Patch "crypto: algif_hash - Remove bogus SGL free on zero-length error path" has been added to the 6.6-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    crypto: algif_hash - Remove bogus SGL free on zero-length error path

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     crypto-algif_hash-remove-bogus-sgl-free-on-zero-length-error-path.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 24c890dd712f6345e382256cae8c97abb0406b70 Mon Sep 17 00:00:00 2001
From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Date: Thu, 1 Feb 2024 13:49:09 +0800
Subject: crypto: algif_hash - Remove bogus SGL free on zero-length error path

From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>

commit 24c890dd712f6345e382256cae8c97abb0406b70 upstream.

When a zero-length message is hashed by algif_hash, and an error
is triggered, it tries to free an SG list that was never allocated
in the first place.  Fix this by not freeing the SG list on the
zero-length error path.

Reported-by: Shigeru Yoshida <syoshida@xxxxxxxxxx>
Reported-by: xingwei lee <xrivendell7@xxxxxxxxx>
Fixes: b6d972f68983 ("crypto: af_alg/hash: Fix recvmsg() after sendmsg(MSG_MORE)")
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Reported-by: syzbot+3266db0c26d1fbbe3abb@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 crypto/algif_hash.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c
index 82c44d4899b9..e24c829d7a01 100644
--- a/crypto/algif_hash.c
+++ b/crypto/algif_hash.c
@@ -91,13 +91,13 @@ static int hash_sendmsg(struct socket *sock, struct msghdr *msg,
 		if (!(msg->msg_flags & MSG_MORE)) {
 			err = hash_alloc_result(sk, ctx);
 			if (err)
-				goto unlock_free;
+				goto unlock_free_result;
 			ahash_request_set_crypt(&ctx->req, NULL,
 						ctx->result, 0);
 			err = crypto_wait_req(crypto_ahash_final(&ctx->req),
 					      &ctx->wait);
 			if (err)
-				goto unlock_free;
+				goto unlock_free_result;
 		}
 		goto done_more;
 	}
@@ -170,6 +170,7 @@ static int hash_sendmsg(struct socket *sock, struct msghdr *msg,
 
 unlock_free:
 	af_alg_free_sg(&ctx->sgl);
+unlock_free_result:
 	hash_free_result(sk, ctx);
 	ctx->more = false;
 	goto unlock;
-- 
2.43.2



Patches currently in stable-queue which might be from herbert@xxxxxxxxxxxxxxxxxxx are

queue-6.6/crypto-algif_hash-remove-bogus-sgl-free-on-zero-length-error-path.patch
queue-6.6/crypto-ccp-fix-null-pointer-dereference-in-__sev_platform_shutdown_locked.patch




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux