From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mo4-p02-ob.smtp.rzone.de ([81.169.146.171]:11855 "EHLO mo4-p02-ob.smtp.rzone.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753056AbeDKObm (ORCPT ); Wed, 11 Apr 2018 10:31:42 -0400 From: Stephan =?ISO-8859-1?Q?M=FCller?= To: Stephan =?ISO-8859-1?Q?M=FCller?= Cc: Dmitry Vyukov , "Theodore Y. Ts'o" , Matthew Wilcox , Herbert Xu , David Miller , linux-crypto@vger.kernel.org, Eric Biggers , syzbot , linux-fsdevel , LKML , syzkaller-bugs , Al Viro Subject: [PATCH] crypto: drbg - set freed buffers to NULL Date: Wed, 11 Apr 2018 16:31:01 +0200 Message-ID: <20316956.hJt0ZTxKTH@positron.chronox.de> In-Reply-To: <2186798.qrgUIDAn9S@positron.chronox.de> References: <001a114467482dbc4b05692df8f9@google.com> <2186798.qrgUIDAn9S@positron.chronox.de> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Sender: linux-fsdevel-owner@vger.kernel.org List-ID: Sorry, this time with the proper subject line. ---8<--- During freeing of the internal buffers used by the DRBG, set the pointer to NULL. It is possible that the context with the freed buffers is reused. In case of an error during initialization where the pointers do not yet point to allocated memory, the NULL value prevents a double free. Signed-off-by: Stephan Mueller Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com --- crypto/drbg.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/drbg.c b/crypto/drbg.c index 4faa2781c964..466a112a4446 100644 --- a/crypto/drbg.c +++ b/crypto/drbg.c @@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg) if (!drbg) return; kzfree(drbg->Vbuf); + drbg->Vbuf = NULL; drbg->V = NULL; kzfree(drbg->Cbuf); + drbg->Cbuf = NULL; drbg->C = NULL; kzfree(drbg->scratchpadbuf); drbg->scratchpadbuf = NULL; -- 2.14.3
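Review bot: The commit message for this change to drbg_dealloc_state() has no Fixes: tag and no stable Cc, even though it describes a double free reported by syzbot. Adding both would tell backporters which releases carry the stale Vbuf/Cbuf pointers. The two added assignments after kzfree(drbg->Vbuf) and kzfree(drbg->Cbuf) follow the pattern already used for drbg->scratchpadbuf, and they are sufficient because kzfree() on a NULL pointer is a no-op. The message would be clearer if it spelled out the sequence: a reused context still holds the old Vbuf/Cbuf addresses, a later initialization fails before new buffers are assigned, and the error path then frees those addresses a second time. The visible context ends at scratchpadbuf, so please confirm that any buffers freed further down in the function are reset to NULL in the same way.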