[PATCH] crypto: caam - Fix DMA corruption on long hmac keys

[PATCH] crypto: caam - Fix DMA corruption on long hmac keys

[Herbert Xu]

When a key longer than block size is supplied, it is copied and then
hashed into the real key.  The memory allocated for the copy needs to
be rounded to DMA cache alignment, as otherwise the hashed key may
corrupt neighbouring memory.

The rounding was performed, but never actually used for the allocation.
Fix this by using the rounded value when calling kmemdup.

Fixes: 199354d7fb6e ("crypto: caam - Remove GFP_DMA and add DMA alignment padding")
Reported-by: Paul Bunyan <pbunyan@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/drivers/crypto/caam/caamhash.c b/drivers/crypto/caam/caamhash.c
index e0a23c55c10e..aded03c8601c 100644
--- a/drivers/crypto/caam/caamhash.c
+++ b/drivers/crypto/caam/caamhash.c
@@ -441,7 +441,7 @@ static int ahash_setkey(struct crypto_ahash *ahash,
 		if (aligned_len < keylen)
 			return -EOVERFLOW;
 
-		hashed_key = kmemdup(key, keylen, GFP_KERNEL);
+		hashed_key = kmemdup(key, aligned_len, GFP_KERNEL);
 		if (!hashed_key)
 			return -ENOMEM;
 		ret = hash_digest_key(ctx, &keylen, hashed_key, digestsize);
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH] crypto: caam - Fix DMA corruption on long hmac keys

[Horia Geantă]

On 3/9/2026 11:14 AM, Herbert Xu wrote:
> When a key longer than block size is supplied, it is copied and then
> hashed into the real key.  The memory allocated for the copy needs to
> be rounded to DMA cache alignment, as otherwise the hashed key may
> corrupt neighbouring memory.
>
> The rounding was performed, but never actually used for the allocation.
Thanks for catching this.
> Fix this by using the rounded value when calling kmemdup.
Unfortunately, kmemdup can't be used in this case.
>
> Fixes: 199354d7fb6e ("crypto: caam - Remove GFP_DMA and add DMA alignment padding")
> Reported-by: Paul Bunyan <pbunyan@redhat.com>
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
>
> diff --git a/drivers/crypto/caam/caamhash.c b/drivers/crypto/caam/caamhash.c
> index e0a23c55c10e..aded03c8601c 100644
> --- a/drivers/crypto/caam/caamhash.c
> +++ b/drivers/crypto/caam/caamhash.c
> @@ -441,7 +441,7 @@ static int ahash_setkey(struct crypto_ahash *ahash,
>   		if (aligned_len < keylen)
>   			return -EOVERFLOW;
>   
> -		hashed_key = kmemdup(key, keylen, GFP_KERNEL);
> +		hashed_key = kmemdup(key, aligned_len, GFP_KERNEL);

When aligned_len is bigger than keylen, kmemdup would go beyond the end 
of "key" buffer.

Looks like kzalloc + memcpy should be used instead of kmemdup.

Double checking the faulty commit, I've found the same pattern in 
ahash_setkey from drivers/crypto/caam/caamalg_qi2.c. Let me know if 
you'd send a fix for this or I should do it.

Thanks,
Horia

Re: [PATCH] crypto: caam - Fix DMA corruption on long hmac keys

[Herbert Xu]

On Tue, Mar 10, 2026 at 05:12:10PM +0200, Horia Geantă wrote:
>
> > diff --git a/drivers/crypto/caam/caamhash.c b/drivers/crypto/caam/caamhash.c
> > index e0a23c55c10e..aded03c8601c 100644
> > --- a/drivers/crypto/caam/caamhash.c
> > +++ b/drivers/crypto/caam/caamhash.c
> > @@ -441,7 +441,7 @@ static int ahash_setkey(struct crypto_ahash *ahash,
> >   		if (aligned_len < keylen)
> >   			return -EOVERFLOW;
> > -		hashed_key = kmemdup(key, keylen, GFP_KERNEL);
> > +		hashed_key = kmemdup(key, aligned_len, GFP_KERNEL);
> 
> When aligned_len is bigger than keylen, kmemdup would go beyond the end of
> "key" buffer.
> 
> Looks like kzalloc + memcpy should be used instead of kmemdup.
> 
> Double checking the faulty commit, I've found the same pattern in
> ahash_setkey from drivers/crypto/caam/caamalg_qi2.c. Let me know if you'd
> send a fix for this or I should do it.

Good catch.  Please feel free to send a patch for both issues.

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH] crypto: caam - Fix DMA corruption on long hmac keys

[Herbert Xu]

On Tue, Mar 10, 2026 at 05:12:10PM +0200, Horia Geantă wrote:
> 
> When aligned_len is bigger than keylen, kmemdup would go beyond the end of
> "key" buffer.
> 
> Looks like kzalloc + memcpy should be used instead of kmemdup.
> 
> Double checking the faulty commit, I've found the same pattern in
> ahash_setkey from drivers/crypto/caam/caamalg_qi2.c. Let me know if you'd
> send a fix for this or I should do it.

Hi Horia:

While we should still fix this, it turns out that the original
problem went beyond the memory allocation.

The root cause of the self-test failure is actually caused by
the parallel self-test mechanism which became the default in
2024.

It appears the caam is unable to deal with this because the
ahash_setkey function will fail if caam_jr_enqueue returns
ENOSPC, which is bound to happen sooner or later in a parallel
environment.

So it'll either need to deal with ENOSPC, or switch to a
software fallback.

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt