From: Eric Biggers <ebiggers@kernel.org>
To: Demi Marie Obenour <demiobenour@gmail.com>
Cc: oss-security@lists.openwall.com,
Jan Schaumann <jschauma@netmeister.org>,
iwd@lists.linux.dev
Subject: Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation
Date: Sat, 2 May 2026 03:35:56 +0000 [thread overview]
Message-ID: <20260502033556.GA3872267@google.com> (raw)
In-Reply-To: <c13dd3c5-ddc1-431e-bc7d-2de39c551f8e@gmail.com>
On Fri, May 01, 2026 at 08:21:27PM -0400, Demi Marie Obenour wrote:
> I think the single biggest hardening win for AF_ALG would be to move
> to the crypto library. The recent CVEs you mentioned mostly seem
> to relate to the crypto API, and with a hard-coded list of allowed
> algorithms there's no need to use the crypto API anymore. I'm not
> familiar enough with kernel code to do this easily, but for anyone
> with basic knowledge of the existing code it should (hopefully) be
> straightforward.
>
> In the meantime, only using synchronous algorithms and not using
> hardware drivers would also be a useful simplification. The latter
> would make it especially clear that AF_ALG is deprecated, because
> its one potential advantage (being able to use hardware acceleration)
> would no longer be present.
The kernel's crypto library
(https://docs.kernel.org/crypto/libcrypto.html) does greatly simplify a
lot of kernel code that needs to use crypto algorithms. Yes, AF_ALG
doesn't use it directly yet. Currently AF_ALG puts all the data in
(zero-copy) scatterlists, then invokes the "traditional crypto API"
which is very complex and has full scatterlist support, asynchronous
execution support, an algorithm template system, etc. In some cases the
crypto library is then used internally, but it's not called directly.
So the idea would be something along the lines of:
- Add an algorithm allowlist to AF_ALG. It would include only what the
small set of userspace programs that uses it actually needs. Bizarre
stuff like "authencesn" wouldn't be included.
- Change AF_ALG to make it copy any data written to an AF_ALG file
descriptor into an internal kernel buffer. Put the output in another
internal kernel buffer, then copy it to userspace. No zero-copy, and
no scatterlists. Both restrictions would greatly reduce the chance of
bugs: the actual crypto algorithms would operate only on these
internal buffers, not on pagecache data (e.g. the contents of 'su') or
buffers that userspace can concurrently modify. The use of simple
virtual addresses would eliminate all the scatterlist complexity.
- AF_ALG would implement each algorithm by invoking the corresponding
the crypto library functions
(https://docs.kernel.org/crypto/libcrypto.html#api-documentation). No
asynchronous execution, no buggy hardware crypto drivers, etc.
It sounds good to me. For people who feel like the su binary on their
system is a bit too restrictive and would like to fix that, these
changes might not be all that great for them. But for the rest of us,
they should work rather well.
Of course, it'll also be a fair a bit of work, and unfortunately I also
expect pushback from people who (incorrectly IMO) think that AF_ALG
performance is important, even moreso than security.
Either way, the first step will be to create the algorithm allowlist,
which should happen anyway, regardless of the other changes.
(By the way, for context: I maintain the kernel's crypto library, but
not the kernel's "traditional crypto API". The latter is where AF_ALG
and all these problems are, unfortunately.)
- Eric
next prev parent reply other threads:[~2026-05-02 3:35 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <afJorKIje4O6dXbH@netmeister.org>
[not found] ` <d6111caa-db61-498a-92cb-ea7a0aa0a5e2@ehuk.net>
[not found] ` <87se8dgicq.fsf@gentoo.org>
[not found] ` <afL-QhLfEKqHZqka@eldamar.lan>
[not found] ` <20260430071917.GB54208@sol>
[not found] ` <177abb5d-8ba9-4bb9-8b23-9fbc868ed3cd@gmail.com>
[not found] ` <20260501180028.GA2260@sol>
2026-05-01 19:24 ` [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Demi Marie Obenour
2026-05-01 20:18 ` Eric Biggers
2026-05-02 0:21 ` Demi Marie Obenour
2026-05-02 3:35 ` Eric Biggers [this message]
2026-05-02 3:54 ` Eric Biggers
2026-05-02 6:39 ` Demi Marie Obenour
2026-05-02 4:52 ` AF_ALG hardening Demi Marie Obenour
2026-05-02 8:19 ` Simon Richter
2026-05-02 20:42 ` Demi Marie Obenour
2026-05-02 19:16 ` Eric Biggers
2026-05-04 19:01 ` Simon Richter
2026-05-04 19:54 ` Eric Biggers
2026-05-04 5:57 ` [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Milan Broz
2026-05-04 6:13 ` Demi Marie Obenour
2026-05-04 6:43 ` Eric Biggers
2026-05-04 7:14 ` Milan Broz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260502033556.GA3872267@google.com \
--to=ebiggers@kernel.org \
--cc=demiobenour@gmail.com \
--cc=iwd@lists.linux.dev \
--cc=jschauma@netmeister.org \
--cc=oss-security@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox