* [PATCH 0/2] authencesn: Refactor in-place decryption
@ 2026-05-15 8:36 scott_gzh
2026-05-15 8:36 ` [PATCH 1/2] scatterlist: Introduce sglist_shift_{left,right} helpers scott_gzh
` (2 more replies)
0 siblings, 3 replies; 10+ messages in thread
From: scott_gzh @ 2026-05-15 8:36 UTC (permalink / raw)
To: herbert, davem; +Cc: linux-crypto, Scott GUO
From: Scott GUO <scottzhguo@tencent.com>
This patch set introduced the sglist_shift_{left,right} helper
and refactor the sequence number handling for authencesn
decryption. Avoiding write to the auth part of the sg list.
Scott GUO (2):
scatterlist: Introduce sglist_shift_{left,right} helpers
authencesn: Refactor inplace-decryption with sglist shift helper
crypto/authencesn.c | 38 ++++++-----------
crypto/scatterwalk.c | 79 ++++++++++++++++++++++++++++++++++++
include/crypto/scatterwalk.h | 6 +++
3 files changed, 97 insertions(+), 26 deletions(-)
--
2.41.3
^ permalink raw reply [flat|nested] 10+ messages in thread* [PATCH 1/2] scatterlist: Introduce sglist_shift_{left,right} helpers 2026-05-15 8:36 [PATCH 0/2] authencesn: Refactor in-place decryption scott_gzh @ 2026-05-15 8:36 ` scott_gzh 2026-05-15 8:36 ` [PATCH 2/2] authencesn: Refactor inplace-decryption with sglist shift helper scott_gzh 2026-05-15 10:41 ` [PATCH 0/2] authencesn: Refactor in-place decryption Scott Guo 2 siblings, 0 replies; 10+ messages in thread From: scott_gzh @ 2026-05-15 8:36 UTC (permalink / raw) To: herbert, davem; +Cc: linux-crypto, Scott GUO From: Scott GUO <scottzhguo@tencent.com> These helpers shifts data within sglist in a chunck by chunck manner. Signed-off-by: GUO Zihua <scottzhguo@tencent.com> --- crypto/scatterwalk.c | 79 ++++++++++++++++++++++++++++++++++++ include/crypto/scatterwalk.h | 6 +++ 2 files changed, 85 insertions(+) diff --git a/crypto/scatterwalk.c b/crypto/scatterwalk.c index be0e24843806..958ab7e20d9d 100644 --- a/crypto/scatterwalk.c +++ b/crypto/scatterwalk.c @@ -180,6 +180,85 @@ void memcpy_sglist(struct scatterlist *dst, struct scatterlist *src, } EXPORT_SYMBOL_GPL(memcpy_sglist); +static unsigned int sglist_total_len(struct scatterlist *sg) +{ + unsigned int total = 0; + + for (; sg; sg = sg_next(sg)) + total += sg->length; + return total; +} + +/** + * sglist_shift_left - shift a region of data left within a scatterlist + * @sg: scatterlist to operate on + * @dst_off: destination offset in bytes (must be <= @src_off) + * @src_off: source offset in bytes (start of the region to move) + * @nbytes: number of bytes to move + * + * Moves [src_off, src_off+nbytes) to [dst_off, dst_off+nbytes). + * Handles overlapping regions safely by copying forward (low to high). + */ +void sglist_shift_left(struct scatterlist *sg, unsigned int dst_off, + unsigned int src_off, unsigned int nbytes) +{ + u8 buf[16]; + + if (!nbytes || dst_off == src_off) + return; + if (WARN_ON_ONCE(dst_off > src_off)) + return; + if (WARN_ON_ONCE(src_off + nbytes > sglist_total_len(sg))) + return; + + while (nbytes) { + unsigned int chunk = min_t(unsigned int, nbytes, sizeof(buf)); + + memcpy_from_sglist(buf, sg, src_off, chunk); + memcpy_to_sglist(sg, dst_off, buf, chunk); + src_off += chunk; + dst_off += chunk; + nbytes -= chunk; + } +} +EXPORT_SYMBOL_GPL(sglist_shift_left); + +/** + * sglist_shift_right - shift a region of data right within a scatterlist + * @sg: scatterlist to operate on + * @dst_off: destination offset in bytes (must be >= @src_off) + * @src_off: source offset in bytes (start of the region to move) + * @nbytes: number