From: Pratik Senapati <psenapati@marvell.com>
To: <dev@dpdk.org>
Cc: <gakhil@marvell.com>, <anoobj@marvell.com>,
<gmuthukrishn@marvell.com>, <kai.ji@intel.com>, <stable@dpdk.org>
Subject: [PATCH] crypto/openssl: fix use-after-free bug and cleanup
Date: Thu, 28 May 2026 13:28:22 +0530 [thread overview]
Message-ID: <20260528075822.2206494-1-psenapati@marvell.com> (raw)
params is freed before it is used by
EVP_PKEY_decapsulate_init() causing a
use-after-free issue. Pass NULL to
EVP_PKEY_decapsulate_init() instead of params
to avoid it.
Add resource cleanup for all error paths in the ML-KEM
decapsulate handler and consolidate cleanup into
two goto labels err_pkey and err_decap.
Fixes: 5f761d7b60 ("crypto/openssl: support ML-KEM and ML-DSA")
Cc: stable@dpdk.org
Signed-off-by: Pratik Senapati <psenapati@marvell.com>
---
.mailmap | 1 +
drivers/crypto/openssl/rte_openssl_pmd.c | 30 +++++++++++-------------
2 files changed, 15 insertions(+), 16 deletions(-)
diff --git a/.mailmap b/.mailmap
index 4f93307aed..031becba8c 100644
--- a/.mailmap
+++ b/.mailmap
@@ -1929,3 +1929,4 @@ Zoltan Kiss <zoltan.kiss@schaman.hu> <zoltan.kiss@linaro.org>
Zorik Machulsky <zorik@amazon.com>
Zyta Szpak <zyta@marvell.com> <zr@semihalf.com>
Zyta Szpak <zyta@marvell.com> <zyta.szpak@semihalf.com>
+Pratik Senapati <psenapati@marvell.com>
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 4f171f48cc..5bc51b8f0f 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -3683,38 +3683,29 @@ mlkem_decap_op_evp(struct rte_crypto_op *cop,
}
cctx = EVP_PKEY_CTX_new_from_pkey(NULL, pkey, NULL);
- if (cctx == NULL) {
- EVP_PKEY_free(pkey);
- cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
- return -1;
- }
+ if (cctx == NULL)
+ goto err_pkey;
- if (EVP_PKEY_decapsulate_init(cctx, params) != 1) {
+ if (EVP_PKEY_decapsulate_init(cctx, NULL) != 1) {
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
- return -1;
+ goto err_decap;
}
if (EVP_PKEY_decapsulate(cctx, NULL, &keylen,
op->decap.cipher.data, op->decap.cipher.length) != 1) {
OPENSSL_LOG(ERR, "Failed to determine output length");
- EVP_PKEY_free(pkey);
- cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
- return -1;
+ goto err_decap;
}
if (keylen > op->decap.sk.length) {
OPENSSL_LOG(ERR, "Insufficient buffer for shared key");
- EVP_PKEY_free(pkey);
- cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
- return -1;
+ goto err_decap;
}
if (EVP_PKEY_decapsulate(cctx, op->decap.sk.data, &keylen,
op->decap.cipher.data, op->decap.cipher.length) != 1) {
OPENSSL_LOG(ERR, "Failed to decapsulate");
- EVP_PKEY_free(pkey);
- cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
- return -1;
+ goto err_decap;
}
op->decap.sk.length = keylen;
@@ -3724,6 +3715,13 @@ mlkem_decap_op_evp(struct rte_crypto_op *cop,
ret = 0;
cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
return ret;
+
+err_decap:
+ EVP_PKEY_CTX_free(cctx);
+err_pkey:
+ EVP_PKEY_free(pkey);
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ return -1;
}
static int
--
2.43.0
next reply other threads:[~2026-05-28 8:01 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-28 7:58 Pratik Senapati [this message]
2026-06-02 9:03 ` [PATCH] crypto/openssl: fix use-after-free bug and cleanup Akhil Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260528075822.2206494-1-psenapati@marvell.com \
--to=psenapati@marvell.com \
--cc=anoobj@marvell.com \
--cc=dev@dpdk.org \
--cc=gakhil@marvell.com \
--cc=gmuthukrishn@marvell.com \
--cc=kai.ji@intel.com \
--cc=stable@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox