Re: [PATCH] crypto: sun4i-ss: restrict PRNG seed length to prevent heap overflow

["Tianchu Chen" <tianchu.chen@linux.dev>]

May 28, 2026 at 11:29 PM, sashiko-bot@kernel.org mailto:sashiko-bot@kernel.org  wrote:


> 
> Thank you for your contribution! Sashiko AI review found 5 potential issue(s) to consider:
> 
> New issues:
> - [Critical] The newly added bounds check unconditionally rejects valid seeds and completely breaks PRNG initialization on 64-bit architectures.
> 
> Pre-existing issues:
> - [Critical] This problem wasn't introduced by this patch, but the PRNG generation function silently truncates unaligned requested lengths, failing to generate random bytes for the remainder of the buffer while still returning success.
> - [High] This problem wasn't introduced by this patch, but the patch silently permits undersized seeds, leading to partial seed updates.
> - [High] This problem wasn't introduced by this patch, but the PRNG seed is copied into the shared device state without any locking, creating a data race with concurrent PRNG generations.
> - [High] This problem wasn't introduced by this patch, but there is a blind read from TXFIFO in PRNG generation without checking if data is available.
> --
> 
> commit ce68b95827dcfbd778d1a5a3d2de5fd10e821954
> Author: Tianchu Chen <flynnnchen@tencent.com>
> crypto: sun4i-ss: restrict PRNG seed length to prevent heap overflow
> 
> This commit restricts the PRNG seed length in sun4i_ss_prng_seed() to prevent
> a heap overflow. Without bounds checking, user-supplied seeds via AF_ALG could
> exceed the fixed-size buffer and corrupt adjacent memory.
> 
> Fixes: 6298e948215f ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator")
> Cc: stable@vger.kernel.org
> 
> > 
> > diff --git a/drivers/crypto/allwinner/sun4i-ss/sun4i-ss-prng.c b/drivers/crypto/allwinner/sun4i-ss/sun4i-ss-prng.c
> >  index 491fcb7b81b40..010fa891c1056 100644
> >  --- a/drivers/crypto/allwinner/sun4i-ss/sun4i-ss-prng.c
> >  +++ b/drivers/crypto/allwinner/sun4i-ss/sun4i-ss-prng.c
> >  @@ -8,6 +8,8 @@ int sun4i_ss_prng_seed(struct crypto_rng *tfm, const u8 *seed,
> >  struct rng_alg *alg = crypto_rng_alg(tfm);
> >  
> >  algt = container_of(alg, struct sun4i_ss_alg_template, alg.rng);
> >  + if (slen > sizeof(algt->ss->seed))
> >  + return -EINVAL;
> > 
> [Severity: Critical]
> Does sizeof(algt->ss->seed) unconditionally reject valid seeds?
> 
> On 64-bit architectures, BITS_PER_LONG is 64, which makes the evaluation of
> SS_SEED_LEN / BITS_PER_LONG result in 3. The seed array becomes u32 seed[3],
> yielding a total size of 12 bytes. This would trigger the EINVAL branch for
> standard 24-byte seeds and completely break PRNG initialization.
> 


sun4i-ss is designed for 32-bit ARM only (A10/A13/A20/A33). It's behind
ARCH_SUNXI in Kconfig so it never builds on 64-bit. On the real hardware
sizeof(ss->seed) is always 24, same as .seedsize.