of bytes to move + * + * Moves [src_off, src_off+nbytes) to [dst_off, dst_off+nbytes). + * Handles overlapping regions safely by copying backward (high to low). + */ +void sglist_shift_right(struct scatterlist *sg, unsigned int dst_off, + unsigned int src_off, unsigned int nbytes) +{ + unsigned int src_end = src_off + nbytes; + unsigned int dst_end = dst_off + nbytes; + u8 buf[16]; + + if (!nbytes || dst_off == src_off) + return; + if (WARN_ON_ONCE(dst_off < src_off)) + return; + if (WARN_ON_ONCE(dst_end > sglist_total_len(sg))) + return; + + while (nbytes) { + unsigned int chunk = min_t(unsigned int, nbytes, sizeof(buf)); + + src_end -= chunk; + dst_end -= chunk; + memcpy_from_sglist(buf, sg, src_end, chunk); + memcpy_to_sglist(sg, dst_end, buf, chunk); + nbytes -= chunk; + } +} +EXPORT_SYMBOL_GPL(sglist_shift_right); + struct scatterlist *scatterwalk_ffwd(struct scatterlist dst[2], struct scatterlist *src, unsigned int len) diff --git a/include/crypto/scatterwalk.h b/include/crypto/scatterwalk.h index 624fab589c2c..eed6aee5bf9c 100644 --- a/include/crypto/scatterwalk.h +++ b/include/crypto/scatterwalk.h @@ -249,6 +249,12 @@ static inline void scatterwalk_map_and_copy(void *buf, struct scatterlist *sg, memcpy_from_sglist(buf, sg, start, nbytes); } +void sglist_shift_left(struct scatterlist *sg, unsigned int dst_off, + unsigned int src_off, unsigned int nbytes); + +void sglist_shift_right(struct scatterlist *sg, unsigned int dst_off, + unsigned int src_off, unsigned int nbytes); + struct scatterlist *scatterwalk_ffwd(struct scatterlist dst[2], struct scatterlist *src, unsigned int len); -- 2.41.3 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 2/2] authencesn: Refactor inplace-decryption with sglist shift helper 2026-05-15 8:36 [PATCH 0/2] authencesn: Refactor in-place decryption scott_gzh 2026-05-15 8:36 ` [PATCH 1/2] scatterlist: Introduce sglist_shift_{left,right} helpers scott_gzh @ 2026-05-15 8:36 ` scott_gzh 2026-05-15 10:41 ` [PATCH 0/2] authencesn: Refactor in-place decryption Scott Guo 2 siblings, 0 replies; 10+ messages in thread From: scott_gzh @ 2026-05-15 8:36 UTC (permalink / raw) To: herbert, davem; +Cc: linux-crypto, Scott GUO From: Scott GUO <scottzhguo@tencent.com> By using shift helpers, we shift assoc data and crypt data in-place , avoid writing the ICV tag part during decryption. This patch also merge the code for in-place and non-in-place decryption together once again. Fixes: e02494114ebf ("crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption") Signed-off-by: GUO Zihua <scottzhguo@tencent.com> --- crypto/authencesn.c | 38 ++++++++++++-------------------------- 1 file changed, 12 insertions(+), 26 deletions(-) diff --git a/crypto/authencesn.c b/crypto/authencesn.c index 522df41365d8..a81003a69a18 100644 --- a/crypto/authencesn.c +++ b/crypto/authencesn.c @@ -210,18 +210,14 @@ static int crypto_authenc_esn_decrypt_tail(struct aead_request *req, struct scatterlist *src = req->src; struct scatterlist *dst = req->dst; u8 *ihash = ohash + crypto_ahash_digestsize(auth); - u32 tmp[2]; + u32 tmp; if (!authsize) goto decrypt; - if (src == dst) { - /* Move high-order bits of sequence number back. */ - scatterwalk_map_and_copy(tmp, dst, 4, 4, 0); - scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0); - scatterwalk_map_and_copy(tmp, dst, 0, 8, 1); - } else - memcpy_sglist(dst, src, assoclen); + memcpy_from_sglist(&tmp, dst, assoclen + cryptlen - 4, 4); + sglist_shift_right(dst, 8, 4, assoclen + cryptlen - 8); + memcpy_to_sglist(dst, 