commit a6b2f60b4c2ce28991e2b5f1f860c901ab6f8ab8
author Gilles Peskine <Gilles.Peskine@arm.com> Wed Aug 07 13:37:33 2019 +0200
committer Gilles Peskine <Gilles.Peskine@arm.com> Wed Aug 07 13:43:09 2019 +0200
tree fe7b2bd7d29be4ce890b29c12fd539f12019178d
parent b1f6c5fd4d281c6d93600ff3601f7340ab79dfb5

Fix double free in psa_generate_key when psa_generate_random fails

When psa_generate_random fails, psa_generate_key_internal frees the
key buffer but a the pointer to the now-freed buffer in the slot. Then
psa_generate_key calls psa_fail_key_creation which sees the pointer
and calls free() again.

This bug was introduced by ff5f0e7221d54e5a11db13c5198093a6b6bf4d53
"Implement atomic-creation psa_{generate,generator_import}_key" which
changed how psa_generate_key() cleans up on errors. I went through the
code and could not find a similar bug in cleanup on an error during
key creation.

Fix #207

library/psa_crypto.c

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index f01a4c0..c6bc7a2 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -5718,10 +5718,7 @@
         status = psa_generate_random( slot->data.raw.data,
                                       slot->data.raw.bytes );
         if( status != PSA_SUCCESS )
-        {
-            mbedtls_free( slot->data.raw.data );
             return( status );
-        }
 #if defined(MBEDTLS_DES_C)
         if( type == PSA_KEY_TYPE_DES )
             psa_des_set_key_parity( slot->data.raw.data,