On Mon, Jun 24, 2019 at 06:32:26PM +0800, Herbert Xu wrote: > On Mon, Jun 24, 2019 at 12:27:08AM -0700, syzbot wrote: > > Hello, > > > > syzbot found the following crash on: > > > > HEAD commit: abf02e29 Merge tag 'pm-5.2-rc6' of git://git.kernel.org/pu.. > > git tree: upstream > > console output: https://syzkaller.appspot.com/x/log.txt?x=17a8bfeaa00000 > > kernel config: https://syzkaller.appspot.com/x/.config?x=56f1da14935c3cce > > dashboard link: https://syzkaller.appspot.com/bug?extid=f7baccc38dcc1e094e77 > > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=171aa7e6a00000 > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=153306cea00000 > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > > Reported-by: syzbot+f7baccc38dcc1e094e77@xxxxxxxxxxxxxxxxxxxxxxxxx > > The only memory leak that I can find is on the out-of-memory error > path: > > ---8<--- > Sometimes mpi_powm will leak karactx because a memory allocation > failure causes a bail-out that skips the freeing of karactx. This > patch moves the freeing of karactx to the end of the function like > everything else so that it can't be skipped. > > Reported-by: syzbot+f7baccc38dcc1e094e77@xxxxxxxxxxxxxxxxxxxxxxxxx > Fixes: cdec9cb5167a ("crypto: GnuPG based MPI lib - source files...") > Cc: <stable@xxxxxxxxxxxxxxx> > Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> > > diff --git a/lib/mpi/mpi-pow.c b/lib/mpi/mpi-pow.c > index 82b19e4f1189..2fd7a46d55ec 100644 > --- a/lib/mpi/mpi-pow.c > +++ b/lib/mpi/mpi-pow.c > @@ -24,6 +24,7 @@ > int mpi_powm(MPI res, MPI base, MPI exp, MPI mod) > { > mpi_ptr_t mp_marker = NULL, bp_marker = NULL, ep_marker = NULL; > + struct karatsuba_ctx karactx = {}; > mpi_ptr_t xp_marker = NULL; > mpi_ptr_t tspace = NULL; > mpi_ptr_t rp, ep, mp, bp; 
> @@ -150,13 +151,11 @@ int mpi_powm(MPI res, MPI base, MPI exp, MPI mod) > int c; > mpi_limb_t e; > mpi_limb_t carry_limb; > - struct karatsuba_ctx karactx; > > xp = xp_marker = mpi_alloc_limb_space(2 * (msize + 1)); > if (!xp) > goto enomem; > > - memset(&karactx, 0, sizeof karactx); > negative_result = (ep[0] & 1) && base->sign; > > i = esize - 1; > @@ -281,8 +280,6 @@ int mpi_powm(MPI res, MPI base, MPI exp, MPI mod) > if (mod_shift_cnt) > mpihelp_rshift(rp, rp, rsize, mod_shift_cnt); > MPN_NORMALIZE(rp, rsize); > - > - mpihelp_release_karatsuba_ctx(&karactx); > } > > if (negative_result && rsize) { > @@ -299,6 +296,7 @@ int mpi_powm(MPI res, MPI base, MPI exp, MPI mod) > leave: > rc = 0; > enomem: > + mpihelp_release_karatsuba_ctx(&karactx); > if (assign_rp) > mpi_assign_limb_space(res, rp, size); > if (mp_marker) > -- Reviewed-by: Eric Biggers <ebiggers@xxxxxxxxxx> - Eric
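Review bot: in the `@@ -24,6 +24,7 @@` hunk, the `struct karatsuba_ctx karactx = {};` added at function scope takes over the zeroing the removed memset did, and now does it before any allocation can fail, which is the precondition for releasing the context unconditionally at the end; a short comment on the declaration saying it must stay at function scope and zero-initialised would keep a future refactor from moving it back into the inner block and reintroducing the leak.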
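Review bot: the `@@ -150,13 +151,11 @@` hunk drops `memset(&karactx, 0, sizeof karactx);` and the block-local declaration, which is correct only because the function-scope initializer now covers it; note that `xp = xp_marker = mpi_alloc_limb_space(2 * (msize + 1));` with its `goto enomem` sits directly above where the memset was, so in the old layout an allocation failure there jumped past both the initialisation and the later release, and that is the skipped-free path the commit message describes.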
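Review bot: removing `mpihelp_release_karatsuba_ctx(&karactx);` from the end of the `if` block in the `@@ -281,8 +280,6 @@` hunk is required once the release moves to the exit label; keeping both would free the context twice unless the helper resets its pointers, so this removal and the addition under `enomem:` must land together.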
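Review bot: in the `@@ -299,6 +296,7 @@` hunk, `mpihelp_release_karatsuba_ctx(&karactx);` under `enomem:` is reached on the success path too because `leave:` sets `rc = 0;` and falls through, so the context is freed exactly once either way; please confirm the helper tolerates a context whose members were never populated (still zero from the initializer), since the early `goto enomem` exits reach this label before any Karatsuba scratch space was allocated. The release now also runs before `mpi_assign_limb_space(res, rp, size)`, which is fine provided the context holds only temporary limb space and nothing that `rp` still references.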