4, &tmp, 4); if (crypto_memneq(ihash, ohash, authsize)) return -EBADMSG; @@ -264,7 +260,7 @@ static int crypto_authenc_esn_decrypt(struct aead_request *req) u8 *ihash = ohash + crypto_ahash_digestsize(auth); struct scatterlist *src = req->src; struct scatterlist *dst = req->dst; - u32 tmp[2]; + u32 tmp; int err; if (assoclen < 8) @@ -274,24 +270,14 @@ static int crypto_authenc_esn_decrypt(struct aead_request *req) goto tail; cryptlen -= authsize; - scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen, - authsize, 0); + memcpy_from_sglist(ihash, req->src, assoclen + cryptlen, authsize); - /* Move high-order bits of sequence number to the end. */ - scatterwalk_map_and_copy(tmp, src, 0, 8, 0); - if (src == dst) { - scatterwalk_map_and_copy(tmp, dst, 4, 4, 1); - scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 1); - dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4); - } else { - scatterwalk_map_and_copy(tmp, dst, 0, 4, 1); - scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen - 4, 4, 1); - - src = scatterwalk_ffwd(areq_ctx->src, src, 8); - dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4); - memcpy_sglist(dst, src, assoclen + cryptlen - 8); - dst = req->dst; - } + memcpy_from_sglist(&tmp, src, 4, 4); + if (src != dst) + memcpy_sglist(dst, src, assoclen + cryptlen); + + sglist_shift_left(dst, 4, 8, assoclen + cryptlen - 8); + memcpy_to_sglist(dst, assoclen + cryptlen - 4, &tmp, 4); ahash_request_set_tfm(ahreq, auth); ahash_request_set_crypt(ahreq, dst, ohash, assoclen + cryptlen); -- 2.41.3 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH 0/2] authencesn: Refactor in-place decryption 2026-05-15 8:36 [PATCH 0/2] authencesn: Refactor in-place decryption scott_gzh 2026-05-15 8:36 ` [PATCH 1/2] scatterlist: Introduce sglist_shift_{left,right} helpers scott_gzh 2026-05-15 8:36 ` [PATCH 2/2] authencesn: Refactor inplace-decryption with sglist shift helper scott_gzh @ 2026-05-15 10:41 ` Scott Guo 2026-05-15 11:01 ` Scott Guo 2 siblings, 1 reply; 10+ messages in thread From: Scott Guo @ 2026-05-15 10:41 UTC (permalink / raw) To: herbert, davem; +Cc: linux-crypto, Scott GUO BTW, this should fix the Fragnesia vulnerability. 在 2026/5/15 16:36, scott_gzh@163.com 写道: > From: Scott GUO <scottzhguo@tencent.com> > > This patch set introduced the sglist_shift_{left,right} helper > and refactor the sequence number handling for authencesn > decryption. Avoiding write to the auth part of the sg list. > > Scott GUO (2): > scatterlist: Introduce sglist_shift_{left,right} helpers > authencesn: Refactor inplace-decryption with sglist shift helper > > crypto/authencesn.c | 38 ++++++----------- > crypto/scatterwalk.c | 79 ++++++++++++++++++++++++++++++++++++ > include/crypto/scatterwalk.h | 6 +++ > 3 files changed, 97 insertions(+), 26 deletions(-) > ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 0/2] authencesn: Refactor in-place decryption 2026-05-15 10:41 ` [PATCH 0/2] authencesn: Refactor in-place decryption Scott Guo @ 2026-05-15 11:01 ` Scott Guo 2026-05-18 2:33 ` Herbert Xu 0 siblings, 1 reply; 10+ messages in thread From: Scott Guo @ 2026-05-15 11:01 UTC (permalink / raw) To: herbert, davem; +Cc: linux-crypto, Scott GUO Another thought: even with this fix, Fragnesia should still funciton. It just block current PoCs which pass in the page cache in the position for auth data. Avoid changing the auth part would not be enough because attacker would still be able to link a page cache page within the cryptlen part and override it with the 4 bytes from sequence number. 