crypto: drbg - set freed buffers to NULL

commit eea0d3ea7546961f69f55b26714ac8fd71c7c020 upstream. During freeing of the internal buffers used by the DRBG, set the pointer to NULL. It is possible that the context with the freed buffers is reused. In case of an error during initialization where the pointers do not yet point to allocated memory, the NULL value prevents a double free. Cc: stable@vger.kernel.org Fixes: 3cfc3b9721123 ("crypto: drbg - use aligned buffers") Signed-off-by: Stephan Mueller <smueller@chronox.de> Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Stephan Mueller <smueller@chronox.de> 2018-04-12 08:40:55 +0200
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-05-01 15:13:08 -0700
commit: 2e2d6f1e783fc6d827ca32a6ca41ebdda855cfd8 (patch)
tree: a88ba82ec18967ef10731609ed1142aebca1fff2 /crypto
parent: 8970c12ac9b917b27e42c0537ab7fce0357f0cf3 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/crypto/drbg.c b/crypto/drbg.c
index 942ddff68408..4bb5f93c94cd 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg)
 	if (!drbg)
 		return;
 	kzfree(drbg->Vbuf);
+	drbg->Vbuf = NULL;
 	drbg->V = NULL;
 	kzfree(drbg->Cbuf);
+	drbg->Cbuf = NULL;
 	drbg->C = NULL;
 	kzfree(drbg->scratchpadbuf);
 	drbg->scratchpadbuf = NULL;
author	Stephan Mueller <smueller@chronox.de>	2018-04-12 08:40:55 +0200
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-05-01 15:13:08 -0700
commit	2e2d6f1e783fc6d827ca32a6ca41ebdda855cfd8 (patch)
tree	a88ba82ec18967ef10731609ed1142aebca1fff2 /crypto
parent	8970c12ac9b917b27e42c0537ab7fce0357f0cf3 (diff)