From: sashiko-bot@kernel.org
To: "Saravanakrishnan Krishnamoorthy" <skrishnamoorthy@rambus.com>
Cc: robh@kernel.org, conor+dt@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v2 08/19] crypto: cmh - add AES skcipher/aead/cmac
Date: Thu, 09 Jul 2026 20:47:15 +0000 [thread overview]
Message-ID: <20260709204715.ADB291F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260709203037.1884436-9-skrishnamoorthy@rambus.com>
Thank you for your contribution! Sashiko AI review found 5 potential issue(s) to consider:
- [High] Unbounded memory leak and DoS via orphaned chunks in `cmh_aes_cmac_init` and `cmh_aes_cmac_import`.
- [High] Memory allocation failure and `WARN` due to oversized `kmalloc` in `cmh_aes_crypt`.
- [High] Cryptographic logic bug causing mathematically incorrect IV generation in CFB-128 partial block chaining.
- [High] Alignment violation resulting in misaligned pointers for generic CCM fallback subrequest.
- [High] Sleeping in atomic context due to hardcoded `GFP_KERNEL` in `cmh_aes_cmac_import`.
--
--- Patch [8]: [PATCH v2 08/19] crypto: cmh - add AES skcipher/aead/cmac ---
commit 0196177c32d5ce7a03aa73937a1fac3eb268a239
Author: Alex Ousherovitch <aousherovitch@rambus.com>
crypto: cmh - add AES skcipher/aead/cmac
Register AES algorithms using the CMH AES core (core ID 0x03): skcipher, aead,
and ahash. Supports 128, 192, and 256-bit keys and handles associated data,
payload, and authentication tag.
> diff --git a/drivers/crypto/cmh/cmh_aes.c b/drivers/crypto/cmh/cmh_aes.c
> new file mode 100644
> --- /dev/null
> +++ b/drivers/crypto/cmh/cmh_aes.c
[ ... ]
> +static void cmh_aes_update_iv(struct skcipher_request *req, u32 mode,
> + u32 op, const u8 *in_buf, const u8 *out_buf)
> +{
[ ... ]
> + case AES_MODE_CFB:
[ ... ]
> + if (req->cryptlen >= bs) {
> + if (op == AES_OP_ENCRYPT)
> + memcpy(req->iv, out_buf + req->cryptlen - bs,
> + bs);
[Severity: High]
Does this extract an unaligned 16-byte slice when the request length is not
block-aligned? Mixing the end of the previous ciphertext block and the start
of the partial block produces an incorrect shift-register state for CFB-128.
If cra_blocksize is set to 1, standard CFB-128 chaining on partial blocks
requires saving the unused keystream in the state between requests instead.
[ ... ]
> +static int cmh_aes_crypt(struct skcipher_request *req, u32 aes_op)
> +{
[ ... ]
> + if (req->cryptlen > CMH_AES_MAX_CRYPTLEN)
> + return -EINVAL;
[ ... ]
> + /* Linearise input from scatterlist */
> + rctx->in_buf = kmalloc(req->cryptlen, gfp);
[Severity: High]
Does this allow kmalloc to be called with a size up to 32MB? Since
KMALLOC_MAX_SIZE is typically 4MB or 8MB, allocations exceeding this limit
will trigger page allocator warnings and fail. Unprivileged userspace could
potentially trigger this via the AF_ALG skcipher interface.
> diff --git a/drivers/crypto/cmh/cmh_aes_aead.c b/drivers/crypto/cmh/cmh_aes_aead.c
> new file mode 100644
> --- /dev/null
> +++ b/drivers/crypto/cmh/cmh_aes_aead.c
[ ... ]
> +static int cmh_aes_aead_init_tfm(struct crypto_aead *tfm)
> +{
[ ... ]
> + /*
> + * Subreq lives at (rctx + 1). Alignment is guaranteed
> + * by the crypto framework's __ctx ALIGN mechanism.
> + */
> + crypto_aead_set_reqsize(tfm,
> + sizeof(struct cmh_aes_aead_reqctx) +
> + sizeof(struct aead_request) +
> + crypto_aead_reqsize(fb));
[ ... ]
> +static int cmh_aes_ccm_fallback(struct aead_request *req, u32 aes_op)
> +{
> + struct crypto_aead *tfm = crypto_aead_reqtfm(req);
> + struct cmh_aes_aead_tfm_ctx *tctx = crypto_aead_ctx(tfm);
> + struct cmh_aes_aead_reqctx *rctx = aead_request_ctx(req);
> + struct aead_request *subreq = (void *)(rctx + 1);
[Severity: High]
Does this calculate a misaligned pointer for subreq? The crypto framework
aligns the start of the primary request context, but
sizeof(struct cmh_aes_aead_reqctx) is not guaranteed to be a multiple of
CRYPTO_MINALIGN.
Because struct aead_request requires strict alignment for its __ctx member,
this can lead to alignment faults or data corruption when CCM mode falls
back to software. Should the context size wrap the struct size with
ALIGN(..., crypto_tfm_ctx_alignment())?