在 2026/5/15 18:41, Scott Guo 写道: > BTW, this should fix the Fragnesia vulnerability. > > 在 2026/5/15 16:36, scott_gzh@163.com 写道: >> From: Scott GUO <scottzhguo@tencent.com> >> >> This patch set introduced the sglist_shift_{left,right} helper >> and refactor the sequence number handling for authencesn >> decryption. Avoiding write to the auth part of the sg list. >> >> Scott GUO (2): >> scatterlist: Introduce sglist_shift_{left,right} helpers >> authencesn: Refactor inplace-decryption with sglist shift helper >> >> crypto/authencesn.c | 38 ++++++----------- >> crypto/scatterwalk.c | 79 ++++++++++++++++++++++++++++++++++++ >> include/crypto/scatterwalk.h | 6 +++ >> 3 files changed, 97 insertions(+), 26 deletions(-) >> ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 0/2] authencesn: Refactor in-place decryption 2026-05-15 11:01 ` Scott Guo @ 2026-05-18 2:33 ` Herbert Xu 2026-05-18 2:55 ` Scott Guo 0 siblings, 1 reply; 10+ messages in thread From: Herbert Xu @ 2026-05-18 2:33 UTC (permalink / raw) To: Scott Guo; +Cc: davem, linux-crypto, Scott GUO On Fri, May 15, 2026 at 07:01:43PM +0800, Scott Guo wrote: > Another thought: even with this fix, Fragnesia should still funciton. It > just block current PoCs which pass in the page cache in the position for > auth data. > > Avoid changing the auth part would not be enough because attacker would > still be able to link a page cache page within the cryptlen part and > override it with the 4 bytes from sequence number. Exactly. The real fix is to not put read-only pages into the destination scatterlist. The whole point of a destination is that it will be written to. Cheers, -- Email: Herbert Xu <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 0/2] authencesn: Refactor in-place decryption 2026-05-18 2:33 ` Herbert Xu @ 2026-05-18 2:55 ` Scott Guo 2026-05-18 3:17 ` Herbert Xu 0 siblings, 1 reply; 10+ messages in thread From: Scott Guo @ 2026-05-18 2:55 UTC (permalink / raw) To: Herbert Xu; +Cc: davem, linux-crypto, Scott GUO BTW, I am wondering whether we should disable inplace decryption for now? I think that to mitigate vulnerabilities like Fragnesia, maybe something has to be done on the memory side. Maybe something like forcing a pagefault when trying to write to these pages? 在 2026/5/18 10:33, Herbert Xu 写道: > On Fri, May 15, 2026 at 07:01:43PM +0800, Scott Guo wrote: >> Another thought: even with this fix, Fragnesia should still funciton. It >> just block current PoCs which pass in the page cache in the position for >> auth data. >> >> Avoid changing the auth part would not be enough because attacker would >> still be able to link a page cache page within the cryptlen part and >> override it with the 4 bytes from sequence number. > > Exactly. The real fix is to not put read-only pages into the > destination scatterlist. > > The whole point of a destination is that it will be written to. > > Cheers, ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 0/2] authencesn: Refactor in-place decryption 2026-05-18 2:55 ` Scott Guo @ 2026-05-18 3:17 ` Herbert Xu 2026-05-18 6:48 ` Scott Guo 0 siblings, 1 reply; 10+ messages in thread From: Herbert Xu @ 2026-05-18 3:17 UTC (permalink / raw) To: Scott Guo; +Cc: davem, linux-crypto, Scott GUO, netdev On Mon, May 18, 2026 at 10:55:38AM +0800, Scott Guo wrote: > BTW, I am wondering whether we should disable inplace decryption for now? I > think that to mitigate vulnerabilities like Fragnesia, maybe something has > to be