crypto: do not free algorithm before using
In multiple functions, the algorithm fields are read after its reference
is dropped through crypto_mod_put. In this case, the algorithm memory
may be freed, resulting in use-after-free bugs. This patch delays the
put operation until the algorithm is no longer used.

Fixes: 79c65d1 ("crypto: cbc - Convert to skcipher")
Fixes: a7d85e0 ("crypto: cfb - add support for Cipher FeedBack mode")
Fixes: 043a440 ("crypto: pcbc - Convert to skcipher")
Cc: <[email protected]>
Signed-off-by: Pan Bian <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
SinkFinder authored and herbertx committed Nov 29, 2018
1 parent 9f4debe commit e5bde04
Showing 3 changed files with 12 additions and 6 deletions.
6 changes: 4 additions & 2 deletions crypto/cbc.c
@@ -140,9 +140,8 @@ static int crypto_cbc_create(struct crypto_template *tmpl, struct rtattr **tb)
spawn = skcipher_instance_ctx(inst);
err = crypto_init_spawn(spawn, alg, skcipher_crypto_instance(inst),
CRYPTO_ALG_TYPE_MASK);
crypto_mod_put(alg);
if (err)
goto err_free_inst;
goto err_put_alg;

err = crypto_inst_setname(skcipher_crypto_instance(inst), "cbc", alg);
if (err)
@@ -174,12 +173,15 @@ static int crypto_cbc_create(struct crypto_template *tmpl, struct rtattr **tb)
err = skcipher_register_instance(tmpl, inst);
if (err)
goto err_drop_spawn;
crypto_mod_put(alg);

out:
return err;

err_drop_spawn:
crypto_drop_spawn(spawn);
err_put_alg:
crypto_mod_put(alg);
err_free_inst:
kfree(inst);
goto out;
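Review bot: Nothing at the relocated `crypto_mod_put(alg);` after `skcipher_register_instance()` or at the new `err_put_alg:` label says why the reference must be held that long, so a later tidy-up could move the put back beside `crypto_init_spawn()` and reintroduce the use-after-free described in the commit message. I would add a comment on the success-path put, e.g. `/* alg is still read after crypto_init_spawn() (crypto_inst_setname() at least); drop the lookup reference only after the last use */`. The same applies to the identical changes in crypto/cfb.c and crypto/pcbc.c. crypto_cbc_create starts before the first hunk and continues between the two, so it is worth confirming that every `goto err_free_inst` left outside the visible lines is on a path where `alg` was never acquired, since that label now sits below the put.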
6 changes: 4 additions & 2 deletions crypto/cfb.c
@@ -286,9 +286,8 @@ static int crypto_cfb_create(struct crypto_template *tmpl, struct rtattr **tb)
spawn = skcipher_instance_ctx(inst);
err = crypto_init_spawn(spawn, alg, skcipher_crypto_instance(inst),
CRYPTO_ALG_TYPE_MASK);
crypto_mod_put(alg);
if (err)
goto err_free_inst;
goto err_put_alg;

err = crypto_inst_setname(skcipher_crypto_instance(inst), "cfb", alg);
if (err)
@@ -317,12 +316,15 @@ static int crypto_cfb_create(struct crypto_template *tmpl, struct rtattr **tb)
err = skcipher_register_instance(tmpl, inst);
if (err)
goto err_drop_spawn;
crypto_mod_put(alg);

out:
return err;

err_drop_spawn:
crypto_drop_spawn(spawn);
err_put_alg:
crypto_mod_put(alg);
err_free_inst:
kfree(inst);
goto out;
6 changes: 4 additions & 2 deletions crypto/pcbc.c
@@ -244,9 +244,8 @@ static int crypto_pcbc_create(struct crypto_template *tmpl, struct rtattr **tb)
spawn = skcipher_instance_ctx(inst);
err = crypto_init_spawn(spawn, alg, skcipher_crypto_instance(inst),
CRYPTO_ALG_TYPE_MASK);
crypto_mod_put(alg);
if (err)
goto err_free_inst;
goto err_put_alg;

err = crypto_inst_setname(skcipher_crypto_instance(inst), "pcbc", alg);
if (err)
@@ -275,12 +274,15 @@ static int crypto_pcbc_create(struct crypto_template *tmpl, struct rtattr **tb)
err = skcipher_register_instance(tmpl, inst);
if (err)
goto err_drop_spawn;
crypto_mod_put(alg);

out:
return err;

err_drop_spawn:
crypto_drop_spawn(spawn);
err_put_alg:
crypto_mod_put(alg);
err_free_inst:
kfree(inst);
goto out;