crypto: drbg - set freed buffers to NULL

During freeing of the internal buffers used by the DRBG, set the pointer to NULL. It is possible that the context with the freed buffers is reused. In case of an error during initialization where the pointers do not yet point to allocated memory, the NULL value prevents a double free. Cc: stable@vger.kernel.org Fixes: 3cfc3b9721123 ("crypto: drbg - use aligned buffers") Signed-off-by: Stephan Mueller <smueller@chronox.de> Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
author: Stephan Mueller <smueller@chronox.de> 2018-04-12 08:40:55 +0200
committer: Herbert Xu <herbert@gondor.apana.org.au> 2018-04-21 00:57:00 +0800
commit: eea0d3ea7546961f69f55b26714ac8fd71c7c020 (patch)
tree: 1a8cda1a7a5932789790ff6286791d999307d7c9 /crypto
parent: b346e492d7127e4332d5a9989b844b2095cc4fcd (diff)
download: linux-0-day-eea0d3ea7546961f69f55b26714ac8fd71c7c020.tar.gz
linux-0-day-eea0d3ea7546961f69f55b26714ac8fd71c7c020.tar.xz
1 files changed, 2 insertions, 0 deletions
diff --git a/crypto/drbg.c b/crypto/drbg.c
index 4faa2781c964e..466a112a44468 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg)
 	if (!drbg)
 		return;
 	kzfree(drbg->Vbuf);
+	drbg->Vbuf = NULL;
 	drbg->V = NULL;
 	kzfree(drbg->Cbuf);
+	drbg->Cbuf = NULL;
 	drbg->C = NULL;
 	kzfree(drbg->scratchpadbuf);
 	drbg->scratchpadbuf = NULL;
author	Stephan Mueller <smueller@chronox.de>	2018-04-12 08:40:55 +0200
committer	Herbert Xu <herbert@gondor.apana.org.au>	2018-04-21 00:57:00 +0800
commit	eea0d3ea7546961f69f55b26714ac8fd71c7c020 (patch)
tree	1a8cda1a7a5932789790ff6286791d999307d7c9 /crypto
parent	b346e492d7127e4332d5a9989b844b2095cc4fcd (diff)
download	linux-0-day-eea0d3ea7546961f69f55b26714ac8fd71c7c020.tar.gz linux-0-day-eea0d3ea7546961f69f55b26714ac8fd71c7c020.tar.xz