On Thu, Feb 24, 2022 at 07:09:12PM +0000, Denis Glazkov wrote:
> In function `pkcs7_digest`, if there is an error allocating memory
> for the `shash_desc` structure, the public key signature digest
> remains unfreed.
>
> Signed-off-by: Denis Glazkov <d.glazkov@xxxxxx>
> ---
> crypto/asymmetric_keys/pkcs7_verify.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c
> index 0b4d07aa8811..e6f648dcc02a 100644
> --- a/crypto/asymmetric_keys/pkcs7_verify.c
> +++ b/crypto/asymmetric_keys/pkcs7_verify.c
> @@ -50,7 +50,7 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7,
> ret = -ENOMEM;
> sig->digest = kmalloc(sig->digest_size, GFP_KERNEL);
> if (!sig->digest)
> - goto error_no_desc;
> + goto error_no_digest;
>
> desc = kzalloc(desc_size, GFP_KERNEL);
> if (!desc)
> @@ -117,6 +117,8 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7,
> error:
> kfree(desc);
> error_no_desc:
> + kfree(sig->digest);
> +error_no_digest:
> crypto_free_shash(tfm);
> kleave(" = %d", ret);
> return ret;
> --
> 2.25.1
Doesn't this introduce a double free? public_key_signature_free() frees this
too.
- Eric
