Devicetree
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Saravanakrishnan Krishnamoorthy" <skrishnamoorthy@rambus.com>
Cc: robh@kernel.org, conor+dt@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v2 08/19] crypto: cmh - add AES skcipher/aead/cmac
Date: Thu, 09 Jul 2026 20:47:15 +0000	[thread overview]
Message-ID: <20260709204715.ADB291F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260709203037.1884436-9-skrishnamoorthy@rambus.com>

Thank you for your contribution! Sashiko AI review found 5 potential issue(s) to consider:
- [High] Unbounded memory leak and DoS via orphaned chunks in `cmh_aes_cmac_init` and `cmh_aes_cmac_import`.
- [High] Memory allocation failure and `WARN` due to oversized `kmalloc` in `cmh_aes_crypt`.
- [High] Cryptographic logic bug causing mathematically incorrect IV generation in CFB-128 partial block chaining.
- [High] Alignment violation resulting in misaligned pointers for generic CCM fallback subrequest.
- [High] Sleeping in atomic context due to hardcoded `GFP_KERNEL` in `cmh_aes_cmac_import`.
--

--- Patch [8]: [PATCH v2 08/19] crypto: cmh - add AES skcipher/aead/cmac ---
commit 0196177c32d5ce7a03aa73937a1fac3eb268a239
Author: Alex Ousherovitch <aousherovitch@rambus.com>

crypto: cmh - add AES skcipher/aead/cmac

Register AES algorithms using the CMH AES core (core ID 0x03): skcipher, aead,
and ahash. Supports 128, 192, and 256-bit keys and handles associated data,
payload, and authentication tag.

> diff --git a/drivers/crypto/cmh/cmh_aes.c b/drivers/crypto/cmh/cmh_aes.c
> new file mode 100644
> --- /dev/null
> +++ b/drivers/crypto/cmh/cmh_aes.c
[ ... ]
> +static void cmh_aes_update_iv(struct skcipher_request *req, u32 mode,
> +			      u32 op, const u8 *in_buf, const u8 *out_buf)
> +{
[ ... ]
> +	case AES_MODE_CFB:
[ ... ]
> +		if (req->cryptlen >= bs) {
> +			if (op == AES_OP_ENCRYPT)
> +				memcpy(req->iv, out_buf + req->cryptlen - bs,
> +				       bs);

[Severity: High]
Does this extract an unaligned 16-byte slice when the request length is not
block-aligned? Mixing the end of the previous ciphertext block and the start
of the partial block produces an incorrect shift-register state for CFB-128.
If cra_blocksize is set to 1, standard CFB-128 chaining on partial blocks
requires saving the unused keystream in the state between requests instead.

[ ... ]
> +static int cmh_aes_crypt(struct skcipher_request *req, u32 aes_op)
> +{
[ ... ]
> +	if (req->cryptlen > CMH_AES_MAX_CRYPTLEN)
> +		return -EINVAL;
[ ... ]
> +	/* Linearise input from scatterlist */
> +	rctx->in_buf = kmalloc(req->cryptlen, gfp);

[Severity: High]
Does this allow kmalloc to be called with a size up to 32MB? Since
KMALLOC_MAX_SIZE is typically 4MB or 8MB, allocations exceeding this limit
will trigger page allocator warnings and fail. Unprivileged userspace could
potentially trigger this via the AF_ALG skcipher interface.

> diff --git a/drivers/crypto/cmh/cmh_aes_aead.c b/drivers/crypto/cmh/cmh_aes_aead.c
> new file mode 100644
> --- /dev/null
> +++ b/drivers/crypto/cmh/cmh_aes_aead.c
[ ... ]
> +static int cmh_aes_aead_init_tfm(struct crypto_aead *tfm)
> +{
[ ... ]
> +		/*
> +		 * Subreq lives at (rctx + 1).  Alignment is guaranteed
> +		 * by the crypto framework's __ctx ALIGN mechanism.
> +		 */
> +		crypto_aead_set_reqsize(tfm,
> +					sizeof(struct cmh_aes_aead_reqctx) +
> +					sizeof(struct aead_request) +
> +					crypto_aead_reqsize(fb));
[ ... ]
> +static int cmh_aes_ccm_fallback(struct aead_request *req, u32 aes_op)
> +{
> +	struct crypto_aead *tfm = crypto_aead_reqtfm(req);
> +	struct cmh_aes_aead_tfm_ctx *tctx = crypto_aead_ctx(tfm);
> +	struct cmh_aes_aead_reqctx *rctx = aead_request_ctx(req);
> +	struct aead_request *subreq = (void *)(rctx + 1);

[Severity: High]
Does this calculate a misaligned pointer for subreq? The crypto framework
aligns the start of the primary request context, but
sizeof(struct cmh_aes_aead_reqctx) is not guaranteed to be a multiple of
CRYPTO_MINALIGN.

Because struct aead_request requires strict alignment for its __ctx member,
this can lead to alignment faults or data corruption when CCM mode falls
back to software. Should the context size wrap the struct size with
ALIGN(..., crypto_tfm_ctx_alignment())?

