Hi Dimitry, This fix prevents the kernel from crashing when injecting the fault. Stack traces are yet shown but I guess that is expected every time a fault is injected. As to why KASAN did not notice this one, I am not sure. Maybe it is because I use two buffer pointers to point to (almost) the same memory (one that is aligned and one pointing to the complete buffer)? ---8<--- During freeing of the internal buffers used by the DRBG, set the pointer to NULL. It is possible that the context with the freed buffers is reused. In case of an error during initialization where the pointers do not yet point to allocated memory, the NULL value prevents a double free. Signed-off-by: Stephan Mueller <smueller@xxxxxxxxxx> Reported-by: syzbot+75397ee3df5c70164154@xxxxxxxxxxxxxxxxxxxxxxxxx --- crypto/drbg.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/drbg.c b/crypto/drbg.c index 4faa2781c964..466a112a4446 100644 --- a/crypto/drbg.c +++ b/crypto/drbg.c @@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg) if (!drbg) return; kzfree(drbg->Vbuf); + drbg->Vbuf = NULL; drbg->V = NULL; kzfree(drbg->Cbuf); + drbg->Cbuf = NULL; drbg->C = NULL; kzfree(drbg->scratchpadbuf); drbg->scratchpadbuf = NULL; -- 2.14.3
