From a6b2f60b4c2ce28991e2b5f1f860c901ab6f8ab8 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Wed, 7 Aug 2019 13:37:33 +0200
Subject: [PATCH] Fix double free in psa_generate_key when psa_generate_random fails

When psa_generate_random fails, psa_generate_key_internal frees the key buffer but a the pointer to the now-freed buffer in the slot. Then psa_generate_key calls psa_fail_key_creation which sees the pointer and calls free() again.

This bug was introduced by ff5f0e7221d54e5a11db13c5198093a6b6bf4d53 "Implement atomic-creation psa_{generate,generator_import}_key" which changed how psa_generate_key() cleans up on errors.

I went through the code and could not find a similar bug in cleanup on an error during key creation.

Fix #207
---
 library/psa_crypto.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index f01a4c084..c6bc7a267 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -5718,10 +5718,7 @@ static psa_status_t psa_generate_key_internal(
     status = psa_generate_random( slot->data.raw.data,
                                   slot->data.raw.bytes );
     if( status != PSA_SUCCESS )
-    {
-        mbedtls_free( slot->data.raw.data );
         return( status );
-    }
 #if defined(MBEDTLS_DES_C)
     if( type == PSA_KEY_TYPE_DES )
         psa_des_set_key_parity( slot->data.raw.data,
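Review bot: The early return after `if( status != PSA_SUCCESS )` now leaves `slot->data.raw.data` allocated with nothing at the site saying who releases it, so a later reader may reinstate the `mbedtls_free` and reintroduce the double free the commit message describes. I would put the ownership rule on the return itself, `/* Leave slot->data.raw.data in place: the caller's psa_fail_key_creation() frees it on error. */`, so the contract is visible where it matters. Whether other early returns in this function between the allocation and the success path follow the same rule cannot be checked from the hunk. psa_generate_key_internal starts and ends outside the hunk.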