> diff --git a/drivers/crypto/cmh/cmh_aes_cmac.c b/drivers/crypto/cmh/cmh_aes_cmac.c
> new file mode 100644
> --- /dev/null
> +++ b/drivers/crypto/cmh/cmh_aes_cmac.c
[ ... ]
> +static int cmh_aes_cmac_init(struct ahash_request *req)
> +{
> +	struct cmh_aes_cmac_reqctx *rctx = ahash_request_ctx(req);
> +
> +	memset(rctx, 0, sizeof(*rctx));
[ ... ]
> +static int cmh_aes_cmac_update(struct ahash_request *req)
> +{
[ ... ]
> +	chunk = kmalloc(sizeof(*chunk) + req->nbytes, gfp);

[Severity: High]
Does zeroing the request context in cmh_aes_cmac_init() orphan the chunks
dynamically allocated during cmh_aes_cmac_update()? If a user repeatedly
calls .update() followed by .init() on the same request via the AF_ALG
socket, it seems total_len is reset and the link to the allocated chunks is
severed. Can this lead to unbounded memory leaks and an out-of-memory
condition?

[ ... ]
> +static int cmh_aes_cmac_import(struct ahash_request *req, const void *in)
> +{
[ ... ]
> +	if (state->total_len) {
> +		chunk = kmalloc(sizeof(*chunk) + state->total_len, GFP_KERNEL);

[Severity: High]
Can this allocation happen in atomic or softirq contexts? The kernel crypto
API allows .import() callbacks to execute during IPsec packet processing.
Using a hardcoded GFP_KERNEL here without checking
req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP could trigger a sleeping in
atomic context bug.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260709203037.1884436-1-skrishnamoorthy@rambus.com?part=8

  reply	other threads:[~2026-07-09 20:47 UTC|newest]

Thread overview: 41+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-09 20:30 [PATCH v2 00/19] crypto: cmh - add CRI CryptoManager Hub driver Saravanakrishnan Krishnamoorthy
2026-07-09 20:30 ` [PATCH v2 01/19] dt-bindings: crypto: add Rambus CryptoManager Hub Saravanakrishnan Krishnamoorthy
2026-07-09 20:38   ` sashiko-bot
2026-07-10  8:58   ` Conor Dooley
2026-07-10 23:14     ` Ousherovitch, Alex
2026-07-09 20:30 ` [PATCH v2 02/19] crypto: cmh - add core platform driver Saravanakrishnan Krishnamoorthy
2026-07-09 20:49   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 03/19] crypto: cmh - add key provisioning and management Saravanakrishnan Krishnamoorthy
2026-07-09 20:49   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 04/19] crypto: cmh - add SHA-2/SHA-3/SHAKE ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:45   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 05/19] crypto: cmh - add HMAC ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:42   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 06/19] crypto: cmh - add CSHAKE/KMAC ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:47   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 07/19] crypto: cmh - add SM3 ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:47   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 08/19] crypto: cmh - add AES skcipher/aead/cmac Saravanakrishnan Krishnamoorthy
2026-07-09 20:47   ` sashiko-bot [this message]
2026-07-09 20:30 ` [PATCH v2 09/19] crypto: cmh - add SM4 skcipher/aead/cmac/xcbc Saravanakrishnan Krishnamoorthy
2026-07-09 20:49   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 10/19] crypto: cmh - add ChaCha20-Poly1305 Saravanakrishnan Krishnamoorthy
2026-07-09 20:46   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 11/19] crypto: cmh - add DRBG hwrng Saravanakrishnan Krishnamoorthy
2026-07-09 20:54   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 12/19] crypto: cmh - add RSA akcipher Saravanakrishnan Krishnamoorthy
2026-07-09 20:57   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 13/19] crypto: cmh - add ECDSA/SM2 sig Saravanakrishnan Krishnamoorthy
2026-07-09 21:04   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 14/19] crypto: cmh - add ECDH/X25519 kpp Saravanakrishnan Krishnamoorthy
2026-07-09 21:08   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 15/19] crypto: cmh - add ML-KEM/ML-DSA (QSE) Saravanakrishnan Krishnamoorthy
2026-07-09 21:03   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 16/19] crypto: cmh - add SLH-DSA/LMS/XMSS (HCQ) Saravanakrishnan Krishnamoorthy
2026-07-09 21:02   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 17/19] Documentation: ioctl: add CMH ioctl documentation and register 'J' Saravanakrishnan Krishnamoorthy
2026-07-09 20:54   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 18/19] selftests: crypto: cmh - add kselftest for management ioctl Saravanakrishnan Krishnamoorthy
2026-07-09 20:54   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 19/19] MAINTAINERS: add Rambus CryptoManager Hub (CMH) Saravanakrishnan Krishnamoorthy
2026-07-10  1:04   ` Randy Dunlap

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260709204715.ADB291F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=conor+dt@kernel.org \
    --cc=devicetree@vger.kernel.org \
    --cc=robh@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=skrishnamoorthy@rambus.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox