From: Eric Biggers <ebiggers@kernel.org>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: syzbot <syzbot+f7baccc38dcc1e094e77@syzkaller.appspotmail.com>,
	davem@davemloft.net, linux-crypto@vger.kernel.org,
	linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: lib/mpi: Fix karactx leak in mpi_powm
Date: Mon, 24 Jun 2019 14:17:37 -0700
Message-ID: <20190624211736.GA237341@gmail.com>
In-Reply-To: <20190624103226.fbjvc6eumu325ifw@gondor.apana.org.au>

On Mon, Jun 24, 2019 at 06:32:26PM +0800, Herbert Xu wrote:
> On Mon, Jun 24, 2019 at 12:27:08AM -0700, syzbot wrote:
> > Hello,
> > 
> > syzbot found the following crash on:
> > 
> > HEAD commit:    abf02e29 Merge tag 'pm-5.2-rc6' of git://git.kernel.org/pu..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=17a8bfeaa00000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=56f1da14935c3cce
> > dashboard link: https://syzkaller.appspot.com/bug?extid=f7baccc38dcc1e094e77
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=171aa7e6a00000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=153306cea00000
> > 
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+f7baccc38dcc1e094e77@syzkaller.appspotmail.com
> 
> The only memory leak that I can find is on the out-of-memory error
> path:
> 
> ---8<---
> Sometimes mpi_powm will leak karactx because a memory allocation
> failure causes a bail-out that skips the freeing of karactx.  This
> patch moves the freeing of karactx to the end of the function like
> everything else so that it can't be skipped.
> 
> Reported-by: syzbot+f7baccc38dcc1e094e77@syzkaller.appspotmail.com
> Fixes: cdec9cb5167a ("crypto: GnuPG based MPI lib - source files...")
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
> 
> diff --git a/lib/mpi/mpi-pow.c b/lib/mpi/mpi-pow.c
> index 82b19e4f1189..2fd7a46d55ec 100644
> --- a/lib/mpi/mpi-pow.c
> +++ b/lib/mpi/mpi-pow.c
> @@ -24,6 +24,7 @@
>  int mpi_powm(MPI res, MPI base, MPI exp, MPI mod)
>  {
>  	mpi_ptr_t mp_marker = NULL, bp_marker = NULL, ep_marker = NULL;
> +	struct karatsuba_ctx karactx = {};
>  	mpi_ptr_t xp_marker = NULL;
>  	mpi_ptr_t tspace = NULL;
>  	mpi_ptr_t rp, ep, mp, bp;
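Review bot: the `= {}` initializer on the moved `karactx` declaration is now load-bearing, since it replaces the `memset` that used to sit just before the first use; a one-line comment here saying that `mpihelp_release_karatsuba_ctx()` at `enomem` relies on the zeroed state would keep a later reordering of these declarations from breaking it. It also means the `goto enomem` on the `xp` allocation failure now reaches the release call with a context that was never touched, so the release helper has to accept an all-zero context on every path, not only the loop-end call the old code made.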
> @@ -150,13 +151,11 @@ int mpi_powm(MPI res, MPI base, MPI exp, MPI mod)
>  		int c;
>  		mpi_limb_t e;
>  		mpi_limb_t carry_limb;
> -		struct karatsuba_ctx karactx;
>  
>  		xp = xp_marker = mpi_alloc_limb_space(2 * (msize + 1));
>  		if (!xp)
>  			goto enomem;
>  
> -		memset(&karactx, 0, sizeof karactx);
>  		negative_result = (ep[0] & 1) && base->sign;
>  
>  		i = esize - 1;
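Review bot: the only `goto enomem` visible in this hunk is the `xp` allocation failure, which sat before the removed `memset` and so never leaked `karactx`; the bail-outs the commit message refers to are further inside the loop body and are not shown. Since the patch is tagged for stable, it would help backporters if the commit message named the failing site (syzbot's subject points at `mpihelp_mul_karatsuba_case`) instead of "sometimes".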
> @@ -281,8 +280,6 @@ int mpi_powm(MPI res, MPI base, MPI exp, MPI mod)
>  		if (mod_shift_cnt)
>  			mpihelp_rshift(rp, rp, rsize, mod_shift_cnt);
>  		MPN_NORMALIZE(rp, rsize);
> -
> -		mpihelp_release_karatsuba_ctx(&karactx);
>  	}
>  
>  	if (negative_result && rsize) {
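Review bot: moving the release out of this block is safe by construction, because `karactx` was declared inside the same block (the declaration removed in the previous hunk) and so could not be referenced after the closing brace; nothing between here and the exit labels can depend on its scratch space. Worth a sentence in the commit message: on the success path the Karatsuba scratch buffers now stay allocated across the `negative_result` handling below instead of being freed as soon as the loop finishes, which is harmless for correctness but lengthens the lifetime of that scratch memory.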
> @@ -299,6 +296,7 @@ int mpi_powm(MPI res, MPI base, MPI exp, MPI mod)
>  leave:
>  	rc = 0;
>  enomem:
> +	mpihelp_release_karatsuba_ctx(&karactx);
>  	if (assign_rp)
>  		mpi_assign_limb_space(res, rp, size);
>  	if (mp_marker)
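Review bot: with `leave:` falling through into `enomem:`, the release now runs on both the success and the failure path, which is what the fix needs, but the label name no longer describes a pure error path; renaming it (for example `out`) would read better, though that is churn best left out of a stable-tagged fix. Placing the release ahead of `mpi_assign_limb_space()` and the marker frees is fine provided the context's scratch space is independent of `rp`, which the old placement (released before the result was assigned) already assumed, and leading with it keeps the new line from being lost among the conditional frees.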
> -- 

Reviewed-by: Eric Biggers <ebiggers@kernel.org>

- Eric
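
An added illustration of the leak pattern and of the fix (example code written for this page, not the kernel's lib/mpi code): it models mpi_powm's control flow with a toy allocator that can be made to fail on a chosen call, a stand-in context struct, a "before" function that releases the context at the end of the block the way the old code did, and an "after" function that zero-initialises it at function scope and releases it under the shared exit label. All names (toy_alloc, toy_karactx, toy_mul_step, powm_before, powm_after, leaked_after) and the failing-call hook are hypothetical, and `{ 0 }` stands in for the kernel's `{}` initializer so it builds with plain C compilers.

```c
#include <stdlib.h>
#include <string.h>

/* Instrumented stand-in for mpi_alloc_limb_space(): counts live blocks and
 * fails on call number fail_on_call (0 = never). Hypothetical test hook. */
static int live_allocs, alloc_calls, fail_on_call;

static void *toy_alloc(size_t n)
{
	if (fail_on_call && ++alloc_calls == fail_on_call)
		return NULL;
	live_allocs++;
	return malloc(n);
}

static void toy_free(void *p)
{
	if (p) {
		live_allocs--;
		free(p);
	}
}

/* Stand-in for struct karatsuba_ctx; release must be safe on an all-zero one. */
struct toy_karactx {
	void *tspace;
};

static void release_ctx(struct toy_karactx *ctx)
{
	toy_free(ctx->tspace);
	ctx->tspace = NULL;
}

/* One multiply step: lazily allocates scratch into ctx, then a temporary. */
static int toy_mul_step(struct toy_karactx *ctx)
{
	void *tmp;
	if (!ctx->tspace) {
		ctx->tspace = toy_alloc(64);
		if (!ctx->tspace)
			return -1;
	}
	tmp = toy_alloc(32);
	if (!tmp)
		return -1;
	toy_free(tmp);
	return 0;
}

/* Before the fix: block-local ctx, released at block end, skipped by goto. */
static int powm_before(int steps)
{
	void *xp = NULL;
	int rc = -1, i;
	{
		struct toy_karactx karactx;
		xp = toy_alloc(16);
		if (!xp)
			goto enomem;
		memset(&karactx, 0, sizeof(karactx));
		for (i = 0; i < steps; i++)
			if (toy_mul_step(&karactx))
				goto enomem;	/* karactx.tspace is leaked here */
		release_ctx(&karactx);
	}
	rc = 0;
enomem:
	toy_free(xp);
	return rc;
}

/* After the fix: zeroed at function scope, released under the shared label. */
static int powm_after(int steps)
{
	struct toy_karactx karactx = { 0 };
	void *xp = NULL;
	int rc = -1, i;
	xp = toy_alloc(16);
	if (!xp)
		goto enomem;
	for (i = 0; i < steps; i++)
		if (toy_mul_step(&karactx))
			goto enomem;
	rc = 0;
enomem:
	release_ctx(&karactx);
	toy_free(xp);
	return rc;
}

/* Runs fn with allocation fail_call failing; returns live blocks (0 = no leak). */
static int leaked_after(int (*fn)(int), int steps, int fail_call)
{
	live_allocs = alloc_calls = 0;
	fail_on_call = fail_call;
	(void)fn(steps);
	fail_on_call = 0;
	return live_allocs;
}
```

leaked_after(powm_before, 3, 4) returns 1: the scratch buffer allocated on the first multiply step survives the bail-out when the fourth allocation fails, exactly the shape of the skipped release in the old code, while leaked_after(powm_after, 3, 4) returns 0. Failing the very first allocation (the `xp` stand-in) leaks nothing in either version, which is why the zeroed context has to be safe to release unconditionally. In the kernel, each call that hits such a failure leaves one scratch buffer behind, so a caller that can provoke allocation failures repeatedly turns the bug into steady kernel memory growth.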

Thread overview: 3+ messages
2019-06-24  7:27 memory leak in mpihelp_mul_karatsuba_case syzbot
2019-06-24 10:32 ` lib/mpi: Fix karactx leak in mpi_powm Herbert Xu
2019-06-24 21:17   ` Eric Biggers [this message]