Devicetree
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Saravanakrishnan Krishnamoorthy" <skrishnamoorthy@rambus.com>
Cc: robh@kernel.org, conor+dt@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v2 10/19] crypto: cmh - add ChaCha20-Poly1305
Date: Thu, 09 Jul 2026 20:46:58 +0000	[thread overview]
Message-ID: <20260709204658.9F1211F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260709203037.1884436-11-skrishnamoorthy@rambus.com>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [Critical] Failure to reset `total_len` during an error in `cmh_poly_update` causes `cmh_poly_final` to leak uninitialized kernel heap memory.
- [High] Unbounded kernel memory exhaustion (DoS) in Poly1305 driver due to missing request destructor and improper re-initialization.
- [Medium] Using `dma_addr_t` as a boolean check in the error path of `cmh_poly_final` leaks a DMA mapping if the mapped address is 0.
--

--- Patch [10]: [PATCH v2 10/19] crypto: cmh - add ChaCha20-Poly1305 ---
commit 23c814e3e61faada221bb1fbcd27c935e6800b9b
Author: Alex Ousherovitch <aousherovitch@rambus.com>

crypto: cmh - add ChaCha20-Poly1305

Register ChaCha20-Poly1305 AEAD and ChaCha20 skcipher algorithms
using the CMH CCP core (core ID 0x18).  Also registers the Poly1305
ahash for standalone use.

> diff --git a/drivers/crypto/cmh/cmh_ccp_poly.c b/drivers/crypto/cmh/cmh_ccp_poly.c
> new file mode 100644
> index 0000000000000..020a98fbe6070
> --- /dev/null
> +++ b/drivers/crypto/cmh/cmh_ccp_poly.c

[ ... ]

> +static int cmh_poly_init(struct ahash_request *req)
> +{
> +	struct cmh_poly_reqctx *rctx = ahash_request_ctx(req);
> +
> +	memset(rctx, 0, sizeof(*rctx));

[Severity: High]
Does this code leak dynamically allocated chunks? If a user-space application
creates an AF_ALG socket, accumulates data, and then either closes the request
or re-initializes it by calling cmh_poly_init() again, the request context is
zeroed here, losing the pointers to the chunks while they remain on the TFM
list.

The ahash API does not have a freereq callback to handle early closure
cleanups.

> +	INIT_LIST_HEAD(&rctx->chunks);
> +	return 0;
> +}

[ ... ]

> +err_free_chunks:
> +	/*
> +	 * Terminal error -- free all previously accumulated chunks.
> +	 * Callers may not call .final() on error, so they would leak.
> +	 */
> +	cmh_poly_free_chunks(rctx, tctx);
> +	return ret;

[Severity: Critical]
Could this leak uninitialized kernel memory? When cmh_poly_update() encounters
an error and frees the chunks here, it does not reset rctx->total_len to 0.

If cmh_poly_final() is subsequently called, it allocates an uninitialized
kmalloc buffer of size total_len, skips the memcpy loop because the chunk list
is empty, and maps it for DMA.

An attacker providing the key could potentially recover the plaintext of the
uninitialized kernel heap data by reversing the resulting MAC.

> +}

[ ... ]

> +static int cmh_poly_final(struct ahash_request *req)
> +{
> +	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
> +	struct cmh_poly_tfm_ctx *tctx = crypto_ahash_ctx(tfm);
> +	struct cmh_poly_reqctx *rctx = ahash_request_ctx(req);
> +	struct vcq_cmd cmds[CMH_POLY_MAX_PAYLOAD];
> +	struct core_dispatch d;
> +	s32 target_mbx;
> +	u32 core_id;
> +	u32 idx;
> +	int ret;
> +	gfp_t gfp;

[ ... ]

> +out_unmap_in:
> +	if (rctx->total_len > 0 && rctx->in_dma)
> +		cmh_dma_unmap_single(rctx->in_dma, rctx->total_len,
> +				     DMA_TO_DEVICE);

[Severity: Medium]
Does this code inadvertently leak a DMA mapping on architectures where 0 is a
valid DMA address? Checking if a dma_addr_t is non-zero will fail when the
mapped address happens to be exactly 0, skipping the unmap call.

