Re: [PATCH V3] crypto: Mark intermediary memory as clean

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Stephan Mueller <smueller@chronox.de>
To: Edward Adam Davis <eadavis@qq.com>
Cc: davem@davemloft.net, eadavis@qq.com, herbert@gondor.apana.org.au,
	linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
	syzbot+e8bcd7ee3db6cb5cb875@syzkaller.appspotmail.com,
	syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH V3] crypto: Mark intermediary memory as clean
Date: Mon, 18 Aug 2025 15:32:43 +0200	[thread overview]
Message-ID: <2401599.22IY78Rhhi@tauon> (raw)
In-Reply-To: <tencent_65C6578989EEED6EE78C8B67E586DE92EB06@qq.com>

Am Montag, 18. August 2025, 15:24:17 Mitteleuropäische Sommerzeit schrieb 
Edward Adam Davis:

Hi Edward,

> This is not a leak! The stack memroy is hashed and fed into the
> entropy pool. We can't recover the original kernel memory from it.
> 
> Reported-by: syzbot+e8bcd7ee3db6cb5cb875@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=e8bcd7ee3db6cb5cb875
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>

Thank you for the patch. Just for the records:

- the intermediary buffer could be initialized to 0 without any effect on the 
Jitter RNG, because all it wants is actually the execution of the Keccak 
operation as part of crypto_shhash_finup.

- the intermediary buffer is inserted into the Jitter RNG state to ensure that 
the compiler cannot optimize away the loop if the intermediary buffer would 
not be used at all

- the intermediary buffer is not credited with any entropy as we only want the 
Keccak operation

- by keeping the intermediary uninitialized, the Jitter RNG may get some 
variations from the uninitialized buffer so that its internal state may 
benefit from it

That said, I am fine with this current patch. But if there is still lingering 
concern, I am equally fine to have it initialized to zero.

Thanks a lot
Stephan

> ---
> V1 -> V2: mark it as unpoison
> V2 -> V3: replace to sizeof, minimize the possibilities where
> inconsistencies can occur
> 
>  crypto/jitterentropy-kcapi.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/crypto/jitterentropy-kcapi.c b/crypto/jitterentropy-kcapi.c
> index 1266eb790708..4020a6e41b0e 100644
> --- a/crypto/jitterentropy-kcapi.c
> +++ b/crypto/jitterentropy-kcapi.c
> @@ -117,6 +117,7 @@ int jent_hash_time(void *hash_state, __u64 time, u8
> *addtl, pr_warn_ratelimited("Unexpected digest size\n");
>  		return -EINVAL;
>  	}
> +	kmsan_unpoison_memory(intermediary, sizeof(intermediary));
> 
>  	/*
>  	 * This loop fills a buffer which is injected into the entropy pool.


Ciao
Stephan

next prev parent reply	other threads:[~2025-08-18 13:50 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-08-08  8:07 [syzbot] [crypto?] KMSAN: kernel-infoleak in rng_recvmsg syzbot
2025-08-09  7:19 ` Edward Adam Davis
2025-08-09  9:52   ` syzbot
2025-08-09  9:59 ` [PATCH] crypto: Prevent " Edward Adam Davis
2025-08-16  9:17   ` Herbert Xu
2025-08-17  8:51     ` Herbert Xu
2025-08-17 10:59       ` [PATCH V2] crypto: Mark intermediary memory as clean Edward Adam Davis
2025-08-17 11:40         ` Herbert Xu
2025-08-18 12:17           ` Edward Adam Davis
2025-08-18 12:30             ` Herbert Xu
2025-08-18 12:43               ` Edward Adam Davis
2025-08-18 13:13                 ` Stephan Mueller
2025-08-18 13:24                   ` [PATCH V3] " Edward Adam Davis
2025-08-18 13:32                     ` Stephan Mueller [this message]
2025-08-30  8:45                     ` Herbert Xu
2025-08-26 13:51     ` [PATCH] crypto: Prevent kernel-infoleak in rng_recvmsg Ard Biesheuvel
2025-08-26 16:58       ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2401599.22IY78Rhhi@tauon \
    --to=smueller@chronox.de \
    --cc=davem@davemloft.net \
    --cc=eadavis@qq.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzbot+e8bcd7ee3db6cb5cb875@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.