From patchwork Wed Nov 1 22:25:16 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 10037687 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 76C116032D for ; Wed, 1 Nov 2017 22:28:35 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6684528C28 for ; Wed, 1 Nov 2017 22:28:35 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 5B11028C2B; Wed, 1 Nov 2017 22:28:35 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4ED2E28C28 for ; Wed, 1 Nov 2017 22:28:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933547AbdKAW2c (ORCPT ); Wed, 1 Nov 2017 18:28:32 -0400 Received: from mail-io0-f194.google.com ([209.85.223.194]:55524 "EHLO mail-io0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933526AbdKAW23 (ORCPT ); Wed, 1 Nov 2017 18:28:29 -0400 Received: by mail-io0-f194.google.com with SMTP id p186so9502579ioe.12; Wed, 01 Nov 2017 15:28:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=gxdWzNqK2+78IGs8XhX+zbztBdiDmx49HhJJjJ9VrF0=; b=ZhznglaUlX4hX6r4hkTFu61M8TG3Jm8XkGoPacOKxoaljW1Nq941yOprWY/Nx1uXBd CAgvXRJ15IdsUeStNWQWUOLTpYKi+NZ3J2Pjv/AW20l7/QoHUbt8piq5NRmUDVNBXpwO cOHbdQ2vNJxpEaeaGmKiMpUC3EH9mIXDSR9IoWBo72GZrHzm92Q6rNk+9C6x8iflXkc9 X1Xm7VpSY7fD7TYFLWahOG/0nEy9JxfHT/K9VtTGQGw2tPbx3wy5Xi0RLzoQGrvA5kbS I6VU3hNa1xDrJllEJKKmFEaAcIVUYh4fa3F4/lGbkqaG+gc+/wW9a4XOdE1eGS4+iMgA yagQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=gxdWzNqK2+78IGs8XhX+zbztBdiDmx49HhJJjJ9VrF0=; b=fua/2p8EuYNkWNtpHNH7FfQ2jGIhu8gzF6/mrvhnwc/T7jYAXfbMdfhDpzid6ll8Ln eHsArtkhTV5MPFzXAgegTg1FrqKSXoErC2n6hocMNpkUPzTXfV/s9rDFCeIibCH69ydI eAyTevn3NHnQFLSepf9HFl/bpSxDBqlHeX7iisMd0Ycbx7E4eKw/McSjmUM9YMEPySHv ThcbrI6Pe3/pHJSjDXKlQqtB1jnmI1wA+QWhbhzpGKe/awBEjRxvNU4VDfw+jyzfOaro oXG4P6639bTEUXw/9ijrY2cykwaar+/SB8FVGmDK3G/C4gyxWTrzMzS5EtaqWlX3+QB1 B3MQ== X-Gm-Message-State: AMCzsaULksBVLwdiogC9Cl4D/85byk9dd85xm2+rBbPmFgWpFrqDJNBC mkUuMPNYINWNCVgLPSAbTdbghSk8 X-Google-Smtp-Source: ABhQp+SgKfSv4Vj/igdxjXqKMaDTPMZ4PCX9AaAOzpL9cU4Wfhi2P22DQLL8J/FPnLEK4NshY6oIXg== X-Received: by 10.107.183.197 with SMTP id h188mr1761824iof.183.1509575308582; Wed, 01 Nov 2017 15:28:28 -0700 (PDT) Received: from ebiggers-linuxstation.kir.corp.google.com ([100.66.175.88]) by smtp.gmail.com with ESMTPSA id z201sm753387iod.6.2017.11.01.15.28.27 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 01 Nov 2017 15:28:28 -0700 (PDT) From: Eric Biggers To: linux-crypto@vger.kernel.org, Herbert Xu Cc: keyrings@vger.kernel.org, Tudor-Dan Ambarus , Mat Martineau , Salvatore Benedetto , Stephan Mueller , Eric Biggers , stable@vger.kernel.org Subject: [PATCH 3/4] crypto: qat - fix double free of ctx->p Date: Wed, 1 Nov 2017 15:25:16 -0700 Message-Id: <20171101222517.41602-4-ebiggers3@gmail.com> X-Mailer: git-send-email 2.15.0.403.gc27cc4dac6-goog In-Reply-To: <20171101222517.41602-1-ebiggers3@gmail.com> References: <20171101222517.41602-1-ebiggers3@gmail.com> Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers When setting the secret with the "qat-dh" Diffie-Hellman implementation, if allocating 'g' failed, then 'p' was freed twice: once immediately, and once later when the crypto_kpp tfm was destroyed. Fix it by using qat_dh_clear_ctx() in the error paths, as that sets the pointers to NULL. Fixes: c9839143ebbf ("crypto: qat - Add DH support") Cc: # v4.8+ Signed-off-by: Eric Biggers --- drivers/crypto/qat/qat_common/qat_asym_algs.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/drivers/crypto/qat/qat_common/qat_asym_algs.c b/drivers/crypto/qat/qat_common/qat_asym_algs.c index 6f5dd68449c6..7655fdb499de 100644 --- a/drivers/crypto/qat/qat_common/qat_asym_algs.c +++ b/drivers/crypto/qat/qat_common/qat_asym_algs.c @@ -462,11 +462,8 @@ static int qat_dh_set_params(struct qat_dh_ctx *ctx, struct dh *params) } ctx->g = dma_zalloc_coherent(dev, ctx->p_size, &ctx->dma_g, GFP_KERNEL); - if (!ctx->g) { - dma_free_coherent(dev, ctx->p_size, ctx->p, ctx->dma_p); - ctx->p = NULL; + if (!ctx->g) return -ENOMEM; - } memcpy(ctx->g + (ctx->p_size - params->g_size), params->g, params->g_size); @@ -507,18 +504,22 @@ static int qat_dh_set_secret(struct crypto_kpp *tfm, const void *buf, ret = qat_dh_set_params(ctx, ¶ms); if (ret < 0) - return ret; + goto err_clear_ctx; ctx->xa = dma_zalloc_coherent(dev, ctx->p_size, &ctx->dma_xa, GFP_KERNEL); if (!ctx->xa) { - qat_dh_clear_ctx(dev, ctx); - return -ENOMEM; + ret = -ENOMEM; + goto err_clear_ctx; } memcpy(ctx->xa + (ctx->p_size - params.key_size), params.key, params.key_size); return 0; + +err_clear_ctx: + qat_dh_clear_ctx(dev, ctx); + return ret; } static unsigned int qat_dh_max_size(struct crypto_kpp *tfm)