> +out_unmap_tag:
> +	cmh_dma_unmap_single(rctx->tag_dma, POLY1305_DIGEST_SIZE,
> +			     DMA_FROM_DEVICE);

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260709203037.1884436-1-skrishnamoorthy@rambus.com?part=10

  reply	other threads:[~2026-07-09 20:46 UTC|newest]

Thread overview: 41+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-09 20:30 [PATCH v2 00/19] crypto: cmh - add CRI CryptoManager Hub driver Saravanakrishnan Krishnamoorthy
2026-07-09 20:30 ` [PATCH v2 01/19] dt-bindings: crypto: add Rambus CryptoManager Hub Saravanakrishnan Krishnamoorthy
2026-07-09 20:38   ` sashiko-bot
2026-07-10  8:58   ` Conor Dooley
2026-07-10 23:14     ` Ousherovitch, Alex
2026-07-09 20:30 ` [PATCH v2 02/19] crypto: cmh - add core platform driver Saravanakrishnan Krishnamoorthy
2026-07-09 20:49   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 03/19] crypto: cmh - add key provisioning and management Saravanakrishnan Krishnamoorthy
2026-07-09 20:49   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 04/19] crypto: cmh - add SHA-2/SHA-3/SHAKE ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:45   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 05/19] crypto: cmh - add HMAC ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:42   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 06/19] crypto: cmh - add CSHAKE/KMAC ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:47   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 07/19] crypto: cmh - add SM3 ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:47   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 08/19] crypto: cmh - add AES skcipher/aead/cmac Saravanakrishnan Krishnamoorthy
2026-07-09 20:47   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 09/19] crypto: cmh - add SM4 skcipher/aead/cmac/xcbc Saravanakrishnan Krishnamoorthy
2026-07-09 20:49   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 10/19] crypto: cmh - add ChaCha20-Poly1305 Saravanakrishnan Krishnamoorthy
2026-07-09 20:46   ` sashiko-bot [this message]
2026-07-09 20:30 ` [PATCH v2 11/19] crypto: cmh - add DRBG hwrng Saravanakrishnan Krishnamoorthy
2026-07-09 20:54   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 12/19] crypto: cmh - add RSA akcipher Saravanakrishnan Krishnamoorthy
2026-07-09 20:57   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 13/19] crypto: cmh - add ECDSA/SM2 sig Saravanakrishnan Krishnamoorthy
2026-07-09 21:04   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 14/19] crypto: cmh - add ECDH/X25519 kpp Saravanakrishnan Krishnamoorthy
2026-07-09 21:08   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 15/19] crypto: cmh - add ML-KEM/ML-DSA (QSE) Saravanakrishnan Krishnamoorthy
2026-07-09 21:03   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 16/19] crypto: cmh - add SLH-DSA/LMS/XMSS (HCQ) Saravanakrishnan Krishnamoorthy
2026-07-09 21:02   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 17/19] Documentation: ioctl: add CMH ioctl documentation and register 'J' Saravanakrishnan Krishnamoorthy
2026-07-09 20:54   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 18/19] selftests: crypto: cmh - add kselftest for management ioctl Saravanakrishnan Krishnamoorthy
2026-07-09 20:54   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 19/19] MAINTAINERS: add Rambus CryptoManager Hub (CMH) Saravanakrishnan Krishnamoorthy
2026-07-10  1:04   ` Randy Dunlap

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260709204658.9F1211F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=conor+dt@kernel.org \
    --cc=devicetree@vger.kernel.org \
    --cc=robh@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=skrishnamoorthy@rambus.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox