From: Ivan Pravdin <ipravdin.official@gmail.com>
Date: Sun, 18 May 2025 22:41:02 +0000 (-0400)
Subject: crypto: algif_hash - fix double free in hash_accept
X-Git-Tag: v5.10.238~31
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bf7bba75b91539e93615f560893a599c1e1c98bf;p=thirdparty%2Fkernel%2Fstable.git

crypto: algif_hash - fix double free in hash_accept

commit b2df03ed4052e97126267e8c13ad4204ea6ba9b6 upstream.

If accept(2) is called on socket type algif_hash with
MSG_MORE flag set and crypto_ahash_import fails,
sk2 is freed. However, it is also freed in af_alg_release,
leading to slab-use-after-free error.

Fixes: fe869cdb89c9 ("crypto: algif_hash - User-space interface for hash operations")
Cc: <stable@vger.kernel.org>
Signed-off-by: Ivan Pravdin <ipravdin.official@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c
index 50f7b22f1b482..be21cfdc6dbcd 100644
--- a/crypto/algif_hash.c
+++ b/crypto/algif_hash.c
@@ -262,10 +262,6 @@ static int hash_accept(struct socket *sock, struct socket *newsock, int flags,
 		return err;
 
 	err = crypto_ahash_import(&ctx2->req, state);
-	if (err) {
-		sock_orphan(sk2);
-		sock_put(sk2);
-	}
 
 	return err;
 }