From: Herbert Xu <herbert@gondor.apana.org.au>
To: David Howells <dhowells@redhat.com>
Cc: Shigeru Yoshida <syoshida@redhat.com>,
davem@davemloft.net, linux-crypto@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] crypto: af_alg/hash: Fix uninit-value access in af_alg_free_sg()
Date: Thu, 4 Jan 2024 10:03:06 +0800
Message-ID: <ZZYR2qcc2Fmaxqq0@gondor.apana.org.au>
In-Reply-To: <386306.1704296211@warthog.procyon.org.uk>

On Wed, Jan 03, 2024 at 03:36:51PM +0000, David Howells wrote:
> Hmmm... Is that going to get you a potential memory leak?
>
> ctx->sgl.sgt.sgl could (in theory) point to an allocated table. I guess that
> would be cleaned up by af_alg_free_areq_sgls(), so there's probably no leak
> there.

The SG list is only set up in this function, and gets freed before
we return. There should be no SG list on entry. It's only because
you added the special case for a zero-length hash that we hit the
bogus free. So we should fix this by not freeing the SG list in
the zero-length case, as it was never allocated.

> OTOH, af_alg_free_areq_sgls() is going to call af_alg_free_sg(), so maybe we
> want to initialise sgl->sgt.sgl to NULL as well.

That has nothing to do with this. This SG list is specific to
algif_hash and has nothing to do with the shared SG list used
by aead and skcipher.

Cheers,
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
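
An added illustration, not part of the original message and not kernel code: a user-space C model of the pattern discussed in this thread, where a zero-length shortcut jumps to a cleanup label that frees a table the call never set up. All names are hypothetical, and the stale pointer is a constructed stand-in for uninitialised memory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space model only: every name here is hypothetical, not a kernel symbol. */
#define STALE_PTR ((void *)(uintptr_t)0xAAAAAAAAu) /* constructed stand-in for uninitialised memory */

struct model_ctx {
    void *sgl;        /* plays the role of ctx->sgl.sgt.sgl */
    void *owned;      /* table this call really allocated, if any */
    int bogus_frees;  /* frees of a pointer that was never allocated */
};

static void model_free_sg(struct model_ctx *ctx)
{
    if (ctx->sgl && ctx->sgl == ctx->owned)
        free(ctx->owned);
    else if (ctx->sgl)
        ctx->bogus_frees++;  /* real code would pass the stale pointer on to be freed */
    ctx->sgl = ctx->owned = NULL;
}

/* skip_free_on_zero_len: false models the reported path, true the fix discussed in the thread. */
static int model_sendmsg(struct model_ctx *ctx, size_t len, bool skip_free_on_zero_len)
{
    if (len == 0) {                 /* zero-length hash: no table is built */
        if (skip_free_on_zero_len)
            return 0;
        goto free_sg;
    }
    ctx->owned = malloc(len);
    if (!ctx->owned)
        return -1;
    ctx->sgl = ctx->owned;          /* table set up inside this function ... */
free_sg:
    model_free_sg(ctx);             /* ... and freed before returning */
    return 0;
}

int count_bogus_frees(size_t len, bool skip_free_on_zero_len)
{
    struct model_ctx ctx = { .sgl = STALE_PTR };
    model_sendmsg(&ctx, len, skip_free_on_zero_len);
    return ctx.bogus_frees;
}

int main(void)
{
    return printf("%d %d %d\n", count_bogus_frees(0, false), count_bogus_frees(0, true), count_bogus_frees(64, false)) < 0;
}
```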