diff mbox series

crypto: algif_hash - fix double free in hash_accept

Message ID 20250518224102.478904-1-ipravdin.official@gmail.com
State New
Headers show
Series crypto: algif_hash - fix double free in hash_accept | expand

Commit Message

Ivan Pravdin May 18, 2025, 10:41 p.m. UTC 
If accept(2) is called on socket type algif_hash with
MSG_MORE flag set and crypto_ahash_import fails,
sk2 is freed. However, it is also freed in af_alg_release,
leading to slab-use-after-free error.

Fixes: fe869cdb89c9 ("crypto: algif_hash - User-space interface for hash operations")
Signed-off-by: Ivan Pravdin <ipravdin.official@gmail.com>
---
 crypto/algif_hash.c | 4 ----
 1 file changed, 4 deletions(-)
diff mbox series

Patch

diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c
index 5498a87249d3..e3f1a4852737 100644
--- a/crypto/algif_hash.c
+++ b/crypto/algif_hash.c
@@ -265,10 +265,6 @@  static int hash_accept(struct socket *sock, struct socket *newsock,
 		goto out_free_state;
 
 	err = crypto_ahash_import(&ctx2->req, state);
-	if (err) {
-		sock_orphan(sk2);
-		sock_put(sk2);
-	}
 
 out_free_state:
 	kfree_sensitive(state);