From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id 11BC8CD6E49
	for <linux-arm-kernel@archiver.kernel.org>; Fri, 29 May 2026 16:12:24 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help
	:List-Post:List-Archive:List-Unsubscribe:List-Id:In-Reply-To:Content-Type:
	MIME-Version:References:Message-ID:Subject:Cc:To:From:Date:Reply-To:
	Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:
	Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner;
	bh=O64NbSrhCjdHeoemZg/mhRJwhCejkHY0XbaaTicTFT4=; b=hpzKxg5xGDmv7+OiUiAyI/L1b2
	TwbFUZrujZgb5FaJyoyW7Z/yAJvZWqQmvIXxd9MqctcTAOVxS4+1Jkn18CP7+zdwwUls3XtYoZAmU
	X+KDzJf18CrEBvywGJIWlEJe3sasKL8DlO0GwefD43iqwGStoWg7gBPTb+Dn6760sv/2XuVZ4+bt3
	eIfBZSI+bmGXIPTyU5Zf3fnTvxQTE8VPrpRQ+Y7ArKQmTRwjwfNbWhIBgrDd36v3wCYo+GE3DDEgQ
	Wq9KxK76h6HlHNVFJFJjAbYMDzqeQwT49RY6JpuKi3ObadRiptkEOMjY5dJmxh9HLcgJc8OLRNU0R
	MxENI2PQ==;
Received: from localhost ([::1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.99.1 #2 (Red Hat Linux))
	id 1wSzos-00000007r35-0KjT;
	Fri, 29 May 2026 16:12:22 +0000
Received: from tor.source.kernel.org ([2600:3c04:e001:324:0:1991:8:25])
	by bombadil.infradead.org with esmtps (Exim 4.99.1 #2 (Red Hat Linux))
	id 1wSzoq-00000007r2q-0UPp
	for linux-arm-kernel@lists.infradead.org;
	Fri, 29 May 2026 16:12:20 +0000
Received: from smtp.kernel.org (quasi.space.kernel.org [100.103.45.18])
	by tor.source.kernel.org (Postfix) with ESMTP id 3D2D46022D;
	Fri, 29 May 2026 16:12:19 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9DC091F00893;
	Fri, 29 May 2026 16:12:18 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org;
	s=k20260515; t=1780071139;
	bh=O64NbSrhCjdHeoemZg/mhRJwhCejkHY0XbaaTicTFT4=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To;
	b=GIff+iUMDMNmzEm5o/UKkYDLuIwCl/3cYOEXHy4I2sP+yno/IwfE6+EcXvyUHyU4T
	 sgU9NZFO1Rwsr4eakJk+FJbFUwTBS8N/RIEVUAaGHORsvHRr1cquaKLq1zo7rBbRAY
	 mUE5SWOxvTr25/NfBN94R8nJbmKNWDCSlzzXR06L4WW/goIH6Evkv4UU8Q1Mn1WaWY
	 BL0cbfs7bZPXUlKsauL8lmOy6bJWpZft55FQNa/FxnZdAfTtaLDfLpRWUO/a3qj5w9
	 kjAFR81T1yWN32RBQoHtaLFjhzzyo6Qh7/dtzytSgaA8dsklArgHObXc2DgGzPS6vT
	 wFHCQGtqeUjSw==
Date: Fri, 29 May 2026 09:10:57 -0700
From: Eric Biggers <ebiggers@kernel.org>
To: Tianchu Chen <tianchu.chen@linux.dev>
Cc: clabbe.montjoie@gmail.com, herbert@gondor.apana.org.au,
	davem@davemloft.net, wens@kernel.org, jernej.skrabec@gmail.com,
	samuel@sholland.org, linux-crypto@vger.kernel.org,
	linux-arm-kernel@lists.infradead.org, linux-sunxi@lists.linux.dev,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] crypto: sun4i-ss - clamp PRNG seed length to prevent
 heap overflow
Message-ID: <20260529161057.GA2706@sol>
References: <af749a8447bd7f0e9dd26ca6c87e9c6afecb09d9@linux.dev>
 <4d4407c05835a50413fa1e974e3aa3f4abfe2d5b@linux.dev>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4d4407c05835a50413fa1e974e3aa3f4abfe2d5b@linux.dev>
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org

On Fri, May 29, 2026 at 08:08:01AM +0000, Tianchu Chen wrote:
> From: Tianchu Chen <flynnnchen@tencent.com>
> 
> sun4i_ss_prng_seed() copies the user-supplied seed into ss->seed
> using the user-provided length with no bounds check. The crypto core
> does not enforce slen <= seedsize before calling into the driver, so a
> userspace caller via AF_ALG setsockopt(ALG_SET_KEY) can pass up to
> sysctl_optmem_max bytes, overflowing the fixed-size buffer and
> corrupting adjacent heap memory.
> 
> Clamp the copy length to the buffer size, matching the approach used by
> loongson-rng for oversized seeds.
> 
> Discovered by Atuin - Automated Vulnerability Discovery Engine.
> 
> Fixes: 6298e948215f ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator")
> Cc: stable@vger.kernel.org
> Signed-off-by: Tianchu Chen <flynnnchen@tencent.com>
> ---
> v2: Silently clamp oversized seeds with min_t instead of returning
>     -EINVAL (Herbert Xu).

sun4i-ss-prng.c is useless, is still broken, and should just be deleted.

- Eric