Skip to content

Commit

Permalink
crypto: algif_hash - Remove bogus SGL free on zero-length error path
Browse files Browse the repository at this point in the history
When a zero-length message is hashed by algif_hash, and an error
is triggered, it tries to free an SG list that was never allocated
in the first place.  Fix this by not freeing the SG list on the
zero-length error path.

Reported-by: Shigeru Yoshida <syoshida@redhat.com>
Reported-by: xingwei lee <xrivendell7@gmail.com>
Fixes: b6d972f ("crypto: af_alg/hash: Fix recvmsg() after sendmsg(MSG_MORE)")
Cc: <stable@vger.kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Reported-by: syzbot+3266db0c26d1fbbe3abb@syzkaller.appspotmail.com
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  • Loading branch information
Herbert Xu committed Feb 2, 2024
1 parent 69fba37 commit 24c890d
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions crypto/algif_hash.c
Original file line number Diff line number Diff line change
Expand Up @@ -91,13 +91,13 @@ static int hash_sendmsg(struct socket *sock, struct msghdr *msg,
if (!(msg->msg_flags & MSG_MORE)) {
err = hash_alloc_result(sk, ctx);
if (err)
goto unlock_free;
goto unlock_free_result;
ahash_request_set_crypt(&ctx->req, NULL,
ctx->result, 0);
err = crypto_wait_req(crypto_ahash_final(&ctx->req),
&ctx->wait);
if (err)
goto unlock_free;
goto unlock_free_result;
}
goto done_more;
}
Expand Down Expand Up @@ -170,6 +170,7 @@ static int hash_sendmsg(struct socket *sock, struct msghdr *msg,

unlock_free:
af_alg_free_sg(&ctx->sgl);
unlock_free_result:
hash_free_result(sk, ctx);
ctx->more = false;
goto unlock;
Expand Down

0 comments on commit 24c890d

Please sign in to comment.