Coverity 1522032: use after free #20528
Conversation
Fix use after free error.
I think this fix is not right.
Freeing the ctx here seems completely wrong. The derive did not create the ctx, so it should also not free it.
Same on line 1029.
I also dislike multiple exit branches; it should just set a flag and goto exit.
Better fix in #20534.
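The ownership rule argued in the review above (derive did not create the ctx, so it must not free it) together with the single-exit, flag-and-goto cleanup it asks for, as an added C example. This is not OpenSSL's code and not the PR's diff: every toy_* name, the magic canary field and the FNV-1a mixing step are invented for illustration, and the "KDF" here is a toy, not Argon2. toy_kdf_derive() keeps one exit label and frees only what it allocated; toy_kdf_derive_buggy() reproduces the objectionable shape, an error path that frees the caller's ctx.

```c
/* Added example, not OpenSSL code: ownership discipline for a KDF derive()
 * error path. Every toy_* name here is invented for illustration. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define TOY_MAGIC 0x4b4446 /* canary so a caller or test can see ctx is intact */

/* Caller-owned context: created by toy_kdf_ctx_new(), released only by
 * toy_kdf_ctx_free(). derive() borrows it and must never free it. */
typedef struct {
    unsigned char *salt; /* owned by the ctx */
    size_t salt_len;
    uint32_t iterations;
    int magic;
} toy_kdf_ctx;

toy_kdf_ctx *toy_kdf_ctx_new(const unsigned char *salt, size_t salt_len,
                             uint32_t iterations)
{
    toy_kdf_ctx *ctx = calloc(1, sizeof(*ctx));
    if (ctx == NULL)
        return NULL;
    ctx->salt = malloc(salt_len > 0 ? salt_len : 1);
    if (ctx->salt == NULL) {
        free(ctx);
        return NULL;
    }
    if (salt_len > 0)
        memcpy(ctx->salt, salt, salt_len);
    ctx->salt_len = salt_len;
    ctx->iterations = iterations;
    ctx->magic = TOY_MAGIC;
    return ctx;
}

void toy_kdf_ctx_free(toy_kdf_ctx *ctx)
{
    if (ctx == NULL)
        return;
    free(ctx->salt);
    ctx->magic = 0;
    free(ctx);
}

/* One FNV-1a pass: not a password hash, just a deterministic mixing step. */
static uint32_t mix(uint32_t h, const unsigned char *p, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* Returns 1 on success, 0 on failure. Every failure path leaves ret at 0 and
 * jumps to the single exit label, which frees only the scratch buffer this
 * function allocated. ctx is untouched: the caller may retry with it or free
 * it exactly once. */
int toy_kdf_derive(toy_kdf_ctx *ctx, const unsigned char *pw, size_t pw_len,
                   unsigned char *out, size_t out_len)
{
    int ret = 0;
    unsigned char *scratch = NULL;
    uint32_t h = 2166136261u, it;
    size_t i;
    if (ctx == NULL || ctx->magic != TOY_MAGIC || out == NULL)
        goto err;
    if (out_len == 0 || out_len > 64 || ctx->iterations == 0)
        goto err; /* invalid parameters */
    if ((scratch = calloc(1, out_len)) == NULL)
        goto err; /* allocation failure */
    for (it = 0; it < ctx->iterations; it++) {
        h = mix(h, pw, pw_len);
        h = mix(h, ctx->salt, ctx->salt_len);
        h = mix(h, scratch, out_len);
        for (i = 0; i < out_len; i++)
            scratch[i] ^= (unsigned char)(h >> ((i % 4) * 8));
    }
    memcpy(out, scratch, out_len);
    ret = 1;
err:
    free(scratch); /* only what derive() allocated; free(NULL) is a no-op */
    return ret;
}

/* The shape the review objected to, in miniature: an error path that frees the
 * caller's ctx. After a 0 return the caller cannot know whether ctx still
 * exists, so a retry or its own toy_kdf_ctx_free() is a use-after-free. */
int toy_kdf_derive_buggy(toy_kdf_ctx *ctx, const unsigned char *pw,
                         size_t pw_len, unsigned char *out, size_t out_len)
{
    if (out_len == 0 || out_len > 64) {
        toy_kdf_ctx_free(ctx); /* BUG: derive() did not create ctx */
        return 0;
    }
    return toy_kdf_derive(ctx, pw, pw_len, out, out_len);
}
```

Usage: create the ctx with toy_kdf_ctx_new(), call toy_kdf_derive() as often as needed (a rejected call returns 0 and leaves the ctx reusable), and free it once with toy_kdf_ctx_free(). With toy_kdf_derive_buggy() the same caller pattern double-frees after any rejected call, which is exactly the asymmetry the review flags: the function that allocated an object is the one that releases it, and a callee that only borrows it cleans up nothing but its own temporaries on the way to its single exit.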
The context free is existing code. I've no idea why it was done that way, I just preserved the behaviour. I don't think that #20534 is a proper fix: it doesn't cater for loading a provider (or having a dynamic provider) which changes the fetched algorithms between calls to derive.
Agree this PR clearly fixes the use-after-free of This matches the behaviour in the block at line 1028 when However, there is the issue that only those two error returns (returning 0) free This PR doesn't address the pre-existing "what happens to ctx on errors" confusion, but it does clearly fix the use-after-free on an error path.
Freeing the allocated KDF context seems wrong when derive errors.
I've added a commit that takes out the ctx frees.
Thanks for changing.
This is clearly an improvement over the existing code!
Is line 1125 correct? If these are no longer needed, shouldn't they also be set to NULL? (Or is this a downref?)
That line is correct. I was being zealous in nulling out pointers.
LGTM
#20534 seems to cover a bit more than is required for this fix.
I still think #20534 is more correct. And yeah, I can then rebase it on top of this one if you insist on merging it first. It does not make sense to re-fetch the internal MD and MAC on every derive call (unless the propq is changed). You do not refetch the Argon2 kdf implementation within the ctx, so why should the internal details of it be refetched? There are also other unnecessary things within the current code, such as saving the kdf output within the ctx but never reading it again. That is simply wrong and should be removed, which #20534 does.
Merged. |
Fix use after free error. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from #20528)
Freeing the allocated KDF context seems wrong when derive errors. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from #20528)