Revision - 2b95fda - X.509: Fix double free in x509_cert_parse() [ver #3] - origin: https://github.com/torvalds/linux

visit type:

https://github.com/torvalds/linux

17 May 2024, 09:02:56 UTC

Revision 2b95fda2c4fcb6d6625963f889247538f247fce0 authored by Andrey Ryabinin on 24 November 2016, 13:23:03 UTC, committed by James Morris on 25 November 2016, 01:57:48 UTC

X.509: Fix double free in x509_cert_parse() [ver #3]

We shouldn't free cert->pub->key in x509_cert_parse() because
x509_free_certificate() also does this:
	BUG: Double free or freeing an invalid pointer
	...
	Call Trace:
	 [<ffffffff81896c20>] dump_stack+0x63/0x83
	 [<ffffffff81356571>] kasan_object_err+0x21/0x70
	 [<ffffffff81356ed9>] kasan_report_double_free+0x49/0x60
	 [<ffffffff813561ad>] kasan_slab_free+0x9d/0xc0
	 [<ffffffff81350b7a>] kfree+0x8a/0x1a0
	 [<ffffffff81844fbf>] public_key_free+0x1f/0x30
	 [<ffffffff818455d4>] x509_free_certificate+0x24/0x90
	 [<ffffffff818460bc>] x509_cert_parse+0x2bc/0x300
	 [<ffffffff81846cae>] x509_key_preparse+0x3e/0x330
	 [<ffffffff818444cf>] asymmetric_key_preparse+0x6f/0x100
	 [<ffffffff8178bec0>] key_create_or_update+0x260/0x5f0
	 [<ffffffff8178e6d9>] SyS_add_key+0x199/0x2a0
	 [<ffffffff821d823b>] entry_SYSCALL_64_fastpath+0x1e/0xad
	Object at ffff880110bd1900, in cache kmalloc-512 size: 512
	....
	Freed:
	PID = 2579
	[<ffffffff8104283b>] save_stack_trace+0x1b/0x20
	[<ffffffff813558f6>] save_stack+0x46/0xd0
	[<ffffffff81356183>] kasan_slab_free+0x73/0xc0
	[<ffffffff81350b7a>] kfree+0x8a/0x1a0
	[<ffffffff818460a3>] x509_cert_parse+0x2a3/0x300
	[<ffffffff81846cae>] x509_key_preparse+0x3e/0x330
	[<ffffffff818444cf>] asymmetric_key_preparse+0x6f/0x100
	[<ffffffff8178bec0>] key_create_or_update+0x260/0x5f0
	[<ffffffff8178e6d9>] SyS_add_key+0x199/0x2a0
	[<ffffffff821d823b>] entry_SYSCALL_64_fastpath+0x1e/0xad

Fixes: db6c43bd2132 ("crypto: KEYS: convert public key and digsig asym to the akcipher api")
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>

1 parent 16ae16c

Files
Changes

Permalinks

Tip revision: 2b95fda2c4fcb6d6625963f889247538f247fce0 authored by Andrey Ryabinin on 24 November 2016, 13:23:03 UTC
X.509: Fix double free in x509_cert_parse() [ver #3]

