Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull keys fixes from James Morris:
"From David:

- Fix mpi_powm()'s handling of a number with a zero exponent
[CVE-2016-8650].

Integrate my and Andrey's patches for mpi_powm() and use
mpi_resize() instead of RESIZE_IF_NEEDED() - the latter adds a
duplicate check into the execution path of a trivial case we
don't normally expect to be taken.

- Fix double free in X.509 error handling"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
mpi: Fix NULL ptr dereference in mpi_powm() [ver #3]
X.509: Fix double free in x509_cert_parse() [ver #3]

+6 -2
-1
crypto/asymmetric_keys/x509_cert_parser.c
··· 133 133 return cert; 134 134 135 135 error_decode: 136 - kfree(cert->pub->key); 137 136 kfree(ctx); 138 137 error_no_ctx: 139 138 x509_free_certificate(cert);
+6 -1
lib/mpi/mpi-pow.c
··· 64 64 if (!esize) { 65 65 /* Exponent is zero, result is 1 mod MOD, i.e., 1 or 0 66 66 * depending on if MOD equals 1. */ 67 - rp[0] = 1; 68 67 res->nlimbs = (msize == 1 && mod->d[0] == 1) ? 0 : 1; 68 + if (res->nlimbs) { 69 + if (mpi_resize(res, 1) < 0) 70 + goto enomem; 71 + rp = res->d; 72 + rp[0] = 1; 73 + } 69 74 res->sign = 0; 70 75 goto leave; 71 76 }
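Review bot: In crypto/asymmetric_keys/x509_cert_parser.c, the error_decode label now relies entirely on x509_free_certificate(cert) under error_no_ctx to release cert->pub->key, and nothing at the label says so. A one-line comment at error_decode stating that x509_free_certificate() owns cert->pub and its key would keep a later cleanup from adding the kfree() back and recreating the double free named in the commit title. The body of x509_free_certificate() is not part of this hunk, so it is worth confirming that it handles a cert whose pub or pub->key is still NULL, since error_decode can be reached before the key has been set.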
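Review bot: In lib/mpi/mpi-pow.c, the zero-exponent branch assigns res->nlimbs before mpi_resize(res, 1) has succeeded, so on the `goto enomem` path res is left claiming one limb while res->d may still be NULL or too small, and res->sign is not reset. Unless the enomem label (not visible in this hunk) clears res->nlimbs, compute the limb count into a local, call mpi_resize() first, and only store res->nlimbs and rp[0] = 1 after it returns 0. The existing comment could also note that res->d may be unallocated on entry to this branch, since that is the reason the resize is needed here.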