Fix double free in psa_generate_key when psa_generate_random fails

gilles-peskine-arm · gilles-peskine-arm · commit a6b2f60b4c2c · 2019-08-07T13:43:09.000+02:00
When psa_generate_random fails, psa_generate_key_internal frees the key buffer but a the pointer to the now-freed buffer in the slot. Then psa_generate_key calls psa_fail_key_creation which sees the pointer and calls free() again. This bug was introduced by ff5f0e7 "Implement atomic-creation psa_{generate,generator_import}_key" which changed how psa_generate_key() cleans up on errors. I went through the code and could not find a similar bug in cleanup on an error during key creation. Fix #207
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
@@ -5718,10 +5718,7 @@ static psa_status_t psa_generate_key_internal(
         status = psa_generate_random( slot->data.raw.data,
                                       slot->data.raw.bytes );
         if( status != PSA_SUCCESS )
-        {
-            mbedtls_free( slot->data.raw.data );
             return( status );
-        }
 #if defined(MBEDTLS_DES_C)
         if( type == PSA_KEY_TYPE_DES )
             psa_des_set_key_parity( slot->data.raw.data,