Tip revision: 2b95fda

File	Mode	Size
asymmetric_keys
async_tx
.gitignore	-rw-r--r--	12 bytes
842.c	-rw-r--r--	2.6 KB
Kconfig	-rw-r--r--	49.0 KB
Makefile	-rw-r--r--	5.0 KB
ablk_helper.c	-rw-r--r--	4.4 KB
ablkcipher.c	-rw-r--r--	12.9 KB
aead.c	-rw-r--r--	10.1 KB
aes_generic.c	-rw-r--r--	62.0 KB
af_alg.c	-rw-r--r--	10.6 KB
ahash.c	-rw-r--r--	14.7 KB
akcipher.c	-rw-r--r--	3.9 KB
algapi.c	-rw-r--r--	21.1 KB
algboss.c	-rw-r--r--	6.3 KB
algif_aead.c	-rw-r--r--	18.8 KB
algif_hash.c	-rw-r--r--	10.4 KB
algif_rng.c	-rw-r--r--	5.2 KB
algif_skcipher.c	-rw-r--r--	21.0 KB
ansi_cprng.c	-rw-r--r--	10.9 KB
anubis.c	-rw-r--r--	27.8 KB
api.c	-rw-r--r--	13.8 KB
arc4.c	-rw-r--r--	3.4 KB
authenc.c	-rw-r--r--	13.9 KB
authencesn.c	-rw-r--r--	15.2 KB
blkcipher.c	-rw-r--r--	15.0 KB
blowfish_common.c	-rw-r--r--	15.7 KB
blowfish_generic.c	-rw-r--r--	3.4 KB
camellia_generic.c	-rw-r--r--	34.9 KB
cast5_generic.c	-rw-r--r--	20.9 KB
cast6_generic.c	-rw-r--r--	9.5 KB
cast_common.c	-rw-r--r--	13.1 KB
cbc.c	-rw-r--r--	7.5 KB
ccm.c	-rw-r--r--	22.7 KB
chacha20_generic.c	-rw-r--r--	3.9 KB
chacha20poly1305.c	-rw-r--r--	19.3 KB
cipher.c	-rw-r--r--	3.3 KB
cmac.c	-rw-r--r--	7.5 KB
compress.c	-rw-r--r--	1.3 KB
crc32_generic.c	-rw-r--r--	3.8 KB
crc32c_generic.c	-rw-r--r--	4.3 KB
crct10dif_common.c	-rw-r--r--	3.6 KB
crct10dif_generic.c	-rw-r--r--	3.2 KB
cryptd.c	-rw-r--r--	28.6 KB
crypto_engine.c	-rw-r--r--	12.2 KB
crypto_null.c	-rw-r--r--	5.3 KB
crypto_user.c	-rw-r--r--	12.6 KB
crypto_wq.c	-rw-r--r--	972 bytes
ctr.c	-rw-r--r--	12.4 KB
cts.c	-rw-r--r--	12.2 KB
deflate.c	-rw-r--r--	5.4 KB
des_generic.c	-rw-r--r--	35.7 KB
dh.c	-rw-r--r--	3.7 KB
dh_helper.c	-rw-r--r--	2.6 KB
drbg.c	-rw-r--r--	56.9 KB
ecb.c	-rw-r--r--	4.9 KB
ecc.c	-rw-r--r--	24.4 KB
ecc.h	-rw-r--r--	3.4 KB
ecc_curve_defs.h	-rw-r--r--	1.5 KB
ecdh.c	-rw-r--r--	3.5 KB
ecdh_helper.c	-rw-r--r--	2.3 KB
echainiv.c	-rw-r--r--	4.6 KB
fcrypt.c	-rw-r--r--	18.0 KB
fips.c	-rw-r--r--	1.6 KB
gcm.c	-rw-r--r--	33.2 KB
gf128mul.c	-rw-r--r--	13.2 KB
ghash-generic.c	-rw-r--r--	3.6 KB
hash_info.c	-rw-r--r--	1.9 KB
hmac.c	-rw-r--r--	6.8 KB
internal.h	-rw-r--r--	4.2 KB
jitterentropy-kcapi.c	-rw-r--r--	6.0 KB
jitterentropy.c	-rw-r--r--	23.9 KB
keywrap.c	-rw-r--r--	12.6 KB
khazad.c	-rw-r--r--	51.8 KB
kpp.c	-rw-r--r--	2.9 KB
lrw.c	-rw-r--r--	9.2 KB
lz4.c	-rw-r--r--	2.5 KB
lz4hc.c	-rw-r--r--	2.6 KB
lzo.c	-rw-r--r--	2.6 KB
mcryptd.c	-rw-r--r--	17.4 KB
md4.c	-rw-r--r--	6.2 KB
md5.c	-rw-r--r--	4.1 KB
memneq.c	-rw-r--r--	6.1 KB
michael_mic.c	-rw-r--r--	3.6 KB
pcbc.c	-rw-r--r--	7.7 KB
pcrypt.c	-rw-r--r--	13.2 KB
poly1305_generic.c	-rw-r--r--	8.0 KB
proc.c	-rw-r--r--	3.0 KB
ripemd.h	-rw-r--r--	974 bytes
rmd128.c	-rw-r--r--	10.2 KB
rmd160.c	-rw-r--r--	12.6 KB
rmd256.c	-rw-r--r--	10.6 KB
rmd320.c	-rw-r--r--	13.1 KB
rng.c	-rw-r--r--	5.0 KB
rsa-pkcs1pad.c	-rw-r--r--	17.6 KB
rsa.c	-rw-r--r--	7.5 KB
rsa_helper.c	-rw-r--r--	4.2 KB
rsaprivkey.asn1	-rw-r--r--	316 bytes
rsapubkey.asn1	-rw-r--r--	82 bytes
salsa20_generic.c	-rw-r--r--	6.7 KB
scatterwalk.c	-rw-r--r--	2.2 KB
seed.c	-rw-r--r--	17.4 KB
seqiv.c	-rw-r--r--	5.4 KB
serpent_generic.c	-rw-r--r--	21.2 KB
sha1_generic.c	-rw-r--r--	2.6 KB
sha256_generic.c	-rw-r--r--	11.0 KB
sha3_generic.c	-rw-r--r--	7.0 KB
sha512_generic.c	-rw-r--r--	7.1 KB
shash.c	-rw-r--r--	14.1 KB
skcipher.c	-rw-r--r--	12.0 KB
tcrypt.c	-rw-r--r--	50.8 KB
tcrypt.h	-rw-r--r--	4.3 KB
tea.c	-rw-r--r--	6.6 KB
testmgr.c	-rw-r--r--	90.1 KB
testmgr.h	-rw-r--r--	1.2 MB
tgr192.c	-rw-r--r--	30.5 KB
twofish_common.c	-rw-r--r--	37.8 KB
twofish_generic.c	-rw-r--r--	6.3 KB
vmac.c	-rw-r--r--	18.9 KB
wp512.c	-rw-r--r--	59.8 KB
xcbc.c	-rw-r--r--	7.2 KB
xor.c	-rw-r--r--	4.0 KB
xts.c	-rw-r--r--	8.5 KB

Showing with 0 additions and 0 deletions (0 / 0 diffs computed)

Computing file changes ...