done on the memory side. Maybe something like forcing a pagefault when > trying to write to these pages? I think stopping ESP from putting frags into the dst SG list would be prudent until the whole stack has been audited. Alternatively switch from the black-list to a white-list approach and only allow ESP to do in-place processing of packets from a source that's known to be writable. Cheers, -- Email: Herbert Xu <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 0/2] authencesn: Refactor in-place decryption 2026-05-18 3:17 ` Herbert Xu @ 2026-05-18 6:48 ` Scott Guo 2026-05-18 8:21 ` Herbert Xu 0 siblings, 1 reply; 10+ messages in thread From: Scott Guo @ 2026-05-18 6:48 UTC (permalink / raw) To: Herbert Xu; +Cc: davem, linux-crypto, Scott GUO, netdev Then the problem comes down to whether ESP will be able to identify all the path and mitigate all of it. I am also wondering whether this in-place crypto + SG list method would have simular issue with other crypto such as SKCipher. Copy Failed, Dirty Frag and Fragnesia is ultimately an attack that craft specific bytes with encryption and decryption. Attacker would potentially be able to archieve a collision attack on say the record for root in passwd file and use it on any machine where their passwd files are in a simular format. 在 2026/5/18 11:17, Herbert Xu 写道: > On Mon, May 18, 2026 at 10:55:38AM +0800, Scott Guo wrote: >> BTW, I am wondering whether we should disable inplace decryption for now? I >> think that to mitigate vulnerabilities like Fragnesia, maybe something has >> to be done on the memory side. Maybe something like forcing a pagefault when >> trying to write to these pages? > > I think stopping ESP from putting frags into the dst SG list would > be prudent until the whole stack has been audited. > > Alternatively switch from the black-list to a white-list approach > and only allow ESP to do in-place processing of packets from a > source that's known to be writable. > > Cheers, ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 0/2] authencesn: Refactor in-place decryption 2026-05-18 6:48 ` Scott Guo @ 2026-05-18 8:21 ` Herbert Xu 0 siblings, 0 replies; 10+ messages in thread From: Herbert Xu @ 2026-05-18 8:21 UTC (permalink / raw) To: Scott Guo; +Cc: davem, linux-crypto, Scott GUO, netdev On Mon, May 18, 2026 at 02:48:39PM +0800, Scott Guo wrote: > Then the problem comes down to whether ESP will be able to identify all the > path and mitigate all of it. Please don't top-post. That's why I suggested a white-list, so only known-to-be safe paths use zero-copy. > 在 2026/5/18 11:17, Herbert Xu 写道: > > > Alternatively switch from the black-list to a white-list approach > > and only allow ESP to do in-place processing of packets from a > > source that's known to be writable. -- Email: Herbert Xu <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2026-05-18 8:21 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-15 8:36 [PATCH 0/2] authencesn: Refactor in-place decryption scott_gzh
2026-05-15 8:36 ` [PATCH 1/2] scatterlist: Introduce sglist_shift_{left,right} helpers scott_gzh
2026-05-15 8:36 ` [PATCH 2/2] authencesn: Refactor inplace-decryption with sglist shift helper scott_gzh
2026-05-15 10:41 ` [PATCH 0/2] authencesn: Refactor in-place decryption Scott Guo
2026-05-15 11:01 ` Scott Guo
2026-05-18 2:33 ` Herbert Xu
2026-05-18 2:55 ` Scott Guo
2026-05-18 3:17 ` Herbert Xu
2026-05-18 6:48 ` Scott Guo
2026-05-18 8:21 ` Herbert Xu
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox