Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull keys fixes from James Morris:
 "From David:

   - Fix mpi_powm()'s handling of a number with a zero exponent
     [CVE-2016-8650].

     Integrate my and Andrey's patches for mpi_powm() and use
     mpi_resize() instead of RESIZE_IF_NEEDED() - the latter adds a
     duplicate check into the execution path of a trivial case we
     don't normally expect to be taken.

   - Fix double free in X.509 error handling"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  mpi: Fix NULL ptr dereference in mpi_powm() [ver #3]
  X.509: Fix double free in x509_cert_parse() [ver #3]

1 files changed, 6 insertions, 1 deletions

diff --git a/lib/mpi/mpi-pow.c b/lib/mpi/mpi-pow.c
index 5464c8744ea9..e24388a863a7 100644
--- a/lib/mpi/mpi-pow.c
+++ b/lib/mpi/mpi-pow.c
@@ -64,8 +64,13 @@ int mpi_powm(MPI res, MPI base, MPI exp, MPI mod)
         if (!esize) {
                 /* Exponent is zero, result is 1 mod MOD, i.e., 1 or 0
                  * depending on if MOD equals 1.  */
-                rp[0] = 1;
                 res->nlimbs = (msize == 1 && mod->d[0] == 1) ? 0 : 1;
+                if (res->nlimbs) {
+                        if (mpi_resize(res, 1) < 0)
+                                goto enomem;
+                        rp = res->d;
+                        rp[0] = 1;
+                }
                 res->sign = 0;
                 goto leave;
         }