> diff --git a/drivers/crypto/cmh/cmh_aes_cmac.c b/drivers/crypto/cmh/cmh_aes_cmac.c
> new file mode 100644
> --- /dev/null
> +++ b/drivers/crypto/cmh/cmh_aes_cmac.c
[ ... ]
> +static int cmh_aes_cmac_init(struct ahash_request *req)
> +{
> + struct cmh_aes_cmac_reqctx *rctx = ahash_request_ctx(req);
> +
> + memset(rctx, 0, sizeof(*rctx));
[ ... ]
> +static int cmh_aes_cmac_update(struct ahash_request *req)
> +{
[ ... ]
> + chunk = kmalloc(sizeof(*chunk) + req->nbytes, gfp);
[Severity: High]
Does zeroing the request context in cmh_aes_cmac_init() orphan the chunks
dynamically allocated during cmh_aes_cmac_update()? If a user repeatedly
calls .update() followed by .init() on the same request via the AF_ALG
socket, it seems total_len is reset and the link to the allocated chunks is
severed. Can this lead to unbounded memory leaks and an out-of-memory
condition?
[ ... ]
> +static int cmh_aes_cmac_import(struct ahash_request *req, const void *in)
> +{
[ ... ]
> + if (state->total_len) {
> + chunk = kmalloc(sizeof(*chunk) + state->total_len, GFP_KERNEL);
[Severity: High]
Can this allocation happen in atomic or softirq contexts? The kernel crypto
API allows .import() callbacks to execute during IPsec packet processing.
Using a hardcoded GFP_KERNEL here without checking
req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP could trigger a sleeping in
atomic context bug.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260709203037.1884436-1-skrishnamoorthy@rambus.com?part=8
next prev parent reply other threads:[~2026-07-09 20:47 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-09 20:30 [PATCH v2 00/19] crypto: cmh - add CRI CryptoManager Hub driver Saravanakrishnan Krishnamoorthy
2026-07-09 20:30 ` [PATCH v2 01/19] dt-bindings: crypto: add Rambus CryptoManager Hub Saravanakrishnan Krishnamoorthy
2026-07-09 20:38 ` sashiko-bot
2026-07-10 8:58 ` Conor Dooley
2026-07-10 23:14 ` Ousherovitch, Alex
2026-07-09 20:30 ` [PATCH v2 02/19] crypto: cmh - add core platform driver Saravanakrishnan Krishnamoorthy
2026-07-09 20:49 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 03/19] crypto: cmh - add key provisioning and management Saravanakrishnan Krishnamoorthy
2026-07-09 20:49 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 04/19] crypto: cmh - add SHA-2/SHA-3/SHAKE ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:45 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 05/19] crypto: cmh - add HMAC ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:42 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 06/19] crypto: cmh - add CSHAKE/KMAC ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:47 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 07/19] crypto: cmh - add SM3 ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:47 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 08/19] crypto: cmh - add AES skcipher/aead/cmac Saravanakrishnan Krishnamoorthy
2026-07-09 20:47 ` sashiko-bot [this message]
2026-07-09 20:30 ` [PATCH v2 09/19] crypto: cmh - add SM4 skcipher/aead/cmac/xcbc Saravanakrishnan Krishnamoorthy
2026-07-09 20:49 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 10/19] crypto: cmh - add ChaCha20-Poly1305 Saravanakrishnan Krishnamoorthy
2026-07-09 20:46 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 11/19] crypto: cmh - add DRBG hwrng Saravanakrishnan Krishnamoorthy
2026-07-09 20:54 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 12/19] crypto: cmh - add RSA akcipher Saravanakrishnan Krishnamoorthy
2026-07-09 20:57 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 13/19] crypto: cmh - add ECDSA/SM2 sig Saravanakrishnan Krishnamoorthy
2026-07-09 21:04 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 14/19] crypto: cmh - add ECDH/X25519 kpp Saravanakrishnan Krishnamoorthy
2026-07-09 21:08 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 15/19] crypto: cmh - add ML-KEM/ML-DSA (QSE) Saravanakrishnan Krishnamoorthy
2026-07-09 21:03 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 16/19] crypto: cmh - add SLH-DSA/LMS/XMSS (HCQ) Saravanakrishnan Krishnamoorthy
2026-07-09 21:02 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 17/19] Documentation: ioctl: add CMH ioctl documentation and register 'J' Saravanakrishnan Krishnamoorthy
2026-07-09 20:54 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 18/19] selftests: crypto: cmh - add kselftest for management ioctl Saravanakrishnan Krishnamoorthy
2026-07-09 20:54 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 19/19] MAINTAINERS: add Rambus CryptoManager Hub (CMH) Saravanakrishnan Krishnamoorthy
2026-07-10 1:04 ` Randy Dunlap
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260709204715.ADB291F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=skrishnamoorthy@rambus.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox