From: "Tianchu Chen" <tianchu.chen@linux.dev>
To: ebiggers@kernel.org
Cc: clabbe.montjoie@gmail.com, herbert@gondor.apana.org.au,
jernej.skrabec@gmail.com, linux-arm-kernel@lists.infradead.org,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-sunxi@lists.linux.dev, samuel@sholland.org,
stable@vger.kernel.org, wens@kernel.org
Subject: Re: [PATCH] crypto: sun4i-ss - Remove insecure and unused rng_alg
Date: Mon, 01 Jun 2026 09:19:23 +0000 [thread overview]
Message-ID: <d52449abfd8e1e46c8bfe9ebdc00d931fc0e4147@linux.dev> (raw)
From: Tianchu Chen <flynnnchen@tencent.com>
In-Reply-To: <20260529193648.18172-1-ebiggers@kernel.org>
References: <20260529193648.18172-1-ebiggers@kernel.org>
On Fri, May 29, 2026 at 12:36:48PM -0700, Eric Biggers wrote:
> Remove sun4i_ss_rng, as it is insecure and unused:
>
> - It has multiple vulnerabilities. sun4i_ss_prng_seed() is missing
> locking and has a buffer overflow.
Thanks for cleaning this up.
For the record, the sun4i_ss_prng_seed() buffer overflow you mention here
is the same issue we reported earlier with a targeted fix:
https://lore.kernel.org/linux-crypto/20260529194152.GA3628@quark/
It is an unauthenticated, unbounded memcpy() into the 24-byte ss->seed[]
buffer, reachable from any user via AF_ALG ALG_SET_KEY with no privileges
on affected Allwinner sun4i hardware.
Please note that this should be treated as a security fix. For the earlier
stable releases, keeping the rng_alg but adding a proper bounds check in
sun4i_ss_prng_seed() might still be a preferable option to consider.
Given the above, would you mind adding the following trailers to the commit
message? Besides crediting the discovery and report, they would also make
this security issue easier to track and reference across the stable trees:
Discovered by Atuin - Automated Vulnerability Discovery Engine
Reported-by: Tianchu Chen <flynnnchen@tencent.com>
Thanks,
Tianchu
next reply other threads:[~2026-06-01 9:19 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-01 9:19 Tianchu Chen [this message]
2026-06-01 15:54 ` [PATCH] crypto: sun4i-ss - Remove insecure and unused rng_alg Eric Biggers
-- strict thread matches above, loose matches on Subject: below --
2026-05-29 19:36 Eric Biggers
[not found] ` <20260529195725.5C7B91F00898@smtp.kernel.org>
2026-05-29 20:54 ` Eric Biggers
2026-06-01 15:08 ` Corentin Labbe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d52449abfd8e1e46c8bfe9ebdc00d931fc0e4147@linux.dev \
--to=tianchu.chen@linux.dev \
--cc=clabbe.montjoie@gmail.com \
--cc=ebiggers@kernel.org \
--cc=herbert@gondor.apana.org.au \
--cc=jernej.skrabec@gmail.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sunxi@lists.linux.dev \
--cc=samuel@sholland.org \
--cc=stable@vger.kernel.org \
--cc=wens@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox