypto: marvell - add the Virtual Function driver for CPT")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 drivers/crypto/marvell/octeontx/otx_cptvf_algs.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/crypto/marvell/octeontx/otx_cptvf_algs.c b/drivers/crypto/marvell/octeontx/otx_cptvf_algs.c
index 946fb62949b2..06202bcffb33 100644
--- a/drivers/crypto/marvell/octeontx/otx_cptvf_algs.c
+++ b/drivers/crypto/marvell/octeontx/otx_cptvf_algs.c
@@ -1161,13 +1161,13 @@ static inline u32 create_aead_null_output_list(struct aead_request *req,
 					   inputlen);
 		if (status != inputlen) {
 			status = -EINVAL;
-			goto error;
+			goto error_free;
 		}
 		status = sg_copy_from_buffer(req->dst, sg_nents(req->dst), ptr,
 					     inputlen);
 		if (status != inputlen) {
 			status = -EINVAL;
-			goto error;
+			goto error_free;
 		}
 		kfree(ptr);
 	}
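Review bot: after the `kfree(ptr);` that closes this block, ptr still holds the freed address, so the fix is only correct as long as every later `goto` picks `error` and never `error_free`. Setting `ptr = NULL;` right after that kfree (kfree(NULL) is a no-op), or declaring ptr inside the block so no label outside it can reach it, would make a wrongly chosen label harmless and keep the double free from returning when new error paths are added.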
@@ -1209,8 +1209,10 @@ static inline u32 create_aead_null_output_list(struct aead_request *req,
 
 	req_info->outcnt = argcnt;
 	return 0;
-error:
+
+error_free:
 	kfree(ptr);
+error:
 	return status;
 }
 
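Review bot: at `return status;` under the new `error:` label, the value returned can be `-EINVAL`, but the hunk header shows the function declared as `static inline u32`, so the negative errno reaches the caller as a large unsigned value and a `< 0` check on the result would never fire. This is not introduced by the patch, but since the error exits are being reworked here it is worth a follow-up to return `int`. A one-line comment above `error_free:` saying that it deliberately falls through to `error:` would also help the next reader.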
-- 
2.25.1



* Re: [PATCH][next] crypto: marvell: fix double free of ptr
  2020-04-01 23:10 [PATCH][next] crypto: marvell: fix double free of ptr Colin King
@ 2020-04-03  4:41 ` Herbert Xu
  0 siblings, 0 replies; 2+ messages in thread
From: Herbert Xu @ 2020-04-03  4:41 UTC
  To: Colin King
  Cc: Boris Brezillon, Arnaud Ebalard, Srujana Challa,
	David S . Miller, Lukasz Bartosik, linux-crypto, kernel-janitors,
	linux-kernel

On Thu, Apr 02, 2020 at 12:10:12AM +0100, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
> 
> Currently in the case where req->src != req->dst, the allocation of
> ptr is kfree'd at the end of the code block. However later on in
> the case where enc is not null any of the error return paths that
> return via the error handling return path end up performing an
> erroneous second kfree of ptr.
> 
> Fix this by adding an error exit label error_free and only jump to
> this when ptr needs kfree'ing thus avoiding the double free issue.
> 
> Addresses-Coverity: ("Double free")
> Fixes: 10b4f09491bf ("crypto: marvell - add the Virtual Function driver for CPT")
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> ---
>  drivers/crypto/marvell/octeontx/otx_cptvf_algs.c | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
