| Message ID | 20190130213542.17313-1-ramin.blackhat@gmail.com |
|---|---|
| State | Rejected |
| Delegated to: | David Miller |
| Headers | show |
| Series | net: esp4: Fix double free on esp4 functions | expand |
From: Ramin Farajpour Cami <ramin.blackhat@gmail.com> Date: Wed, 30 Jan 2019 21:35:42 +0000 > key/tmp is being kfree'd twice,once in the "aalg_desc->uinfo.auth.icv_fullbits / 8 != crypto_aead_authsize(aead)" call > to "free_key",twice When "crypto_aead_setauthsize(aead, x->aalg->alg_trunc_len / 8)" fails call to again "free_key", > > Signed-off-by: Ramin Farajpour Cami <ramin.blackhat@gmail.com> > --- > net/ipv4/esp4.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c > index 5459f41fc26f..5a66e47641b0 100644 > --- a/net/ipv4/esp4.c > +++ b/net/ipv4/esp4.c > @@ -467,6 +467,7 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * > > error_free: > kfree(tmp); > + tmp = NULL; > error: > return err; > } This makes no sense at all, the function returns right after the kfree() and tmp is never referenced again!
On 01/30/2019 01:35 PM, Ramin Farajpour Cami wrote: > key/tmp is being kfree'd twice,once in the "aalg_desc->uinfo.auth.icv_fullbits / 8 != crypto_aead_authsize(aead)" call > to "free_key",twice When "crypto_aead_setauthsize(aead, x->aalg->alg_trunc_len / 8)" fails call to again "free_key", > > Signed-off-by: Ramin Farajpour Cami <ramin.blackhat@gmail.com> > --- > net/ipv4/esp4.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c > index 5459f41fc26f..5a66e47641b0 100644 > --- a/net/ipv4/esp4.c > +++ b/net/ipv4/esp4.c > @@ -467,6 +467,7 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * > > error_free: > kfree(tmp); > + tmp = NULL; Clearing tmp right before a "return err;" has no effect at all. > error: > return err; > } > @@ -959,7 +960,7 @@ static int esp_init_authenc(struct xfrm_state *x) > > free_key: > kfree(key); > - > + key = NULL; Same here, this is essentially dead code. > error: > return err; > } >
On Thu, Jan 31, 2019 at 06:32:07AM +0000, Ramin Farajpour Cami wrote: > Hi Eric, > > I going to for avoid double free of resource identifiers we should set > variables initialized in "tmp/key" to NULL if an error occurred int the > "esp_init_authenc()" and "esp_output_tail()" attempts to free the memory > again.my means like this patch c7055fd15ff46d92eb0dd1c16a4fe010d58224c8 > <https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c7055fd15ff46d92eb0dd1c16a4fe010d58224c8> There is a big difference between the above-noted patch and your patch. You really have to understand the code you are trying to change.
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c index 5459f41fc26f..5a66e47641b0 100644 --- a/net/ipv4/esp4.c +++ b/net/ipv4/esp4.c @@ -467,6 +467,7 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * error_free: kfree(tmp); + tmp = NULL; error: return err; } @@ -959,7 +960,7 @@ static int esp_init_authenc(struct xfrm_state *x) free_key: kfree(key); - + key = NULL; error: return err; }
key/tmp is being kfree'd twice,once in the "aalg_desc->uinfo.auth.icv_fullbits / 8 != crypto_aead_authsize(aead)" call to "free_key",twice When "crypto_aead_setauthsize(aead, x->aalg->alg_trunc_len / 8)" fails call to again "free_key", Signed-off-by: Ramin Farajpour Cami <ramin.blackhat@gmail.com> --- net/ipv4/esp4.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)