From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Ard Biesheuvel, Eric Biggers
Subject: [PATCH 6.12 01/70] lib/crypto: chacha: Zeroize permuted_state before it leaves scope
Date: Mon, 13 Apr 2026 17:59:56 +0200
Message-ID: <20260413155728.238602820@linuxfoundation.org>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260413155728.181580293@linuxfoundation.org>
References: <20260413155728.181580293@linuxfoundation.org>
User-Agent: quilt/0.69
X-stable: review
X-Patchwork-Hint: ignore
Precedence: bulk
X-Mailing-List: patches@lists.linux.dev
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

6.12-stable review patch. If anyone has any objections, please let me know.

------------------

From: Eric Biggers

commit e5046823f8fa3677341b541a25af2fcb99a5b1e0 upstream.

Since the ChaCha permutation is invertible, the local variable
'permuted_state' is sufficient to compute the original 'state', and thus
the key, even after the permutation has been done.

While the kernel is quite inconsistent about zeroizing secrets on the
stack (and some prominent userspace crypto libraries don't bother at all
since it's not guaranteed to work anyway), the kernel does try to do it
as a best practice, especially in cases involving the RNG.

Thus, explicitly zeroize 'permuted_state' before it goes out of scope.

Fixes: c08d0e647305 ("crypto: chacha20 - Add a generic ChaCha20 stream cipher implementation")
Cc: stable@vger.kernel.org
Acked-by: Ard Biesheuvel
Link: https://lore.kernel.org/r/20260326032920.39408-1-ebiggers@kernel.org
Signed-off-by: Eric Biggers
Signed-off-by: Greg Kroah-Hartman
---
 lib/crypto/chacha.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/lib/crypto/chacha.c +++ b/lib/crypto/chacha.c 
@@ -86,6 +86,8 @@ void chacha_block_generic(u32 *state, u8 put_unaligned_le32(x[i] + state[i], &stream[i * sizeof(u32)]); state[12]++; + + memzero_explicit(x, sizeof(x)); } EXPORT_SYMBOL(chacha_block_generic); @@ -110,5 +112,7 @@ void hchacha_block_generic(const u32 *st memcpy(&stream[0], &x[0], 16); memcpy(&stream[4], &x[12], 16); + + memzero_explicit(x, sizeof(x)); } EXPORT_SYMBOL(hchacha_block_generic);
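Review bot: in the chacha_block_generic hunk the wipe targets x, while the subject line and changelog speak only of 'permuted_state', so the message and the diff do not name the same variable. A one-line note in the changelog that the array is called x in this tree would save readers from matching the two by hand. A short comment above memzero_explicit(x, sizeof(x)) stating that x can be inverted back to the key would also keep the call from looking redundant to a later reader, since the function has already written its output to stream by that point.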
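Review bot: in the hchacha_block_generic hunk, memzero_explicit(x, sizeof(x)) clears the whole permuted state only if x is declared as an array inside this function, and that declaration lies outside the visible context. If x were a pointer, sizeof(x) would cover just the pointer. Worth confirming against the 6.12 source before this is queued. The placement itself looks right: both memcpy calls into stream come before the wipe, so the output words are copied out first.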
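The changelog's argument, that a leftover permuted state is as good as the key because the ChaCha permutation is invertible, worked through as an added userspace example (not code from this patch or from the kernel). The names qr_inv, permute and key_recoverable and the sample state are constructed here, and memset stands in for memzero_explicit().

```c
#include <stdint.h>
#include <string.h>

#define ROTL(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define ROTR(v, n) (((v) >> (n)) | ((v) << (32 - (n))))

/* Column then diagonal word indices of one ChaCha double round. */
static const int idx[8][4] = {
	{0, 4, 8, 12}, {1, 5, 9, 13}, {2, 6, 10, 14}, {3, 7, 11, 15},
	{0, 5, 10, 15}, {1, 6, 11, 12}, {2, 7, 8, 13}, {3, 4, 9, 14},
};

/* Forward quarter round on words a, b, c, d of x. */
static void qr(uint32_t *x, int a, int b, int c, int d) {
	x[a] += x[b]; x[d] = ROTL(x[d] ^ x[a], 16);
	x[c] += x[d]; x[b] = ROTL(x[b] ^ x[c], 12);
	x[a] += x[b]; x[d] = ROTL(x[d] ^ x[a], 8);
	x[c] += x[d]; x[b] = ROTL(x[b] ^ x[c], 7);
}

/* Inverse quarter round: the same four steps undone last to first. */
static void qr_inv(uint32_t *x, int a, int b, int c, int d) {
	x[b] = ROTR(x[b], 7) ^ x[c];  x[c] -= x[d];
	x[d] = ROTR(x[d], 8) ^ x[a];  x[a] -= x[b];
	x[b] = ROTR(x[b], 12) ^ x[c]; x[c] -= x[d];
	x[d] = ROTR(x[d], 16) ^ x[a]; x[a] -= x[b];
}

/* Run nrounds of the permutation forward (inv == 0) or backward. */
static void permute(uint32_t x[16], int nrounds, int inv) {
	for (int n = 0; n < nrounds * 4; n++) {
		const int *q = idx[inv ? 7 - n % 8 : n % 8];
		(inv ? qr_inv : qr)(x, q[0], q[1], q[2], q[3]);
	}
}

/* Returns 1 if key words 4..11 can be rebuilt from what is left in x. */
int key_recoverable(int wipe) {
	uint32_t x[16], state[16] = { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 };
	for (int i = 4; i < 16; i++)
		state[i] = 0x01010101u * i; /* constructed key, counter, nonce */
	memcpy(x, state, sizeof(x));
	permute(x, 20, 0);              /* what the block function leaves in x */
	if (wipe) memset(x, 0, sizeof(x)); /* stand-in for memzero_explicit() */
	permute(x, 20, 1);              /* someone later reading the stale stack */
	return memcmp(&x[4], &state[4], 32) == 0;
}

int main(void) { return key_recoverable(0) == 1 && key_recoverable(1) == 0 ? 0 : 1; }
```

The memset here is not a dead store because x is read again afterwards; in the patched functions x is never read after the wipe, which is why the kernel uses memzero_explicit() rather than a plain memset.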