random: document crng_fast_key_erasure() destination possibility

stable inclusion from stable-v5.10.119 commit 9dff512945f19afc91515f7b4e0ffe06fab417ed category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5L6BB Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9dff512945f19afc91515f7b4e0ffe06fab417ed -------------------------------- commit 8717627d upstream. This reverts 35a33ff3 ("random: use memmove instead of memcpy for remaining 32 bytes"), which was made on a totally bogus basis. The thing it was worried about overlapping came from the stack, not from one of its arguments, as Eric pointed out. But the fact that this confusion even happened draws attention to the fact that it's a bit non-obvious that the random_data parameter can alias chacha_state, and in fact should do so when the caller can't rely on the stack being cleared in a timely manner. So this commit documents that. Reported-by: N Eric Biggers <ebiggers@kernel.org> Reviewed-by: N Eric Biggers <ebiggers@google.com> Signed-off-by: N Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com>

random: document crng_fast_key_erasure() destination possibility
stable inclusion from stable-v5.10.119 commit 9dff512945f19afc91515f7b4e0ffe06fab417ed category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5L6BB Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9dff512945f19afc91515f7b4e0ffe06fab417ed -------------------------------- commit 8717627d upstream. This reverts 35a33ff3 ("random: use memmove instead of memcpy for remaining 32 bytes"), which was made on a totally bogus basis. The thing it was worried about overlapping came from the stack, not from one of its arguments, as Eric pointed out. But the fact that this confusion even happened draws attention to the fact that it's a bit non-obvious that the random_data parameter can alias chacha_state, and in fact should do so when the caller can't rely on the stack being cleared in a timely manner. So this commit documents that. Reported-by: N Eric Biggers <ebiggers@kernel.org> Reviewed-by: N Eric Biggers <ebiggers@google.com> Signed-off-by: N Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com>
ed432308 · Jason A. Donenfeld · Zheng Zengkai · 968ea0d0 · ed432308
显示空白变更内容
内联并排

Showing with 7 addition and 0 deletion

drivers/char/random.c drivers/char/random.c +7 -0

未找到文件。
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -320,6 +320,13 @@ static void crng_reseed(void)
 * the resultant ChaCha state to the user, along with the second
 * half of the block containing 32 bytes of random data that may
 * be used; random_data_len may not be greater than 32.
+ *
+ * The returned ChaCha state contains within it a copy of the old
+ * key value, at index 4, so the state should always be zeroed out
+ * immediately after using in order to maintain forward secrecy.
+ * If the state cannot be erased in a timely manner, then it is
+ * safer to set the random_data parameter to &chacha_state[4] so
+ * that this function overwrites it before returning.
 */
 static void crng_fast_key_erasure(u8 key[CHACHA_KEY_SIZE],
 				  u32 chacha_state[CHACHA_STATE_WORDS],