Function kmalloc() returns a NULL pointer if there is not enough memory. The function public_key_verify_signature() defined in file crypto/asymmetric_keys/public_key.c calls kmalloc() and checks its return value against NULL (at line 126). When the return value is NULL, the control flow jumps to label "error_free_req" and returns the value of variable ret. Because of the check on variable ret at line 121, its value must be 0 at that point. As a result, function public_key_verify_signature() may return 0 (which indicates success) even on failure. Maybe it is better to assign "-ENOMEM" to ret before the jump instruction at line 127.

Code related to this bug is summarised as follows.

public_key_verify_signature @@ crypto/asymmetric_keys/public_key.c
 79 int public_key_verify_signature(const struct public_key *pkey,
 80                                 const struct public_key_signature *sig)
 81 {
...
 90     int ret = -ENOMEM;
...
120     ret = crypto_akcipher_set_pub_key(tfm, pkey->key, pkey->keylen);
121     if (ret)
122         goto error_free_req;
123
124     outlen = crypto_akcipher_maxsize(tfm);
125     output = kmalloc(outlen, GFP_KERNEL);
126     if (!output)    // insert "ret = -ENOMEM;"?
127         goto error_free_req;
...
155 out_free_output:
156     kfree(output);
157 error_free_req:
158     akcipher_request_free(req);
159 error_free_tfm:
160     crypto_free_akcipher(tfm);
161     pr_devel("<==%s() = %d\n", __func__, ret);
162     return ret;
163 }

Thanks very much!
Fixed in linux-v4.10 Patch: https://patchwork.kernel.org/patch/9470901/
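The following is an added userspace re-creation of the error-path pattern in the report, placed here for illustration; it is not the kernel's code and not part of the original report or patch. The kernel allocators and crypto calls are replaced by constructed stubs (alloc_tfm, alloc_req, alloc_output, set_pub_key, do_verify) so the kmalloc() failure on the "output" buffer can be injected with set_output_alloc_failure(). verify_buggy() keeps the 4.9 control flow, where ret is overwritten with the zero result of the set-key step and then reused unchanged on the allocation failure path; verify_fixed() applies the one-line fix the report proposes.

```c
/* Added example (not kernel code): the stale-ret error-path bug from
 * public_key_verify_signature() in Linux 4.9, beside the corrected flow,
 * with the failing allocation injectable on demand. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Fault injection switch: when non-zero, the kmalloc() stand-in fails. */
static int g_fail_output_alloc;

void set_output_alloc_failure(int fail)
{
    g_fail_output_alloc = fail;
}

/* Constructed stand-ins for crypto_alloc_akcipher(), akcipher_request_alloc()
 * and kmalloc(); the last one honours the fault injection switch. */
static void *alloc_tfm(void)        { return malloc(32); }
static void *alloc_req(void)        { return malloc(32); }
static void *alloc_output(size_t n) { return g_fail_output_alloc ? NULL : malloc(n); }
/* Stand-in for crypto_akcipher_set_pub_key(): succeeds, so ret becomes 0. */
static int set_pub_key(void)        { return 0; }
/* Stand-in for the actual signature check: succeeds. */
static int do_verify(void)          { return 0; }

/* Mirrors the 4.9 flow: ret starts at -ENOMEM, is replaced by the (zero)
 * result of set_pub_key(), and is then reused unchanged when the output
 * allocation fails, so the caller is told the verification succeeded. */
int verify_buggy(void)
{
    void *tfm, *req, *output;
    int ret = -ENOMEM;

    tfm = alloc_tfm();
    if (!tfm)
        goto out;
    req = alloc_req();
    if (!req)
        goto error_free_tfm;

    ret = set_pub_key();
    if (ret)
        goto error_free_req;

    output = alloc_output(64);
    if (!output)
        goto error_free_req;        /* BUG: ret is still 0 here */

    ret = do_verify();
    free(output);
error_free_req:
    free(req);
error_free_tfm:
    free(tfm);
out:
    return ret;
}

/* Same flow with the fix proposed in the report: ret is set to -ENOMEM
 * before jumping to the shared cleanup label. */
int verify_fixed(void)
{
    void *tfm, *req, *output;
    int ret = -ENOMEM;

    tfm = alloc_tfm();
    if (!tfm)
        goto out;
    req = alloc_req();
    if (!req)
        goto error_free_tfm;

    ret = set_pub_key();
    if (ret)
        goto error_free_req;

    output = alloc_output(64);
    if (!output) {
        ret = -ENOMEM;              /* FIX: report the failure */
        goto error_free_req;
    }

    ret = do_verify();
    free(output);
error_free_req:
    free(req);
error_free_tfm:
    free(tfm);
out:
    return ret;
}

int main(void)
{
    set_output_alloc_failure(1);
    printf("output kmalloc fails: buggy=%d fixed=%d (-ENOMEM is %d)\n",
           verify_buggy(), verify_fixed(), -ENOMEM);
    return 0;
}
```

The general check this demonstrates: whenever a function reuses one ret variable across several steps and shares cleanup labels, every goto to a cleanup label after ret has been assigned a success value must itself set an error code first, or the function reports success for a failed step.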