This is a note to let you know that I've just added the patch titled
crypto: af_alg - Fix socket double-free when accept fails
to the 4.3-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
crypto-af_alg-fix-socket-double-free-when-accept-fails.patch
and it can be found in the queue-4.3 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From a383292c86663bbc31ac62cc0c04fc77504636a6 Mon Sep 17 00:00:00 2001
From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Date: Wed, 30 Dec 2015 20:24:17 +0800
Subject: crypto: af_alg - Fix socket double-free when accept fails
From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
commit a383292c86663bbc31ac62cc0c04fc77504636a6 upstream.
When we fail an accept(2) call we will end up freeing the socket
twice, once due to the direct sk_free call and once again through
newsock.
This patch fixes this by removing the sk_free call.
Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
crypto/af_alg.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -285,10 +285,8 @@ int af_alg_accept(struct sock *sk, struc
security_sk_clone(sk, sk2);
err = type->accept(ask->private, sk2);
- if (err) {
- sk_free(sk2);
+ if (err)
goto unlock;
- }
sk2->sk_family = PF_ALG;
Patches currently in stable-queue which might be from herbert@xxxxxxxxxxxxxxxxxxx are
queue-4.3/crypto-fix-test-vector-for-rsa.patch
queue-4.3/crypto-algif_skcipher-use-new-skcipher-interface.patch
queue-4.3/crypto-af_alg-disallow-bind-setkey-...-after-accept-2.patch
queue-4.3/crypto-crc32c-pclmul-use-.rodata-instead-of-.rotata.patch
queue-4.3/crypto-caam-fix-non-block-aligned-hash-calculation.patch
queue-4.3/crypto-nx-fix-timing-leak-in-gcm-and-ccm-decryption.patch
queue-4.3/crypto-skcipher-copy-iv-from-desc-even-for-0-len-walks.patch
queue-4.3/crypto-skcipher-add-crypto_skcipher_has_setkey.patch
queue-4.3/crypto-algif_skcipher-add-key-check-exception-for-cipher_null.patch
queue-4.3/crypto-algif_skcipher-require-setkey-before-accept-2.patch
queue-4.3/crypto-algif_skcipher-add-nokey-compatibility-path.patch
queue-4.3/crypto-hash-add-crypto_ahash_has_setkey.patch
queue-4.3/crypto-af_alg-add-nokey-compatibility-path.patch
queue-4.3/crypto-sun4i-ss-add-missing-statesize.patch
queue-4.3/crypto-algif_hash-require-setkey-before-accept-2.patch
queue-4.3/crypto-qat-don-t-use-userspace-pointer.patch
queue-4.3/crypto-talitos-fix-timing-leak-in-esp-icv-verification.patch
queue-4.3/crypto-algif_hash-only-export-and-import-on-sockets-with-data.patch
queue-4.3/crypto-af_alg-fix-socket-double-free-when-accept-fails.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html