On Wed, Apr 11, 2018 at 04:31:01PM +0200, Stephan Müller wrote: > Sorry, this time with the proper subject line. > > ---8<--- > > During freeing of the internal buffers used by the DRBG, set the pointer > to NULL. It is possible that the context with the freed buffers is > reused. In case of an error during initialization where the pointers > do not yet point to allocated memory, the NULL value prevents a double > free. > > Signed-off-by: Stephan Mueller <smuel...@chronox.de> > Reported-by: syzbot+75397ee3df5c70164...@syzkaller.appspotmail.com > --- > crypto/drbg.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/crypto/drbg.c b/crypto/drbg.c > index 4faa2781c964..466a112a4446 100644 > --- a/crypto/drbg.c > +++ b/crypto/drbg.c > @@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct > drbg_state *drbg) > if (!drbg) > return; > kzfree(drbg->Vbuf); > + drbg->Vbuf = NULL; > drbg->V = NULL; > kzfree(drbg->Cbuf); > + drbg->Cbuf = NULL; > drbg->C = NULL; > kzfree(drbg->scratchpadbuf); > drbg->scratchpadbuf = NULL;
Can you please add Fixes and Cc stable? - Eric
