Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2f946051 authored by Pan Bian's avatar Pan Bian Committed by Greg Kroah-Hartman
Browse files

crypto: do not free algorithm before using 



commit e5bde04ccce64d808f8b00a489a1fe5825d285cb upstream.

In multiple functions, the algorithm fields are read after its reference
is dropped through crypto_mod_put. In this case, the algorithm memory
may be freed, resulting in use-after-free bugs. This patch delays the
put operation until the algorithm is never used.

Fixes: 79c65d17 ("crypto: cbc - Convert to skcipher")
Fixes: a7d85e06 ("crypto: cfb - add support for Cipher FeedBack mode")
Fixes: 043a4400 ("crypto: pcbc - Convert to skcipher")
Cc: <stable@vger.kernel.org>
Signed-off-by: default avatarPan Bian <bianpan2016@163.com>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 35929281

crypto/cbc.c

+4 −2
Original line number Diff line number Diff line
@@ -140,9 +140,8 @@ static int crypto_cbc_create(struct crypto_template *tmpl, struct rtattr **tb) 
	spawn = skcipher_instance_ctx(inst);

	err = crypto_init_spawn(spawn, alg, skcipher_crypto_instance(inst),

				CRYPTO_ALG_TYPE_MASK);

	crypto_mod_put(alg);

	if (err)

		goto err_free_inst;

		goto err_put_alg;



	err = crypto_inst_setname(skcipher_crypto_instance(inst), "cbc", alg);

	if (err)
@@ -174,12 +173,15 @@ static int crypto_cbc_create(struct crypto_template *tmpl, struct rtattr **tb) 
	err = skcipher_register_instance(tmpl, inst);

	if (err)

		goto err_drop_spawn;

	crypto_mod_put(alg);



out:

	return err;



err_drop_spawn:

	crypto_drop_spawn(spawn);

err_put_alg:

	crypto_mod_put(alg);

err_free_inst:

	kfree(inst);

	goto out;

crypto/cfb.c

+4 −2
Original line number Diff line number Diff line
@@ -286,9 +286,8 @@ static int crypto_cfb_create(struct crypto_template *tmpl, struct rtattr **tb) 
	spawn = skcipher_instance_ctx(inst);

	err = crypto_init_spawn(spawn, alg, skcipher_crypto_instance(inst),

				CRYPTO_ALG_TYPE_MASK);

	crypto_mod_put(alg);

	if (err)

		goto err_free_inst;

		goto err_put_alg;



	err = crypto_inst_setname(skcipher_crypto_instance(inst), "cfb", alg);

	if (err)
@@ -317,12 +316,15 @@ static int crypto_cfb_create(struct crypto_template *tmpl, struct rtattr **tb) 
	err = skcipher_register_instance(tmpl, inst);

	if (err)

		goto err_drop_spawn;

	crypto_mod_put(alg);



out:

	return err;



err_drop_spawn:

	crypto_drop_spawn(spawn);

err_put_alg:

	crypto_mod_put(alg);

err_free_inst:

	kfree(inst);

	goto out;

crypto/pcbc.c

+4 −2
Original line number Diff line number Diff line
@@ -244,9 +244,8 @@ static int crypto_pcbc_create(struct crypto_template *tmpl, struct rtattr **tb) 
	spawn = skcipher_instance_ctx(inst);

	err = crypto_init_spawn(spawn, alg, skcipher_crypto_instance(inst),

				CRYPTO_ALG_TYPE_MASK);

	crypto_mod_put(alg);

	if (err)

		goto err_free_inst;

		goto err_put_alg;



	err = crypto_inst_setname(skcipher_crypto_instance(inst), "pcbc", alg);

	if (err)
@@ -275,12 +274,15 @@ static int crypto_pcbc_create(struct crypto_template *tmpl, struct rtattr **tb) 
	err = skcipher_register_instance(tmpl, inst);

	if (err)

		goto err_drop_spawn;

	crypto_mod_put(alg);



out:

	return err;



err_drop_spawn:

	crypto_drop_spawn(spawn);

err_put_alg:

	crypto_mod_put(alg);

err_free_inst:

	kfree(inst);

	goto out;