author: Richard Yao <[email protected]> 2022-09-27 15:36:58 -0400
committer: Tony Hutter <[email protected]> 2022-09-28 17:25:10 -0700
commit: 566e908fa01eb91e0637347987bc61772d47aee1
tree: 0e55ea2c9ce89f3cd7bb878ffddd0a850388ef21 /module/zpios
parent: a2705b1dd5f8d186db02091b96efdd5f87e38090
Fix bad free in skein code

Clang's static analyzer found a bad free caused by skein_mac_atomic(). It will allocate a context on the stack and then pass it to skein_final(), which attempts to free it. Upon inspection, skein_digest_atomic() also has the same problem.

These functions were created to match the OpenSolaris ICP API, so I was curious how we avoided this in other providers and looked at the SHA2 code. It appears that SHA2 has a SHA2Final() helper function that is called by the exported sha2_mac_final()/sha2_digest_final() as well as the sha2_mac_atomic() and sha2_digest_atomic() functions. The real work is done in SHA2Final() while some checks and the free are done in sha2_mac_final()/sha2_digest_final().

We fix the use after free in the skein code by taking inspiration from the SHA2 code. We introduce a skein_final_nofree() that does most of the work, and make skein_final() into a function that calls it and then frees the memory.

Reviewed-by: Brian Behlendorf <[email protected]>
Reviewed-by: Tony Hutter <[email protected]>
Signed-off-by: Richard Yao <[email protected]>
Closes #13954

Diffstat (limited to 'module/zpios')
0 files changed, 0 insertions, 0 deletions
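
The ownership split described in the commit message, as an added C example that is not the OpenZFS skein code. All names (toy_ctx_t, toy_final_nofree(), toy_final(), toy_atomic(), toy_multipart()) are hypothetical, and the "digest" is a placeholder accumulator, not Skein.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical toy context standing in for a hash/MAC state. */
typedef struct { uint32_t sum; } toy_ctx_t;
static int toy_frees;	/* heap contexts released by toy_final() */

static void toy_update(toy_ctx_t *c, const uint8_t *p, size_t n) {
	for (size_t i = 0; i < n; i++)
		c->sum = c->sum * 31u + p[i];
}

/* Does the real work; never frees, so it is safe for any storage class. */
static uint32_t toy_final_nofree(toy_ctx_t *c) {
	uint32_t out = c->sum;
	memset(c, 0, sizeof (*c));	/* reset state; caller keeps the storage */
	return out;
}

/* Multi-part path: the context came from calloc(), so final owns the free. */
static uint32_t toy_final(toy_ctx_t *c) {
	uint32_t out = toy_final_nofree(c);
	free(c);
	toy_frees++;
	return out;
}

static uint32_t toy_multipart(const uint8_t *p, size_t n) {
	toy_ctx_t *c = calloc(1, sizeof (*c));
	if (c == NULL)
		return 0;
	toy_update(c, p, n / 2);
	toy_update(c, p + n / 2, n - n / 2);
	return toy_final(c);
}

/* One-shot path: stack context. Calling toy_final(&c) here would hand a
 * stack address to free(), which is the defect class the commit fixes. */
static uint32_t toy_atomic(const uint8_t *p, size_t n) {
	toy_ctx_t c = { 0 };
	toy_update(&c, p, n);
	return toy_final_nofree(&c);
}

int main(void) {
	const uint8_t msg[] = "ab";	/* constructed sample input */
	uint32_t a = toy_atomic(msg, 2), b = toy_multipart(msg, 2);
	printf("atomic=%u multipart=%u frees=%d\n", a, b, toy_frees);
	return 0;
}
```

Both paths produce the same result, and only the heap-backed path ever reaches free().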